Microsoft Office Client-Side Attack

The Java Signed Applet attack is a very well known and used Social Engineering attack vector for getting reliable code execution on a system. As many of you may know, Oracle recently released an update that prevents self-signed applets from executing. Because of this, this attack just got a little more difficult to execute. In my opinion, this attack vector is close to dead. As a result, Pentesters will need to start looking at other reliable methods for getting code execution through Social Engineering. I have done a little work on this over the past few weeks, so I figured I would put all the information in one place.

This attack technique leverages Invoke-Shellcode. You have 2 options when using this attack. You can either host Invoke-Shellcode, or you can use @mattifestation‘s PowerSploit module and embed Invoke-Shellcode within the macro. Here’s an example:

Out-EncodedCommand -ScriptBlock ([scriptblock]::Create((ls Function:\Invoke-Shellcode).Definition + “Invoke-Shellcode -Shellcode (@(1,2,3)) -Force`n`n”)).

If you haven’t looked at PowerSploit, check it out. It is a great tool.

1. Disable Proxy Settings

This macro disables any proxy settings, executes a payload and then persists by adding 2 scheduled tasks. One executes a payload after 30 minutes of idle time and the other kills any proxy settings after 30 minutes of idle time. This macro will take care of any troublesome proxies.

The code for this can be found here:

https://github.com/enigma0x3/Office-Client-Side-attack/blob/master/ProxyMacro

And a walk-though can be found here:

https://enigma0x3.wordpress.com/2014/01/15/new-feature-added-to-powershell-payload-excel-delivery/

2. Persist with Scheduled Tasks

This macro simply executes a payload and then persists by scheduling a task that executes a new payload after 30 minutes of idle time.

The code can be found here:

https://github.com/enigma0x3/Office-Client-Side-attack/blob/master/SchTasksMacro

And a walk-through can be found here:

https://enigma0x3.wordpress.com/2014/01/11/using-a-powershell-payload-in-a-client-side-attack/

3. Web Persistence

This macro executes a payload and then creates a registry key that executes a hosted persistence script. This persistence script basically goes out and checks the set website for the set keyword. If the keyword is found, it executes a new payload.

The code can be found here:

https://github.com/enigma0x3/Office-Client-Side-attack/blob/master/WebPersistenceMacro

And a walk-through can be found here:

https://enigma0x3.wordpress.com/2014/01/17/command-and-control-using-powershell-and-your-favorite-website/

4. Persist by dropping malicious Normal.dotm and calling it on startup:

The code can be found here:

https://github.com/enigma0x3/WordPersistence

And a walk-through can be found here:

https://enigma0x3.wordpress.com/2014/01/23/maintaining-access-with-normal-dotm/

Hopefully this can be of some use. Let me know if you have questions or problems. *RIP Signed Java Applet Attack*

-Matt Nelson (@enigma0x3)

2 thoughts on “Microsoft Office Client-Side Attack

  1. Again, nice work Matt! Just so that people are aware, hosting Invoke-Shellcode isn’t absolutely necessary. You can certainly embed a compressed, encoded version of the payload in the within the macro. Here’s an example of how you could automate the generation of the payload using PowerSploit (assuming the module is loaded):

    Out-EncodedCommand -ScriptBlock ([scriptblock]::Create((ls Function:\Invoke-Shellcode).Definition + “Invoke-Shellcode -Shellcode (@(1,2,3)) -Force`n`n”))

    Cheers,
    Matt

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s