Home

Awesome

RobustPentestMacro

This is a rich-featured Visual Basic macro code for use during Penetration Testing assignments, implementing various advanced post-exploitation techniques like sandbox evasion, WMI persistence and page substitution. Intended to be able to infect both Windows and Mac OS X Office platforms by implementing platform-detection logic.

Created to make it possibly to simply Paste Payload then Copy & Paste entire macro into phished document.

For list of example Macro generation and usage scenarios one can check out author's gist here:

Various-Macro-Based-RCEs.md


SYNOPSIS:

This is a skeleton code for the malicious Macro that could be used during Penetration Testing assignments (or for education purposes), in order to embed it within Phishing documents as a Microsoft Office macro.

There are following features implemented:

One should definitely feed this script into some kind of Visual Basic obfuscator, like the author's one: VisualBasicObfuscator

The macro's code has been built up from other author's building blocks:


CONFIGURATION

The most essential configuration here is filling up functions like MalwareWindows() and MalwareMac(). One can for instance leverage Empire stager's functionality and obtain two payloads - for:

Then one have to put this way generated macros into aforementioned Malware*() functions. The penetration tester also can use buil-in primitives like:

For instance, such modifications to the script could look like:

Private Sub WindowsMalware()
	[...]
	str = "powershell -noP -sta -w 1 -enc  ABCDEFGHIJKLMNOPQ"
    str = str + "ABCDEFGHIJKLMNOPQRSTUWXYZ0123456789"
    ' Rest of the powershell command cut for brevity
    ' [...]
    str = str + "ABCDEFGHIJKLMNOPQRSTUWXYZ0123456789"
    
    ExecuteCommandAndPersist str, ""
End Sub

Private Sub MacMalware()  
	[...]
	cmd = "abcdefghijlmnopqrstuxwyz012345678990"
    cmd = cmd + "abcdefghijlmnopqrstuxwyz012345678990"
    ' Rest of bash command cut for brevity
    ' [...]
    cmd = cmd + "abcdefghijlmnopqrstuxwyz012345678990"
    
    Dim fullCommand As String
    fullCommand = "echo ""import sys,base64;exec(base64.b64decode(\"" " & cmd & " \""));"" | python &"

    ExecuteCommandAndPersist fullCommand, ""

Also, there are Const options documented within code's CONFIGURATION section that are self-explanatory and left to be reviewed by the user.


SOCIAL ENGINEERING SHAPE REMOVAL:

In order to leverage this feature, one has to prepare a fake "Enable Content" warning message like for instance Microsoft Office compatibility issues, AV scanned flag or something imaginary, and then to create a shape consisting of TextBox (via INSERT -> Shapes... -> TextBox). Then cover the document with this shape. Having that, one has to rename that shape using the path:

(Ribbon -> HOME -> Editing -> Select... -> Selection Pane -> give it a name, like "**warning-div**")

After that, the shape can be further modified to be floating and cover up entire document by clicking:

Right click on shape -> Move selected shape -> then setting up Position and Size to 100%, Left-Top aligned.

Among various Social Engineering shapes that could be used - two of them had been attached to this repository:

Example shape


TODO:


KNOWN BUGS:


DISCALIMER:

The author of this code is not taking any responsibilities of any illegal usage of it. The code had been created solely for Penetration Testing purposes.


☕ Show Support ☕

This and other projects are outcome of sleepless nights and plenty of hard work. If you like what I do and appreciate that I always give back to the community, Consider buying me a coffee (or better a beer) just to say thank you! 💪


Author

   Mariusz Banach / mgeeky, '17
   <mb [at] binary-offensive.com>
   (https://github.com/mgeeky)