For the demonstration purposes lets presume the target is using Windows 8.1 64bit, MS Office 2010 + Outlook and some form of Antivirus protection – in this case Avast NOD32 ver.7
Metasploit tools folder has many useful programs and for this exercise I have chosen the exe2vba.rb script to encode our stealth executable payload as a VBA script
committer_count.rb module_author.rb pack_fastlib.sh context module_changelog.rb pattern_create.rb convert_31.rb module_commits.rb pattern_offset.rb cpassword_decrypt.rb module_count.rb payload.exe dev module_disclodate.rb payload_lengths.rb exe2vba.rb module_license.rb payload.txt exe2vbs.rb module_mixins.rb pdf2xdp.rb find_badchars.rb module_payloads.rb profile.sh halflm_second.rb module_ports.rb psexec.rb hmac_sha1_crack.rb module_rank.rb reg.rb import_webscarab.rb module_reference.rb verify_datastore.rb list_interfaces.rb module_targets.rb virustotal.rb lm2ntcrack.rb msf_irb_shell.rb vxdigger.rb memdump msftidy.rb vxencrypt.rb metasm_shell.rb nasm_shell.rb vxmaster.rb user@Obelix:~/stuff/metasploit/tools$
For the executable payload I have used the custom meterpreter loader, which gets by all AVs just fine – Custom Meterpreter Loader
The script output is simple and straightforward. It creates a VB source code that needs to be placed as a macro into a MS Word document and saved within the document. The ASCII encoded executable along with the function header needs to be hidden somewhere in the text itself, best location is probably a few pages down at the end. (This step should be done on a VM Windows system with MS Office)
Next I have configured a mail system on my host in order to send an email to the VM where the “user” sits. I have used the basic Debian setup :
- Courier-pop3d (Maildir)
I had a default /var/mail/user Mailbox format so I had to change to Maildir in /home/user/Maildir . Postfix is configured to deliver mail locally only because we will connect with a mail client from the VM to the host POP3. Just a note, you need to add “home_mailbox = Maildir/” to /etc/postfix/main.cf and create a Maildir structure in your home directory. Mailing system can be a little tricky to setup if you haven’t done this before. After everything is ready we can test/connect to our new mailbox from the VM Outlook. I dont use bridging in KVM-QEMU, so everything that runs on the host is accessible from the VM as IP 10.0.2.2
Next we simulate a real life email message from our host. I have used ALPINE for terminal as it suits me best for what I need. As #root I mail to user@obelix (In the first part of the video there is a typo in the mail address : user@Oblelix) attach the evil document and send away.
On the host we are using Windows 8.1 64bit with Avast NOD32 7 and MS Office 2010. In order for the macro to run, user needs to enable the button at the top of the document when opened from Outlook directly. The payload does its stuff, bypasses AV and spawns a reverse shell on the host.
Here is the video summary of Wargames pt.1