Wargames part 1 Delivering payloads by Email

wargames

For the demonstration purposes lets presume the target is using Windows 8.1 64bit, MS Office 2010 + Outlook and some form of Antivirus protection – in this case Avast NOD32 ver.7

Metasploit tools folder has many useful programs and for this exercise I have chosen the exe2vba.rb script to encode our stealth executable payload as a VBA script

committer_count.rb    module_author.rb      pack_fastlib.sh
context               module_changelog.rb   pattern_create.rb
convert_31.rb         module_commits.rb     pattern_offset.rb
cpassword_decrypt.rb  module_count.rb       payload.exe
dev                   module_disclodate.rb  payload_lengths.rb
exe2vba.rb            module_license.rb     payload.txt
exe2vbs.rb            module_mixins.rb      pdf2xdp.rb
find_badchars.rb      module_payloads.rb    profile.sh
halflm_second.rb      module_ports.rb       psexec.rb
hmac_sha1_crack.rb    module_rank.rb        reg.rb
import_webscarab.rb   module_reference.rb   verify_datastore.rb
list_interfaces.rb    module_targets.rb     virustotal.rb
lm2ntcrack.rb         msf_irb_shell.rb      vxdigger.rb
memdump               msftidy.rb            vxencrypt.rb
metasm_shell.rb       nasm_shell.rb         vxmaster.rb
user@Obelix:~/stuff/metasploit/tools$

For the executable payload I have used the custom meterpreter loader, which gets by all AVs just fine – Custom Meterpreter Loader 

The script output is simple and straightforward. It creates a VB source code that needs to be placed as a macro into a MS Word document and saved within the document. The ASCII encoded executable along with the function header needs to be hidden somewhere in the text itself, best location is probably a few pages down at the end.  (This step should be done on a VM Windows system with MS Office)

Next I have configured a mail system on my host in order to send an email to the VM where the “user” sits. I have used the basic Debian setup :

  • Postfix
  • Courier-pop3d  (Maildir)

I had a default /var/mail/user Mailbox format so I had to change to Maildir in /home/user/Maildir . Postfix is configured to deliver mail locally only because we will connect with a mail client from the VM to the host POP3. Just a note, you need to add  “home_mailbox = Maildir/” to /etc/postfix/main.cf  and create a Maildir structure in your home directory. Mailing system can be a little tricky to setup if you haven’t done this before. After everything is ready we can test/connect to our new mailbox from the VM Outlook. I dont use bridging in KVM-QEMU, so everything that runs on the host is accessible from the VM as  IP 10.0.2.2

Next we simulate a real life email message from our host. I have used ALPINE for terminal as it suits me best for what I need. As #root I mail to user@obelix (In the first part of the video there is a typo in the mail address : user@Oblelix) attach the evil document and send away.

On the host we are using Windows 8.1 64bit with Avast NOD32 7 and MS Office 2010. In order for the macro to run, user needs to enable the button at the top of the document when opened from Outlook directly.  The payload does its stuff, bypasses AV and spawns a reverse shell on the host.

Here is the video summary of Wargames pt.1

Advertisements
Gallery | This entry was posted in Uncategorized. Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s