Client Side Code Execution With Office

Client Side Code Execution With Office

Index:

Payload Droppers

Attack Scenario (C2 Agent Payload delivery)

  • Staged payload delivery. Client tricked into executing “dropped” payload, stage 1 requests the remaining implant code from the C2 server.
  • Malware code either written to disk or running in memory
  • Malware “Beacons” to the C2 server to communicate with attacker leveraging HTTP, HTTPS, DNS, etc, to blend with regular traffic.

This course uses Metasploit as the C2 framework

Staged vs Non-staged Payloads

In Metasploit, the naming convention is as follows:

Non-staged examples:

  • windows/shell_reverse_tcp
  • windows/x64/meterpreter_reverse_https

Staged examples:

  • windows/shell/reverse_tcp
  • windows/x64/meterpreter/reverse_https

Building our Droppers

Hosting a basic reverse shell executable with a non-staged payload
Hosting a Meterpreter staged Payload

HTML Smuggling

For example, an attacker may embed a link in an email. When the victim reads the email and visits the webpage, JavaScript code will use HTML Smuggling1 to automatically save the dropper file.

Can be achieved through the use of the download attribute anchor tag:
Alternatively we can use JavaScript to trigger the download automatically.

Phishing with Microsoft Office

Full Module:

Phishing with Microsoft OfficePhishing with Microsoft Office

Note: On the lab VM’s, we will need to install Office (found at C:\installs\Office2016.img).

VBA

Microsoft Office allows VBA scripting with Macros.

To edit a Macro in the context of the current Word Doc, go to View/Macros and select the current document, enter a name for the Macro, then click create.
Basic VBA examples.
To execute a macro automatically, we can utilise Document_Open() or Auto_Open() which will execute when the doc is opened. Or Workbook_Open() in Excel.
Example Macro to launch cmd.exe using Shell and vbHide to hide the console window.
Alternatively, we can use Windows Script Host to launch a shell with the value 0 to hide the console window.

The Macro must be saved .doc (Word 97-2003 Document) or .docm (Word Macro-Enabled Document) format to store macros.

When A document with Macros loads, Microsoft defaults to checking with the user before executing the macros, meaning we need to persuade the Victim to enable content when phishing.
When Protected View is enabled, macros are disabled, external images are blocked, and the user is presented with an additional warning message, macros are disabled and external images are blocked.

Using PowerShell within VBA Macros

Basic PowerShell Download File Script:
Downloading and executing the file
Embedding the File download and execution into VBA Macro

Pretexting

A phishing attack exploits a victim's behavior, leveraging their curiosity or fear to encourage them to launch our payload despite their better judgement. Popular mechanisms include job applications, healthcare contract updates, invoices or human resources requests, depending on the target organization and specific employees.

In the case of delivering a Office Macro enabled payload, we should attempt to convince the user to Enable Editing and Enable Content to properly view the document.

Example:

To maintain stealth, when the user runs the macros, they should be presented with the content. We can do this by using macros to switch out the “encrypted content” for the “real content”

Example:
To do this:
Updated payload (replaces content, downloads staged implant and executes reverse shell).

Executing Shellcode in Word Memory

This method avoids downloading the exe to disk by executing the shell payload entirely in memory.

This concept exceeds the limits of VBA. This is partly due to the fact that the staged Meterpreter payload is actually pure assembly code that must be placed in a memory location and executed. Instead of using pure VBA, we can leverage native Windows operating system APIs1 within VBA.

Calling Win32 APIs from VBA

Example 1 - using GetUserName API to print the users username in a MsgBox

VBA Shellcode Runner

This section outlines how to use Win32 APIs to execute shellcode in memory, avoiding downloading a file to disk. This generally uses the following Win32 APIs from Kernel32.dll: 

  • VirtualAlloc
  • RtlMoveMemory
  • CreateThread
First we need to generate the Meterpreter shellcode.
Payload:

Powershell Shellcode Runner

Although we have a working exploit, there's room for improvement. First, the document contains the embedded first-stage Meterpreter shellcode and is saved to the hard drive where it may be detected by antivirus. Second, the VBA version of our attack executed the shellcode directly in memory of the Word process. If the victim closes Word, we'll lose our shell.

Another tactic is to download a PowerShell script that contains the staging shellcode and run it in memory as a child process of Word so that it will not die if Word is closed.

PowerShell with Win32 APIs

PowerShell cannot directly call Win32 APIs. However, it can leverage the .NET Framework and embedded C# (via Add-Type) to access these unmanaged functions.

P/Invoke (Platform Invocation Services):

  • Used to “translate” unmanaged C functions into C# method signatures.
  • Found in the System and System.Runtime.InteropServices namespaces.
  • Helpful resources include www.pinvoke.net for common Win32 API translations.
Example, popping a message box with PowerShell.

Moving our Shellcode Runner to PowerShell

Meterpreter shellcode:
run.ps1 (to be downloaded by VBA Macro)
VBA Macro template
Metasploit Listener

Ensure run.ps1 is serving at http://192.168.45.153/run.ps1

Preventing Artefacts

Since our VBA and PowerShell shellcode runners do not write to disk, it seems safe to assume that they are fully executing from memory. However, PowerShell and the .NET framework leave artifacts on the hard drive that antivirus programs can identify.

Add-Type Compilation

In the previous section, we used Add-Type to compile C# code. When we use this, the Code and compiled assembly are temporarily written to disk. These temporary files can be scanned by AV and flagged. We will attempt to rewrite the code, avoiding writing to disk.

 Leveraging UnsafeNativeMethods

Add-Type calls the csc compiler, alternatively, we can use a technique known as dynamic lookup. This technique involves writing the .NET assembly to memory instead of writing code and compiling it.

To perform a dynamic lookup of function addresses, the operating system provides two special Win32 APIs called GetModuleHandle and GetProcAddress.

Since we cannot create any new assemblies, we'll try to locate existing assemblies that we can reuse.

Code to locate assemblies for re-use:

Now we have identified where unsafe methods are loaded, we now face the problem where we cannot directly call these methods from PowerShell or C#..

To solve this issue, we have to develop a way that allows us to call it indirectly.

Step 1 - Obtain a Reference to System.dll
Step 2 - Obtaining Method References
Step 3 - Resolving Multiple Method Instances
Step 4 - Dynamically Invoke Methods
Step 5 - Combine techniques for lookup function

DelegateType Reflection

Now that we can resolve addresses of the Win32 APIs using the LookupFunc, we must define the argument types.

The delegate type is usually created when the assembly is compiled, but instead we will manually create an assembly in memory and populate it with content.

Example Code

We should configure its access mode to be executable and not saved to disk using DefineDynamicAssembly .

Example Code

We then start building the Assembly content. We create a Module through the DefineDynamicModule, supply a custom name for the module and tell it not to include symbol information.

Example Code

Next we create a custom type that will become our delegate type

Example Code

Next, put the function prototype inside the type and let it become our custom delegate type.

Example Code

Before calling the method, we must set a couple of implementation flags with the SetImplementationFlags method using values outlined in MethodImplAttributes Enum. We choose Runtime and Managed since it is used at runtime and the code is managed code.

Example Code

Next we use DefineMethod to create and specify the settings for the Invoke method. DefineMethod takes the following arguments: name of the method to define, method attributes taken from the MethodAttributes Enum, return type and array of argument types that we already identified when we first introduced our example MessageBox.

Example Code

Finally, To instantiate the delegate type, we call our custom constructor through the CreateType method.

Example Code

Combining the code

We can combine the Prior lookup function with the above code to create a full script that reflectively loads the MessageBox API entirely in memory and avoiding the use of Add-Type for compilation

PowerShell Reflected Shellcode Runner

Provided by Offsec
Customised

Working with Proxies

Many organizations and enterprises force their network communication through a proxy, which can allow security analysts to monitor traffic. In these cases, penetration testers must either ensure that their techniques work through the proxy or if possible, bypass the proxy and its associated monitoring, depending on the situation.

The Meterpreter HTTP and HTTPS payloads are proxy-aware,1 but our PowerShell download cradles may not be.

PowerShell Proxy-Aware Communication

In this module, we have primarily used the Net.WebClient download cradle. This class is currently, by default, proxy-aware (this is subject to change).

The following PowerShell command (which we use above), will launch the request through the proxy if one exists:
We may be able to bypass the request going through the proxy with the following:

Note: In some environments, network communications not going through the proxy will get blocked at an edge firewall. Otherwise, we could bypass any monitoring that processes network traffic at the proxy.

Manipulating User-Agent

The Net.WebClient PowerShell download cradle does not have a default User-Agent set, which means the session will stand out from other legitimate traffic.

We can modify the user agent to blend in with legitimate browser traffic using the following:

SYSTEM user and Proxies

A PowerShell download cradle running in SYSTEM integrity level context does not have a proxy configuration set and may fail to call back to our C2 infrastructure if requests not made through the proxy are blocked.

In this case, we must create a proxy configuration for the built-in SYSTEM account.

User Proxy settings are stored in the following path:
The following code will copy a users proxy settings and apply them to the download cradle

Key Takeaways

SuperMade with Super