[ BYPASS_MACRO_SANDBOX ]
Version: 1.6
Author: pedr0 Ubuntu [ r00t-3xp10it ]
Hosted By: peterubuntu10[at]sourceforge[dot]net
http://sourceforge.net/projects/msf-auxiliarys/
https://sourceforge.net/p/msf-auxiliarys/repository/ci/master/tree/bypass_macro_sandbox.rb
[ MODULE DESCRIPTION ]
[ MODULE ADVANCED OPTIONS ]
[ WORK FLOW - CONFIG REQUIRED SETTINGS ]
'GET_SYSTEM' allows users to elevate the current session (client) to NT AUTHORITY\SYSTEM.
It is advised to run this option the first time the module runs, to elevate client privileges.
[ WORK FLOW - CONFIG REQUIRED SETTINGS ]
'MACRO_BYPASS' adds two registry values, 'VBAWarnings' and 'AccessVBOM', to the target's registry,
lowering the Word/Excel macro security level to 'Enable all macros'.
VBAWarnings - DWORD that selects the Office macro security level (dword:2, the Office default, is 'Disable all macros with notification')
AccessVBOM - DWORD that, when set to 1, enables 'Trust access to the VBA project object model'
[ WORK FLOW - CONFIG REQUIRED SETTINGS ]
'REVERT_BYPASS' allows us to revert to the default Office macro security settings or,
if the 'DWORD' option is used, to set a different dword value (only available in 'revert_bypass').
[ WORK FLOW - MODULE DEFAULT SETTINGS ]
bypass_macro_sandbox.rb uses pre-defined 'default settings' to make exploitation faster:
by default none of these settings need to be configured unless the user wants to, which can
be done manually by executing: 'set [option] [value entered by user]'.
[ MODULE ERROR REPORTS ]
Newer Metasploit releases have changed the module class name to 'MetasploitModule', so
if you are seeing this display it means that your Metasploit is using an old class name.
To fix this, edit one of the Metasploit modules and check which class name
your version uses, then replace the (class MetasploitModule) constant in my module...
[ MODULE ERROR REPORTS ]
This post-module runs only against Windows systems; if the user tries to run it against other systems, it presents an 'unsupported' display and aborts module execution...
[ MODULE ERROR REPORTS ]
'REVERT_BYPASS' changes the macro security settings (registry) back to the default value (dword:2)
unless the user decides to set 'VBAWarnings' to another dword value with "set DWORD <value>".
The revert_bypass function allows users to set 'VBAWarnings' to values from dword:2 to dword:4; if the user tries to set a non-supported dword value, my module warns the user and aborts execution...
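The two registry values this module touches are exactly the ones a defender should be auditing. The following Ruby is an added example, not code from bypass_macro_sandbox.rb or from Metasploit: it encodes the documented VBAWarnings levels, reproduces the 2..4 input check that revert_bypass performs, and runs a small audit over a constructed snapshot of the per-application Security keys (the snapshot hash and the function names are assumptions for the example).

```ruby
# Added example (not part of bypass_macro_sandbox.rb): defender-side helpers
# around the two registry values the module writes. VBAWarnings selects the
# Office macro security level; AccessVBOM grants access to the VBA project
# object model. The level meanings are the documented Office semantics; the
# registry snapshot below is constructed for this example.

VBA_WARNINGS_LEVELS = {
  1 => 'Enable all macros (not recommended)',
  2 => 'Disable all macros with notification (Office default)',
  3 => 'Disable all macros except digitally signed macros',
  4 => 'Disable all macros without notification'
}.freeze

# Values the module's revert_bypass accepts: the default (2) up to the strictest (4).
REVERT_ALLOWED = (2..4).freeze

# Human-readable description of a VBAWarnings value, or nil if unknown.
def macro_security_label(vba_warnings)
  VBA_WARNINGS_LEVELS[vba_warnings]
end

# Mirrors the module's revert_bypass input check: only dword 2..4 are supported.
def valid_revert_dword?(value)
  value.is_a?(Integer) && REVERT_ALLOWED.cover?(value)
end

# Audit one application's Security subkey (a Hash standing in for the registry
# values) and return the findings a defender would want flagged.
def audit_macro_settings(app, values)
  findings = []
  vba = values['VBAWarnings']
  if vba.nil?
    findings << "#{app}: VBAWarnings absent (Office default applies: level 2)"
  elsif vba == 1
    findings << "#{app}: VBAWarnings=1, all macros run without prompting"
  elsif macro_security_label(vba).nil?
    findings << "#{app}: VBAWarnings=#{vba} is not a recognised level"
  end
  if values['AccessVBOM'] == 1
    findings << "#{app}: AccessVBOM=1, VBA project object model is trusted"
  end
  findings
end

# Constructed snapshot of HKCU\Software\Microsoft\Office\16.0\<App>\Security,
# as a script reading the registry on the host would collect it.
SAMPLE_SNAPSHOT = {
  'Word'       => { 'VBAWarnings' => 1, 'AccessVBOM' => 1 },
  'Excel'      => { 'VBAWarnings' => 2 },
  'PowerPoint' => {}
}.freeze

# Run the audit over every application in the snapshot.
def audit_snapshot(snapshot)
  snapshot.flat_map { |app, vals| audit_macro_settings(app, vals) }
end

if __FILE__ == $PROGRAM_NAME
  audit_snapshot(SAMPLE_SNAPSHOT).each { |finding| puts finding }
end
```

On a real host the snapshot would come from reading each Office version's Word/Excel Security key; the audit logic itself does not depend on how the values were collected, so the same functions can be fed exported .reg data or endpoint telemetry.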
[ POST - MODULE LIMITATIONS ]
This module only runs against Windows systems (native cmd syntax).
As part of the post-exploitation class, this module requires one open session.
This module only runs in a meterpreter shell environment (meterpreter client).
"Target system needs to be rebooted for the registry changes to take effect"...
[ PORT MODULE TO METASPLOIT DATABASE ]
[ LOAD - USE MODULE ]
[ CREDITS ]
Suspicious Shell Activity - RedTeam develop @2016
[ VIDEO TUTORIAL ]
Video not available
Last edit: pedro ubuntu 2016-08-30