Principle
A Word remote macro template attack relies on a Word document loading an attached template: when the document is opened, Word sends a request to a remote server for that template. If the remote template contains malicious macros, requesting and loading it can be used to perform malicious actions.
The document itself contains no malicious code, only a URL in its content that points to the remote server, which can bypass static detection by security software.
Implementation
Create a macro template
Two macro templates are generated here: one is the backdoor generated by CS, and the other is test macro code.
Use CS to generate macro code
Create a docx file, press Alt+F11 to open the VB editor, paste the code into it, and save it as a dotm file.
Test macro code that shows a pop-up box
Create the document file that loads the remote macro template
Create a docx file, unzip it, and modify the settings.xml.rels file under ./word/_rels/.
Repack
Run
Use phpstudy to build a temporary web server and put the two templates in the root directory of the website
After running, the following screen is captured.
A security warning appears, indicating that the macro template has been loaded.
Click Enable Content and the macro template's pop-up box appears.
When the macro template on the server is replaced with the macro code of the CS backdoor, the following prompt appears, and it needs to be allowed in the Trust Center before it will run.
Summary
There are several key points in implementing remote macro templates:
1. The docx must contain a ./word/_rels/settings.xml.rels file.
2. After changing the remote address, repack the unzipped DOCX directory: compress its contents rather than the parent directory, and use store-only mode.