Update office_word_macro exploit to support template injection

This commit is contained in:
wchen-r7
2017-05-25 15:53:45 -05:00
parent e4ea618edf
commit ee13195760
19 changed files with 273 additions and 101 deletions
@@ -1,13 +1,16 @@
## Description
This module generates a macro-enabled Microsoft Office Word document. It does not target a specific
CVE or vulnerability, this is more of a feature-abuse in Office, however this type of
social-engineering attack still remains common today.
This module generates a macro-enabled Microsoft Office Word document (docm). It does not target a
specific CVE or vulnerability, instead it's more of a feature-abuse in Office, and yet it's still a
popular type of social-engineering attack such as in ransomware.
There are many ways to create this type of malicious doc. The module injects the Base64-encoded
payload in the comments field, which will get decoded back by the macro and executed as a Windows
executable when the Office document is launched.
By default, the module uses a built-in Office document (docx) as the template. It injects the
Base64-encoded payload into the comments field, which will get decoded back by the macro and executed
as a Windows executable when the Office document is launched.
If you do not wish to use the built-in docx template, you can also choose your own. Please see more
details below.
## Vulnerable Application
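Review bot: the new description never says what "template injection" (the feature named in the commit title) actually does to the user's docx, and "If you do not wish to use the built-in docx template, you can also choose your own. Please see more details below." leaves the reader to hunt for it. State here that the supplied docx is used as the body into which the macro and the Base64 payload are injected, and name the places that cover it ("Building the Office Document Template" and the CUSTOMTEMPLATE option) instead of "see more details below". Minor wording: "instead it's more of a feature-abuse in Office, and yet it's still a popular type of social-engineering attack such as in ransomware" is a run-on; something like "it abuses a legitimate Office feature, and it remains a popular social-engineering vector, for example in ransomware campaigns" reads cleaner.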
@@ -22,58 +25,74 @@ Specifically, this module was tested specifically against:
* Microsoft Office 2016.
* Microsoft Office Word 15.29.1 (161215).
## Building the Office Document Template
It is recommended that you build your Office document (docx) template from either one of these
applications:
* Google Docs
* Microsoft Office Word
**Google Docs**
Google Docs is ideal in case you don't have Microsoft Office available.
Before you start, make sure you have a Gmail account.
Next, to create a new document, please go to the following:
[https://docs.google.com/document/?usp=mkt_docs](https://docs.google.com/document/?usp=mkt_docs)
To save the document as a docx on Google docs:
1. Click on File
2. Go to Download as
3. Click on Microsoft Word (.docx)
**Microsoft Office Word**
If you already have Microsoft Office, you can use it to create a docx file and use it as a template.
## Verification Steps
**To use the default template**
1. ```use exploit/multi/fileformat/office_word_macro```
2. ```set PAYLOAD [PAYLOAD NAME]```
3. Configure the rest of the settings accordingly (BODY, LHOST, LPORT, etc)
3. Configure the rest of the settings accordingly (LHOST, LPORT, etc)
4. ```exploit```
5. The module should generate the malicious docm.
**To use the custom template**
1. ```use exploit/multi/fileformat/office_word_macro```
2. ```set PAYLOAD [PAYLOAD NAME]```
3. ```set CUSTOMTEMPLATE [DOCX PATH]```
4. Configure the rest of the settings accordingly
5. ```exploit```
6. The module should generate the malicious docm.
## Options
**BODY** Text to put in the Office document. See **Modification** below if you wish to modify more.
## Demo
In this example, first we generate the malicious docm exploit, and then we set up a
windows/meterpreter/reverse_tcp handler to receive a session. Next, we copy the docm
exploit to a Windows machine with Office 2013 installed, when the document runs the
macro, we get a session:
![macro_demo](https://cloud.githubusercontent.com/assets/1170914/22602348/751f9d66-ea08-11e6-92ce-4e52f88aaebf.gif)
## Modification
To use this exploit in a real environment, you will most likely need to modify the docm content.
Here's one approach you can do:
1. Use the module to generate the malicious docm
2. Copy the malicious docm to the vulnerable machine, and edit it with Microsoft Office (such as 2013).
When you open the document, the payload will probably do something on your machine. It's ok,
since you generated it, it should not cause any problems for you.
3. Save the doc, and test again to make sure the payload still works.
While editing, you should avoid modifying the following unless you are an advanced user:
* The comments field. If you have to modify this, make sure to create 55 empty spaces
in front of the payload string. The blank space is for making the payload less obvious
at first sight if the user views the file properties.
* The VB code in the macro.
**CUSTOMTEMPLATE** A docx file that will be used as a template to build the exploit.
## Trusted Document
By default, Microsoft Office does not execute macros automatically unless it is considered as a
trusted document. This means that if a macro is present, the user will most likely need to manually
click on the "Enable Content" button in order to run the macro.
click on the "Enable Content" or "Enable Macro" button in order to run the macro.
Many in-the-wild attacks face this type of challenge, and most rely on social-engineering to trick
the user into allowing the macro to run. For example, making the document look like something
written from a legit source, such as [this attack](https://motherboard.vice.com/en_us/article/these-hackers-cleverly-disguised-their-malware-as-a-document-about-trumps-victory).
To truly make the macro document to run without any warnings, you must somehow figure out a way to
To truly make the macro document run without any warnings, you must somehow figure out a way to
sign the macro by a trusted publisher, or using a certificate that the targeted machine trusts.
If money is not an issue, you can easily buy a certificate on-line:
[https://www.sslshopper.com/microsoft-vba-code-signing-certificates.html](https://www.sslshopper.com/microsoft-vba-code-signing-certificates.html)
For testing purposes, another way to have a certificate is to create a self-signed one using
Microsoft Office's SELFCERT.exe utility. This tool can be found in the following path on
Windows:
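Review bot: the verification step was changed from "Configure the rest of the settings accordingly (BODY, LHOST, LPORT, etc)" to "(LHOST, LPORT, etc)", but the Options section still carries "**BODY** Text to put in the Office document. See **Modification** below if you wish to modify more." while the Modification section it points to is the one being replaced by the CUSTOMTEMPLATE option. Either drop the BODY entry (and its dangling "See **Modification** below" reference) if the option is gone now that a custom docx supplies the document content, or keep BODY in the verification step if the option still exists; as written the two sections contradict each other. Two smaller items in the same hunk: the hunk header context "Specifically, this module was tested specifically against:" has a duplicated "specifically", and the custom-template steps should tell the reader that the docx they supply is the document body and that the macro and payload are added by the module, so they should not hand-edit the comments field or the VBA afterwards (the advice that used to live under Modification and now has no home).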