CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!
CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!
Path: blob/master/documentation/modules/auxiliary/fileformat/odt_badodt.md
Views: 1904
BADODT Module creates an ODT file which includes a file:// link which points back to a listening SMB capture server. This module has been tested on both LibreOffice 6.03 /Apache OpenOffice 4.1.5 and upon opening connects to the server without providing any warning to the user. This allows an attacker the opportunity to potentially steal NetNTLM hashes.
Vulnerable Application
Verification Steps
Install the application
Start msfconsole
Do:
use auxiliary/fileformat/odt_badodtCustomise Options as required
Do:
runA malicious document will then be generated.
Configure auxiliary/server/capture/smb or similar to capture hashes.
Send document to target and wait for them to open.
Options
CREATOR
This option allows you to customise the document author for the new document:
FILENAME
This option allows you to customise the generated filename:
LHOST
This option allows you to set the IP address of the SMB Listener that the .odt document points to:
Scenarios
Install LibreOffice 6.03 or Apache OpenOffice 4.1.5 on a Windows workstation. (Note: This attack does not work against Mac or Linux versions.)
On an attacker workstation, use a tool to serve and capture an SMB share on port 445, capturing NTLM hashes. Note that any tool listening on :445 will require superuser permissions:
Leave the metasploit SMB server listening while the user opens the document. Upon opening the ODT file, the user workstation will attempt to connect (and authenticate) to the attacker workstation:
Finally, crack the hash to capture the user's credentials.