Monday, May 23, 2016

The old Office Binder is back for more client-side funsies!



MS Office documents for targeted attacks: Re-Introducing CANVAS's Binderx module.

In targeted attacks, one of the most effective methods of compromising a remote computer is to send the victim a malicious Microsoft Office document with auto-executed VBA Macro. However,  MS Office Macros are not enabled by default and when a Macro-Embedded document is opened it will present a security warning stating that macros have been disabled and offering to “enable content”.   To achieve a successful exploitation the attacker must persuade the victim to click the button that will allow embedded Macro to run and compromise the system.  We will analyze some of the security warnings in the different MS Office versions.

VBA Macros and Ms Office's file formats

VBA Code or VBA Macros can be included in “legacy” binary formats such as .xls, .doc and .ppt
and in modern XML formatted documents like the Office Open XML file format (OOXML format) supported by MS Office 2007 and later. Documents, templates, worksheets, and presentations that you create in the MS Office 2007 release and later are saved with different file-name extensions with an “x” or an “m”.
For example, when you save a document in MS Word, the file now uses the .docx extension, instead of the .doc extension. 2007 release and later are saved with different file-name extensions with an “x” or an “m”.
For example, when you save a document in MS Word, the file now uses the .docx extension, instead of the .doc extension. To save a Macro-Embedded document you must save it as “Macro-Enabled Document” and the file-name extensions will be .docm (or .xlsm, .pptm, etc.). .

Illustration 1: Word Macro-Enabled documents in legacy format and OOXML format


Security Warnings in MS Office releases

VBA Macros are not enabled by default in MS Office versions. Hence the victim will see different warning messages.


MS Office 2007





MS Office 2010




MS Office 2016





In summary, the following table describes all messages produced when a Macro-Embedded file is opened. (Tested with legacy files and OOXML format files as well)



2007 2010 2013 2016
Security Warning Yes Yes Yes Yes
Security Alert Window Yes No No No


As we can see in the table above, in MS Office 2010 and higher versions there is no Security Alert Window. Of course, as we mentioned before, a successful exploitation relies on your social engineering skills to induce the victim to enable the macro execution.

Introducing Binderx module

CANVAS's Binderx module allows you to create an MS Office blank document with an embedded payload that will be executed using a VBA Macro.

Two types of document files can be created with the module: MS Word or MS Excel (using “legacy” format or OOXML format).

It is worth it to mention that MS Powerpoint does not include auto-execution Macro support like the ones available in MS Word and MS Excel.

Additionally, we added support to both Windows MOSDEF shellcode and PowerShell

Creating a legacy MS Word document with a PowerShell payload
Everyone loves a good shell!


Enjoy it! As always we appreciate any feedback from your experiences with these features during your penetration tests!

AnĂ­bal Irrera.