Microsoft Word Template Injection is the exploitation of the VB macros mechanism found in MS Word template documents. Microsoft Word has a feature that lets a user create a document from a template. Whenever a Word document with a template is written or read, the template is loaded from the local machine or downloaded from a remote one. Thus, attackers can host a Word document template file (.dotm) with malicious macros on their servers. Whenever the victim opens the Word document, the document fetches the malicious template from the attacker's server and executes it.
In short, template injection takes advantage of Microsoft Office's ability to reach out to a file in your local file system or on a domain to download a template to be used in a document.
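A defender-side check for the mechanism described above, as an added example that is not part of the original project: the attached template is recorded as a relationship in word/_rels/settings.xml.rels, and this script reports template targets that point to a web URL or UNC path. The sample packages, host names and helper names are constructed for illustration.

```python
import io
import xml.etree.ElementTree as ET
import zipfile

RELS_PART = "word/_rels/settings.xml.rels"
REL_TAG = "{http://schemas.openxmlformats.org/package/2006/relationships}Relationship"
TEMPLATE_TYPE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                 "relationships/attachedTemplate")


def is_remote(target):
    """True for web URLs and UNC/SMB paths; local file:///C:/... paths are not remote."""
    t = target.lower()
    if t.startswith(("http://", "https://", "ftp://", "\\\\")):
        return True
    return t.startswith("file://") and not t.startswith("file:///")


def find_remote_templates(docx_bytes):
    """Return the Target of every external attachedTemplate relationship that is remote."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as pkg:
        if RELS_PART not in pkg.namelist():
            return []  # the document has no attached template
        # For bulk scanning of untrusted files, a hardened parser such as defusedxml is preferable.
        root = ET.fromstring(pkg.read(RELS_PART))
    return [rel.get("Target", "") for rel in root.iter(REL_TAG)
            if rel.get("Type") == TEMPLATE_TYPE
            and rel.get("TargetMode", "").lower() == "external"
            and is_remote(rel.get("Target", ""))]


def build_sample(target):
    """Constructed test package: a ZIP holding only the settings relationships part."""
    rels = ('<?xml version="1.0" encoding="UTF-8"?><Relationships '
            'xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
            f'<Relationship Id="rId1" Type="{TEMPLATE_TYPE}" Target="{target}" '
            'TargetMode="External"/></Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr(RELS_PART, rels)
    return buf.getvalue()


if __name__ == "__main__":
    for sample in ("https://templates.example.test/invoice.dotm",   # constructed URL
                   "file:///C:/Templates/Report.dotx"):              # constructed local path
        print(sample, "->", find_remote_templates(build_sample(sample)))
```

A hit is a lead for triage, not a verdict: organisations that serve templates from an internal share will see legitimate UNC targets.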
This vulnerability draws on knowledge from various areas and mechanisms; here you will find a summary of each of the main topics.
VBA is an implementation of Microsoft's event-driven programming language Visual Basic 6, and is used in Microsoft applications' OLE Automation. The VBA programming language can be used to write MS Word macros in order to automate the app. In this exploitation I have written a macro with VBA which is downloaded and executed when the document is opened.
In Word, you can automate frequently used tasks by creating and running macros. A macro is a series of commands and instructions that you group together as a single command to accomplish a task automatically. I use this automation to run injected VBA code when the Word application starts, and to download the payload.
Here you can find a short explanation of each folder and its contents in the project.
Contains the final payload binary, as well as the malicious dotm file.
data/WinService.txt
Contains the binary data as a text file. In order to download the binary malware without the OS blocking the file, I encoded it to a text file using certutil; the VBA macro then decodes it.
Contains the source code for the payload, written in C++. In addition, the vba macro folder contains the Visual Basic for Applications code used to write the document's macro.
- VBA (Visual Basic For Applications) - The programming language used to write the macro
- C++ - The programming language used to write the payload malware
- Microsoft Office Word - To create a malicious Word document
The POC is meant for educational purposes only! You can take this guide to the limits, but please, don't you dare do anything to hurt users in your local environment, because I know you already thought about it (well... most of you).
- Or Gur Arie - Creator and Maintainer - orgurar
This project is licensed under the MIT License - see the LICENSE file for details
- Template Injection - Mitre Attack official report
- Remote Template Injection - MS Template Injection Guide and Blog
- Inject Macros from a Remote Dotm Template - Guide and Lab for Creating a Remote Dotm with Injected Macro