Add Libreoffice macro exec exploit module #11729
[ 'URL', 'https://insert-script.blogspot.com/2019/02/libreoffice-cve-2018-16858-remote-code.html' ] | ||
], | ||
'Platform' => [ 'win', 'linux' ], | ||
'Arch' => [ ARCH_X86, ARCH_X64 ], |
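Review bot: The only reference visible in this hunk is the blog URL on its first line, and that URL's slug names cve-2018-16858; if the reference lines above the hunk do not already include a `[ 'CVE', '2018-16858' ]` entry, add one so the module can be found by its CVE identifier.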
While 'Arch' here seems to indicate I can select a 64-bit payload, the targets below restrict this to just 32-bit.
I wonder if you couldn't just use 'ARCH_ALL', since I don't think it actually matters for this exploit.
Executing a default payload in this context hangs LibreOffice, if the payload does not return execution to the script. I think setting PrependMigrate / PrependFork is a must for any native payloads. Would it make sense to have that automatically configured by the module?
That makes sense to me. Thank you!
Perfect, thanks!
Release Notes

The multi/fileformat/libreoffice_macro_exec exploit module has been added to the framework. This module exploits a directory traversal vulnerability in LibreOffice v6.1.0-6.1.2.1 that enables remote code execution by running sample macros bundled with the suite.
This module exploits a directory traversal vulnerability in LibreOffice `v6.1.0-6.1.2.1` that enables remote code execution.

LibreOffice comes bundled with sample macros written in Python and allows the ability to bind program events to them. A macro can be tied to a program event by including the script that contains the macro and the function name to be executed. Additionally, a directory traversal vulnerability exists in the component that references the Python script to be executed. This allows a program event to execute functions from Python scripts relative to the path of the samples macros folder. The `pydoc.py` script included with LibreOffice contains the `tempfilepager` function that passes arguments to `os.system`, allowing RCE.

This module generates an ODT file with a mouse over event that when triggered, will execute arbitrary code. Tested on LibreOffice versions `6.1.0.1` and `6.1.2.1` on Windows and Linux.

Note: `6.0.x` and `6.1.3.x` versions are reportedly vulnerable to the directory traversal attack, but are not exploitable by this module due to the lack of ability to pass arguments.

Verification
use exploit/multi/fileformat/libreoffice_macro_exec
set FILENAME <name>
set LHOST <ip>
set LPORT <port>
run
Scenarios
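For triage of the document type described in this pull request, a defender can flag ODF files whose event bindings reference a script path containing `..` segments. This is an added example, not code from the module or the pull request; the function names, the placeholder traversal path, and the choice to treat percent-encoded and backslash forms as traversal are assumptions, and the sample documents are constructed.

```python
import html
import io
import re
import zipfile
from urllib.parse import unquote

# Script-provider URI as it appears in an xlink:href; group 1 is the part before '?'.
SCRIPT_URI = re.compile(r"vnd\.sun\.star\.script:([^\"'?\s]*)")

def traversal_bindings(odt_bytes):
    """Return (member, uri) pairs whose script path contains a '..' segment."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(odt_bytes)) as pkg:
        for name in pkg.namelist():
            if not name.endswith(".xml"):
                continue
            # Undo XML entity encoding so '&#46;&#46;' cannot hide the dots.
            text = html.unescape(pkg.read(name).decode("utf-8", errors="replace"))
            for m in SCRIPT_URI.finditer(text):
                # Assumption: treat percent-encoded and backslash forms as traversal too.
                path = unquote(m.group(1)).split("$", 1)[0].replace("\\", "/")
                if ".." in path.split("/"):
                    hits.append((name, m.group(0)))
    return hits

def make_odt(href):
    """Build a constructed, minimal ODF-like package with one event binding."""
    content = (
        '<office:document-content><office:event-listeners>'
        '<script:event-listener script:language="ooo:script" '
        'script:event-name="dom:mouseover" xlink:type="simple" '
        f'xlink:href="{href}"/>'
        '</office:event-listeners></office:document-content>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("mimetype", "application/vnd.oasis.opendocument.text")
        pkg.writestr("content.xml", content)
    return buf.getvalue()

# Constructed sample hrefs; the traversal path and function name are placeholders.
BENIGN = "vnd.sun.star.script:HelloWorld.py$HelloWorldPython?language=Python&amp;location=share"
SUSPECT = "vnd.sun.star.script:../../placeholder/mod.py$func?language=Python&amp;location=share"

if __name__ == "__main__":
    for label, href in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(label, traversal_bindings(make_odt(href)))
```

A hit only means the binding reaches outside the script location it names; whether the referenced function is dangerous still has to be judged against the installed LibreOffice version.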