Add LibreOffice LibreLogo exec exploit Module (CVE-2019-9851) #12207
uses on dom-loaded event (triggered just after opening the document) and still working on 6.2.5
Co-Authored-By: bcoles <bcoles@gmail.com>
Co-Authored-By: Carter Brainerd <0xCB@protonmail.com>
This new CVE explains this exploit (global events are used)
Hi, @LoadLow! I made a PR on your branch that includes changes so your module can use Python payloads. The module works for both Windows and Linux, but an error window now pops up once your Meterpreter session is closed. There might be a specific setting for the
Use Python instead of platform-dependent code
- Changes target to Automatic
- Set default options instead of default target for options
- Adds links for the two vulnerabilities exploited by this module
- Removes unnecessary double encoding+eval
Hi @space-r7! I have changed some options and it should now work without this error popup.
Tested automatic targeting with Python payload on Linux Mint 19 using the latest commit at the time (
I performed a little experimentation, but nothing thorough. I noticed that exploitation seemed to be a little unreliable. However, this was likely due to alt-tabbing out of the test VM during exploitation, preventing the mousemove event from firing. This is unlikely to be an issue in practice. There's also the issue of leaving lingering
Out of ~20 exploitation attempts, I encountered one system freeze, rendering X unresponsive, which required switching to TTY1 to kill off the
Edit: Also, apparently my system ran out of memory which probably wouldn't have helped.
Thank you for the feedback! It seems it is heavier than when we were executing a subprocess with the payload exec by calling
Metadata part is not mandatory on ODT files
Prevents autosave and further modifications after opening the document on the target system.
Without looking into it, or testing the changes since For what it's worth, the session doesn't die when I close the document - not sure if that behavior was introduced in the newer commits?
Just tested the latest commits on both Windows and Linux. The session dies upon closing LibreOffice on Windows, but stays alive when the file is closed on Linux. It looks like the
Welp. The original targets could be added back in, leaving python as the default. But I'm happy with the module as is.
Will keep the single Python target as exploitation is much more likely if the target is unknown. Will see if there is any potential for extending the
Tested on Windows and Linux with the latest changes:
Release Notes
The LibreOffice LibreLogo Exec module has been added to the framework. It exploits a vulnerability in LibreLogo when bundled with LibreOffice. This module generates an
Follows #12147
Resolves #12103
Exploit written 17 days ago, before CVE-2019-9851 was publicly announced/disclosed.
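A defender-side triage check for ODT files of the kind discussed in this thread, as an added example that is not part of the pull request or of the Metasploit code: it lists every event-to-script binding in a document and flags those whose script URI points at LibreLogo. It assumes bindings are stored as ODF script:event-listener elements in content.xml or styles.xml; the function names, the size cap, the "librelogo" substring match and the sample document (with a placeholder script name) are constructed for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

SCRIPT_NS = "urn:oasis:names:tc:opendocument:xmlns:script:1.0"
XLINK_NS = "http://www.w3.org/1999/xlink"
PARTS = ("content.xml", "styles.xml")   # ODF parts assumed to carry event listeners
MAX_PART = 20 * 1024 * 1024             # assumed cap against decompression bombs

def find_event_scripts(odt_bytes):
    """Return (part, event, script_uri, is_librelogo) for each event binding."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(odt_bytes)) as zf:
        for part in PARTS:
            if part not in zf.namelist():
                continue
            if zf.getinfo(part).file_size > MAX_PART:
                raise ValueError(f"{part}: too large to scan safely")
            data = zf.read(part)
            if b"<!DOCTYPE" in data:    # ODF parts carry no DTD; refuse entity tricks
                raise ValueError(f"{part}: unexpected DOCTYPE")
            for el in ET.fromstring(data).iter(f"{{{SCRIPT_NS}}}event-listener"):
                event = el.get(f"{{{SCRIPT_NS}}}event-name", "")
                uri = el.get(f"{{{XLINK_NS}}}href", "")
                findings.append((part, event, uri, "librelogo" in uri.lower()))
    return findings

# Constructed sample: one binding to a placeholder LibreLogo script, one to a Basic macro.
SAMPLE_CONTENT = b"""<?xml version="1.0" encoding="UTF-8"?>
<office:document-content xmlns:office="urn:oasis:names:tc:opendocument:xmlns:office:1.0"
    xmlns:script="urn:oasis:names:tc:opendocument:xmlns:script:1.0"
    xmlns:xlink="http://www.w3.org/1999/xlink">
  <office:scripts><office:event-listeners>
    <script:event-listener script:language="ooo:script" script:event-name="dom:load"
      xlink:href="vnd.sun.star.script:LibreLogo/PLACEHOLDER?language=Python&amp;location=share"/>
    <script:event-listener script:language="ooo:script" script:event-name="dom:save"
      xlink:href="vnd.sun.star.script:Standard.Module1.Main?language=Basic&amp;location=document"/>
  </office:event-listeners></office:scripts>
</office:document-content>"""

def build_sample_odt():
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("mimetype", "application/vnd.oasis.opendocument.text")
        zf.writestr("content.xml", SAMPLE_CONTENT)
    return buf.getvalue()

if __name__ == "__main__":
    for part, event, uri, hit in find_event_scripts(build_sample_odt()):
        print("ALERT" if hit else "info ", part, event, uri)
```

Any binding that runs a script when the document is opened is worth a look during mail or file-share triage; the LibreLogo flag only ranks the findings.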