Commvault Remote Command Injection #9340
```ruby
}
],
],
'Privileged' => false,
```
`Privileged` should probably be `true` if the default configuration results in a shell as SYSTEM, given that the module only supports Windows targets.
```ruby
register_options(
[
Opt::RPORT(8400),
```
Contains a redundant `,`. Could also be rewritten as:

```ruby
register_options([Opt::RPORT(8400)])
```
```ruby
def exploit

print_status("Executing payload")
buf = build_exploit()
```
Redundant `()`
```ruby
def exploit

print_status("Executing payload")
```
`Executing payload` should probably go after the `connect` method and the `Connected to Commvault Communications Service` message. Perhaps consider:

```ruby
# Connect
print_status("Connecting to Commvault Communications Service.")
connect
# Send the payload
print_status("Executing payload")
sock.put(buf)
```
```ruby
ret_data = [payload.length].pack('I>')
ret_data += payload

return ret_data
```
`return` is redundant when used as the last line of a method.
```ruby
command = command[(idx)..-1]

#Build packet
cmd_path = "C:\\Windows\\System32\\cmd.exe"
```
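Review bot: The parentheses around `idx` in `command = command[(idx)..-1]` are redundant; `command[idx..-1]` reads the same. The `#Build packet` comment is also missing the space after `#` that standard Ruby comment style expects (`# Build packet`).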
As string interpolation isn't required, this can be replaced with:

```ruby
cmd_path = 'C:\Windows\System32\cmd.exe'
```

Does the exploit work with `%COMSPEC%`? This may have the added benefit of working on systems which have the Windows directory mounted elsewhere.
Unfortunately this is a file path passed to CreateProcess so it cannot be %COMSPEC%.
```ruby
def build_exploit()

ret_data = ''
```
Is this required? It gets re-initialized later at line 98.
```ruby
end


def build_exploit()
```
Redundant `()`

Looks like
Requested changes have been committed.

Trying to verify this exploit, but it seems the vendor cannot even provide a trial version for download.

Verified! Works as advertised:

I will be landing this PR shortly :-)

Release Notes

This module exploits a command injection in Commvault's CVD process, which results in arbitrary remote code execution under the context of SYSTEM.
Command Injection Exploit for Commvault Communications Service (cvd) v11 SP5 and earlier versions

Verification

List the steps needed to make sure this thing works

- `msfconsole`
- `use exploit/windows/misc/commvault_cmd_exec`