Skip to content

ExploitBox/git-lfs-RCE-exploit-CVE-2020-27955-Go

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

7 Commits
 
 
 
 
 
 

Repository files navigation

Git-lfs Remote Code Execution (RCE) exploit CVE-2020-27955 (Go version)

Vulnerable: git, GitHub CLI (gh), GitHub Desktop, Visual Studio Code, SourceTree, SmartGit, GitKraken etc.

Discovered by Dawid Golunski

Tested on Windows on:

git, GitHub CLI (gh), GitHub Desktop, Visual Studio Code, SourceTree, SmartGit, GitKraken etc.

Basically, the whole Windows dev world ;)

Check out the full advisories for details and patch information:

Video PoC:

There's also a BAT / Powershell version of this exploit in a repo with LFS enabled already:


                        .;lc'
                    .,cdkkOOOko;.
                 .,lxxkkkkOOOO000Ol'
             .':oxxxxxkkkkOOOO0000KK0x:'
          .;ldxxxxxxxxkxl,.'lk0000KKKXXXKd;.
       ':oxxxxxxxxxxo;.       .:oOKKKXXXNNNNOl.
      '';ldxxxxxdc,.              ,oOXXXNNNXd;,.
     .ddc;,,:c;.         ,c:         .cxxc:;:ox:
     .dxxxxo,     .,   ,kMMM0:.  .,     .lxxxxx:
     .dxxxxxc     lW. oMMMMMMMK  d0     .xxxxxx:
     .dxxxxxc     .0k.,KWMMMWNo :X:     .xxxxxx:
     .dxxxxxc      .xN0xxxxxxxkXK,      .xxxxxx:
     .dxxxxxc    lddOMMMMWd0MMMMKddd.   .xxxxxx:
     .dxxxxxc      .cNMMMN.oMMMMx'      .xxxxxx:
     .dxxxxxc     lKo;dNMN.oMM0;:Ok.    'xxxxxx:
     .dxxxxxc    ;Mc   .lx.:o,    Kl    'xxxxxx:
     .dxxxxxdl;. .,               .. .;cdxxxxxx:
     .dxxxxxxxxxdc,.              'cdkkxxxxxxxx:
      .':oxxxxxxxxxdl;.       .;lxkkkkkxxxxdc,.
          .;ldxxxxxxxxxdc, .cxkkkkkkkkkxd:.
             .':oxxxxxxxxx.ckkkkkkkkxl,.
                 .,cdxxxxx.ckkkkkxc.
                    .':odx.ckxl,.
                        .,.'.

https://exploitbox.io https://twitter.com/Exploit_Box

Stay tuned

About

No description, website, or topics provided.

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages