Add module for CVE-2021-21300 and Git mixins #15532
Conversation
@msjenkins-r7 test this please
Really nice work, @space-r7!
use methods in git_submodule_command_exec
add fixes to packfile mixin
also includes packfile obj metadata changes
also adds the ability to further customize commits, including the option to use a custom email address, name, commit message, etc.
post-checkout is the only hook that will work with this exploit, so no option is needed. Also update the documentation to reflect that.
This is working for me on macOS:
but I can't seem to get it to work on Windows 10 (https://github.com/git-for-windows/git/releases/tag/v2.29.0.windows.1):
I ensured git lfs and symbolic links were enabled during installation. Any ideas?
Are you running Git Bash as an administrator? Symbolic links on Windows require the
Ah that was it, thanks!
Thanks so much!
Confirmed exploit/multi/http/git_lfs_clone_command_exec against:
Confirmed exploit/multi/http/git_submodule_command_exec with:
Confirmed exploit/multi/http/git_submodule_url_exec with:
git version 2.29.0.windows.1 on Windows 10:
Release Notes
An exploit module for CVE-2021-21300, an RCE vulnerability in affected Git clients that support delay-capable clean / smudge filters and symbolic links on case-insensitive file systems. Additionally, a set of mixins that aid in exploiting Git clients over the Smart HTTP protocol have been added to Metasploit, and the code for older Git-related exploits has been updated to utilize some of this new code.
Description
This adds an exploit module for CVE-2021-21300 and a set of mixins that aid in exploiting Git clients over the Smart HTTP protocol. This also updates older Git-related exploits to use some of the new code.
Git clients that support delay-capable clean / smudge filters and symbolic links on case-insensitive file systems are vulnerable to remote code execution while cloning a repository. Usage of clean / smudge filters through Git LFS and a case-insensitive file system changes the checkout order of repository files, which enables the placement of a Git hook in the .git/hooks directory. By default, this module writes a post-checkout script so that the payload will automatically be executed upon checkout of the repository.
Verification
use exploit/multi/http/git_lfs_clone_command_exec
run
git clone <git_repo>
Scenarios
CVE-2021-21300
Git 2.30.1 for Windows
Git 2.20.1 for MacOS
Updated Modules
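The description above explains that the technique works by getting an active hook (post-checkout) into .git/hooks during checkout, something a normal clone never does, and that it depends on Git LFS clean / smudge filter rules in .gitattributes. The following is an added example, not code from this PR or from Metasploit: a small POSIX shell audit a defender can run against a checkout before using it. It only inspects the standard Git layout (.git/hooks and .gitattributes), so it does not need git installed. The function names and the fixture directory it builds to demonstrate itself are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the Metasploit PR: audit a cloned repository for
# the artefact the CVE-2021-21300 technique relies on, an active (non-.sample)
# hook such as post-checkout in .git/hooks, and list the .gitattributes rules
# that route files through the LFS clean/smudge filter.
# Assumes POSIX sh, grep, basename and mktemp; git itself is not required.

# Print the names of hooks in <repo>/.git/hooks that are not stock *.sample
# files. A freshly cloned repository should print nothing here.
active_hooks() {
    hooks_dir="$1/.git/hooks"
    [ -d "$hooks_dir" ] || return 0
    for hook in "$hooks_dir"/*; do
        [ -e "$hook" ] || continue               # empty dir: glob stays literal
        case "$hook" in *.sample) continue ;; esac
        basename "$hook"
    done
}

# Print the .gitattributes lines that enable the LFS smudge/clean filter.
lfs_filter_rules() {
    attrs="$1/.gitattributes"
    [ -f "$attrs" ] || return 0
    grep -E 'filter=lfs' "$attrs" || true
}

# Summarise both checks. Exit status 1 means an active hook was found.
audit_clone() {
    repo="$1"
    hooks=$(active_hooks "$repo")
    rules=$(lfs_filter_rules "$repo")
    printf 'repository: %s\n' "$repo"
    printf 'lfs filter rules: %s\n' "$(printf '%s' "$rules" | grep -c .)"
    if [ -n "$hooks" ]; then
        printf 'ACTIVE HOOKS PRESENT:\n%s\n' "$hooks"
        return 1
    fi
    printf 'no active hooks\n'
    return 0
}

# Constructed fixture standing in for a suspicious clone: one LFS rule and a
# post-checkout hook, which a clone never writes on its own.
make_fixture() {
    dir=$(mktemp -d)
    mkdir -p "$dir/.git/hooks"
    : > "$dir/.git/hooks/pre-commit.sample"
    printf '#!/bin/sh\necho hook ran\n' > "$dir/.git/hooks/post-checkout"
    chmod +x "$dir/.git/hooks/post-checkout"
    printf '*.bin filter=lfs diff=lfs merge=lfs -text\n' > "$dir/.gitattributes"
    printf '%s' "$dir"
}

fixture=$(make_fixture)
if audit_clone "$fixture"; then
    echo "verdict: clean"
else
    echo "verdict: inspect the listed hooks before running anything in this checkout"
fi
rm -rf "$fixture"
```

Run it against a real checkout with `audit_clone /path/to/clone`; a non-zero exit status flags a hook that was not installed by the user. Because the hook fires on checkout, the useful moment to run this is after a `git clone --no-checkout` of an untrusted repository, before the working tree is checked out.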