From df49345f5da0e99d10c1958469c826708dc189ff Mon Sep 17 00:00:00 2001 From: Wei Chen Date: Tue, 27 Mar 2018 12:59:49 -0500 Subject: [PATCH] Update gitstack_rce.md --- .../exploit/windows/http/gitstack_rce.md | 27 ++++++++++++------- 1 file changed, 17 insertions(+), 10 deletions(-) diff --git a/documentation/modules/exploit/windows/http/gitstack_rce.md b/documentation/modules/exploit/windows/http/gitstack_rce.md index 11fe5ff70d..8e486bab88 100644 --- a/documentation/modules/exploit/windows/http/gitstack_rce.md +++ b/documentation/modules/exploit/windows/http/gitstack_rce.md 
@@ -1,25 +1,32 @@ ## Description -An unauthenticated remote code execution vulnerability exists in GitStack through v2.3.10. This module exploits the vulnerability by sending unauthenticated REST API requests to put the application in a vulnerable state, if needed, before sending a request to trigger the exploit. These configuration changes are undone before the module exits. The module has been tested on GitStack v2.3.10. +An unauthenticated remote code execution vulnerability exists in GitStack through v2.3.10. This +module exploits the vulnerability by sending unauthenticated REST API requests to put the +application in a vulnerable state, if needed, before sending a request to trigger the exploit. +These configuration changes are undone before the module exits. The module has been tested on +GitStack v2.3.10. ## Vulnerable Application In vulnerable versions of GitStack, a flaw in `Authentication.class.php` allows [unauthenticated remote code execution](https://security.szurek.pl/gitstack-2310-unauthenticated-rce.html) since `$_SERVER['PHP_AUTH_PW']` is passed directly to an `exec` function. -To exploit the vulnerability, the repository web interface must be enabled, a repository must exist, and a user must have access to the repository. +To exploit the vulnerability, the repository web interface must be enabled, a repository must +exist, and a user must have access to the repository. -Note: A passwd file should be created by GitStack for local user accounts. Default location: `C:\GitStack\data\passwdfile`. +Note: A passwd file should be created by GitStack for local user accounts. +Default location: `C:\GitStack\data\passwdfile`. 
## Verification Steps -- [ ] Install a vulnerable GitStack application -- [ ] `./msfconsole` -- [ ] `use exploit/windows/http/gitstack_rce` -- [ ] `set rhost ` -- [ ] `set verbose true` -- [ ] `run` +* Install a vulnerable GitStack application +* `./msfconsole` +* `use exploit/windows/http/gitstack_rce` +* `set rhost ` +* `set verbose true` +8 `run` -Note: You may have to run the exploit multiple times since the powershell that is generate has to be under a certain size. +Note: You may have to run the exploit multiple times since the powershell that is generate has to +be under a certain size. ## Scenarios
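Review bot: the last item of the rewritten Verification Steps list, `+8 `run``, uses `8` where every other item uses `*`, so it will render as a stray line rather than a bullet; change it to `* `run``. Two smaller points in the same hunk: the rewrapped note still says "the powershell that is generate has to be under a certain size", where "generate" should be "generated", and `set rhost ` (both the removed and the added line) carries no value after it, so the placeholder for the target host appears to have been lost and should be restored so the step is complete.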