漏洞平台

POC详情： f2784150912427fdc056ce5ca413e465fbd2afda

来源

https://github.com/HK69s/CVE-2020-27955

关联漏洞

标题： Git Lfs代码问题漏洞 (CVE-2020-27955)
描述：Git Lfs是Git Lfs团队的一个用于git项目中处理大文件的命令行工具。 Git LFS 2.12.0版本存在代码问题漏洞，该漏洞可造成远程代码执行的危害。

描述

CVE-2020-27955

介绍

# Git-lfs Remote Code Execution (RCE) exploit CVE-2020-27955 (.bat / powershell version)
## Vulnerable: git, GitHub CLI (gh), GitHub Desktop, Visual Studio Code, SourceTree, SmartGit, GitKraken etc.

Discovered by **Dawid Golunski**
* https://legalhackers.com
* https://exploitbox.io

Tested on Windows on: 

git, GitHub CLI (gh), GitHub Desktop, Visual Studio Code, SourceTree, SmartGit, GitKraken etc.

Basically, the whole Windows dev world ;)

Check out the full advisories for details and patch information:

* https://exploitbox.io/vuln/Git-Git-LFS-RCE-Exploit-CVE-2020-27955.html
* https://legalhackers.com/advisories/Git-LFS-RCE-Exploit-CVE-2020-27955.html

Video PoC:
* https://youtu.be/tlptOf9w274

There's also a Go version of this exploit:
* https://github.com/ExploitBox/git-lfs-RCE-exploit-CVE-2020-27955-Go

```

                        .;lc'
                    .,cdkkOOOko;.
                 .,lxxkkkkOOOO000Ol'
             .':oxxxxxkkkkOOOO0000KK0x:'
          .;ldxxxxxxxxkxl,.'lk0000KKKXXXKd;.
       ':oxxxxxxxxxxo;.       .:oOKKKXXXNNNNOl.
      '';ldxxxxxdc,.              ,oOXXXNNNXd;,.
     .ddc;,,:c;.         ,c:         .cxxc:;:ox:
     .dxxxxo,     .,   ,kMMM0:.  .,     .lxxxxx:
     .dxxxxxc     lW. oMMMMMMMK  d0     .xxxxxx:
     .dxxxxxc     .0k.,KWMMMWNo :X:     .xxxxxx:
     .dxxxxxc      .xN0xxxxxxxkXK,      .xxxxxx:
     .dxxxxxc    lddOMMMMWd0MMMMKddd.   .xxxxxx:
     .dxxxxxc      .cNMMMN.oMMMMx'      .xxxxxx:
     .dxxxxxc     lKo;dNMN.oMM0;:Ok.    'xxxxxx:
     .dxxxxxc    ;Mc   .lx.:o,    Kl    'xxxxxx:
     .dxxxxxdl;. .,               .. .;cdxxxxxx:
     .dxxxxxxxxxdc,.              'cdkkxxxxxxxx:
      .':oxxxxxxxxxdl;.       .;lxkkkkkxxxxdc,.
          .;ldxxxxxxxxxdc, .cxkkkkkkkkkxd:.
             .':oxxxxxxxxx.ckkkkkkkkxl,.
                 .,cdxxxxx.ckkkkkxc.
                    .':odx.ckxl,.
                        .,.'.
```

* https://exploitbox.io
* https://twitter.com/Exploit_Box


Stay tuned

文件快照


 [4.0K]  /data/pocs/f2784150912427fdc056ce5ca413e465fbd2afda
├── [  16]  big-bug-lfs-file.dat
├── [1.8K]  git.bat
├── [1.9K]  README.md
└── [ 499]  revsh_powersh.ps1

0 directories, 4 files

神龙机器人已为您缓存

备注

1. 建议优先通过来源进行访问。

2. 如果因为来源失效或无法访问，请发送邮箱到 f.jinxu#gmail.com 索取本地快照（把 # 换成 @）。

3. 神龙已为您对POC代码进行快照，为了长期维护，请考虑为本地POC付费，感谢您的支持。