Path: blob/master/documentation/modules/exploit/windows/http/git_lfs_rce.md
Vulnerable Application
Git in versions <= 2.29.2 includes the git-lfs extension, which allows remote attackers to execute arbitrary code on the victim's Windows system upon a clone operation. An attacker can plant a backdoor in the root directory of a malicious repository simply by adding an executable file named git.exe, or git with any other executable extension available on the target Windows system (dependent on the PATHEXT environment variable). When the repository is cloned, the malicious git binary is executed automatically instead of the original git binary located in a trusted path.
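A defender-side check for the condition described above, as an added example (not part of the Metasploit module or its documentation): it lists files in a repository's root that Windows would resolve as git under a given PATHEXT, and tests a `git version` string against the <= 2.29.2 range stated above. The function names, the default PATHEXT value and the sample files are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# Assumed typical Windows default; on a real host use os.environ["PATHEXT"].
DEFAULT_PATHEXT = ".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC"


def find_git_shadows(repo_root, pathext=DEFAULT_PATHEXT):
    """Return sorted names in repo_root that Windows would resolve as 'git'."""
    exts = {e.strip().lower() for e in pathext.split(";") if e.strip()}
    hits = []
    for entry in os.scandir(repo_root):
        # Only the repository root matters here; directories cannot be executed.
        if entry.is_dir(follow_symlinks=False):
            continue
        stem, ext = os.path.splitext(entry.name)
        # Windows file names are case-insensitive, so compare lowercased.
        if stem.lower() == "git" and ext.lower() in exts:
            hits.append(entry.name)
    return sorted(hits)


def git_version_is_affected(version_output, last_affected=(2, 29, 2)):
    """Check `git version` output against the <= 2.29.2 range given above."""
    match = re.search(r"(\d+)\.(\d+)\.(\d+)", version_output)
    if match is None:
        raise ValueError("no x.y.z version found in: %r" % version_output)
    return tuple(int(part) for part in match.groups()) <= last_affected


def demo():
    """Scan a constructed repository root (sample file names are made up)."""
    with tempfile.TemporaryDirectory() as root:
        for name in ("README.md", "git.txt", "git.exe", "GIT.Bat"):
            open(os.path.join(root, name), "w").close()
        os.mkdir(os.path.join(root, ".git"))
        return find_git_shadows(root)


if __name__ == "__main__":
    print("shadowing files:", demo())
    print("affected:", git_version_is_affected("git version 2.28.0.windows.1"))
```

Run `find_git_shadows` against a checkout or an unpacked mirror before any Git tooling is invoked inside it; a non-empty result means the repository root contains a file that would shadow the trusted git binary.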
Vulnerable Installation
Download a vulnerable version of Git for Windows: v2.28.0
On the Select Components section of the installer, make sure Git LFS is selected (should be by default).
You should now be able to run the exploit and get a session on Windows.
Verification Steps
Install the application
Start msfconsole
Do: use exploit/multi/http/git_lfs_rce
Do: run
Ensure the exploit sets up a repository to be cloned, ex: http://192.168.123.1:8080/fixflex.git
From the victim machine, clone the repository created by the exploit.
You should get a shell.