CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!
CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!
Path: blob/master/documentation/modules/exploit/windows/http/gitstack_rce.md
Views: 1904
Description
An unauthenticated remote code execution vulnerability exists in GitStack through v2.3.10. This module exploits the vulnerability by sending unauthenticated REST API requests to put the application in a vulnerable state, if needed, before sending a request to trigger the exploit. These configuration changes are undone before the module exits. The module has been tested on GitStack v2.3.10.
Vulnerable Application
In vulnerable versions of GitStack, a flaw in Authentication.class.php allows unauthenticated remote code execution since $_SERVER['PHP_AUTH_PW'] is passed directly to an exec function.
To exploit the vulnerability, the repository web interface must be enabled, a repository must exist, and a user must have access to the repository.
Note: A passwd file should be created by GitStack for local user accounts. Default location: C:\GitStack\data\passwdfile.
Verification Steps
Install a vulnerable GitStack application
./msfconsoleuse exploit/windows/http/gitstack_rceset rhost <rhost>set verbose true8run
Note: You may have to run the exploit multiple times since the powershell that is generate has to be under a certain size.