Module: Msf::Exploit::Git::SmartHttp

Includes:

PktLine, Remote::HttpClient

Defined in:

lib/msf/core/exploit/git/smart_http.rb,
lib/msf/core/exploit/git/smart_http/request.rb,
lib/msf/core/exploit/git/smart_http/response.rb

Defined Under Namespace

Classes: Request, Response

Constant Summary

Constants included from PktLine

PktLine::DELIM_PKT, PktLine::FLUSH_PKT, PktLine::RESPONSE_END_PKT

Instance Attribute Summary

Attributes included from Remote::HttpClient

#client, #cookie_jar

Instance Method Summary

• #agent ⇒ Object
• #client_capabilities ⇒ Object
• #get_ref_discovery_response(request, refs) ⇒ Msf::Exploit::Git::SmartHttp::Response

  This will generate a response to a ref discovery request.

• #get_upload_pack_response(request, git_obj_list) ⇒ Msf::Exploit::Git::SmartHttp::Response

  This will generate a response to an upload pack request.

• #git_pass ⇒ Object
• #git_user ⇒ Object
• #initialize(info = {}) ⇒ Object
• #send_receive_pack_request(git_uri, ref, objects, branch_tip = '') ⇒ Object

  Sends request containing Git objects to push to remote repository.

• #send_ref_discovery_request(git_uri) ⇒ Response

  Sends the initial Git request for a Git push.

• #send_upload_pack_request(git_uri) ⇒ Response

  Sends the initial Git request for a Git clone.

• #send_want_request(git_uri, git_objs) ⇒ Response

  Sends a request containing objects client wants to the server.

• #server_capabilities(refs) ⇒ Object

Methods included from Remote::HttpClient

#basic_auth, #cleanup, #configure_http_login_scanner, #connect, #connect_ws, #deregister_http_client_options, #disconnect, #download, #full_uri, #handler, #http_fingerprint, #lookup_http_fingerprints, #normalize_uri, #path_from_uri, #peer, #proxies, #reconfig_redirect_opts!, #request_opts_from_url, #request_url, #rhost, #rport, #send_request_cgi, #send_request_cgi!, #send_request_raw, #service_details, #setup, #ssl, #ssl_version, #strip_tags, #target_uri, #validate_fingerprint, #vhost

Methods included from Auxiliary::LoginScanner

#configure_login_scanner

Methods included from Auxiliary::Report

#active_db?, #create_cracked_credential, #create_credential, #create_credential_and_login, #create_credential_login, #db, #db_warning_given?, #get_client, #get_host, #inside_workspace_boundary?, #invalidate_login, #mytask, #myworkspace, #myworkspace_id, #report_auth_info, #report_client, #report_exploit, #report_host, #report_loot, #report_note, #report_service, #report_vuln, #report_web_form, #report_web_page, #report_web_site, #report_web_vuln, #store_cred, #store_local, #store_loot

Methods included from Metasploit::Framework::Require

optionally, optionally_active_record_railtie, optionally_include_metasploit_credential_creation, #optionally_include_metasploit_credential_creation, optionally_require_metasploit_db_gem_engines

Methods included from PktLine

generate_data_pkt, generate_pkt_line, get_pkt_line_data, get_pkt_lines, has_pkt_line_data?, request_ends

Instance Method Details

#agent ⇒ Object

# File 'lib/msf/core/exploit/git/smart_http.rb', line 44

def agent
  major = '2'
  minor = Rex::Text.rand_text_numeric(1..2)

  "git/#{major}.#{minor}.#{Rex::Text.rand_text_numeric(1)}"
end

#client_capabilities ⇒ Object

# File 'lib/msf/core/exploit/git/smart_http.rb', line 40

def client_capabilities
  "report-status side-band-64k agent=#{@git_agent}"
end

#get_ref_discovery_response(request, refs) ⇒ Msf::Exploit::Git::SmartHttp::Response

This will generate a response to a ref discovery request

Parameters:

• request (Msf::Exploit::Git::SmartHttp::Request) —

  received from Git client

• Hash (Hash) —

  of repo references

Returns:

• (Msf::Exploit::Git::SmartHttp::Response) —

  nil if response cannot be created

# File 'lib/msf/core/exploit/git/smart_http.rb', line 152

def get_ref_discovery_response(request, refs)
  return nil unless request

  opts = {}
  unless request.type == 'ref-discovery'
    opts[:code] = 403
    opts[:message] = 'Forbidden'
    vprint_error('Invalid request type.')
    return Msf::Exploit::Git::SmartHttp::Response.new(opts)
  end

  resp_body = build_pkt_line_advertise(refs)
  return nil unless resp_body

  opts[:type] = 'ref-discovery'
  response = Msf::Exploit::Git::SmartHttp::Response.new(opts)
  response.body = resp_body

  response
end

#get_upload_pack_response(request, git_obj_list) ⇒ Msf::Exploit::Git::SmartHttp::Response

This will generate a response to an upload pack request

Parameters:

• request (Msf::Exploit::Git::SmartHttp::Request) —

  received from Git client

• list (Array) —

  of Git objects in repo to send

Returns:

• (Msf::Exploit::Git::SmartHttp::Response) —

  nil if response cannot be created

# File 'lib/msf/core/exploit/git/smart_http.rb', line 182

def get_upload_pack_response(request, git_obj_list)
  request.populate_wants_haves
  want_list = request.wants
  return nil if want_list.empty? || git_obj_list.empty?

  opts = {}
  packfile_objs = []
  opts[:type] = 'upload-pack'
  want_list.each do |sha1|
    git_obj_list.each { |git_obj| packfile_objs << git_obj if git_obj.sha1 == sha1 }
  end

  opts[:wants] = packfile_objs
  packfile = Packfile.new(nil, git_obj_list)
  response = Msf::Exploit::Git::SmartHttp::Response.new(opts)
  response.body = build_pkt_line_sideband(packfile)

  response
end

#git_pass ⇒ Object

# File 'lib/msf/core/exploit/git/smart_http.rb', line 29

def git_pass
  datastore['GitPassword']
end

#git_user ⇒ Object

# File 'lib/msf/core/exploit/git/smart_http.rb', line 25

def git_user
  datastore['GitUsername']
end

#initialize(info = {}) ⇒ Object

# File 'lib/msf/core/exploit/git/smart_http.rb', line 10

def initialize(info = {})
  super

  register_options([
    Msf::OptString.new('GIT_URI', [ true, 'Git repository path', '' ])
  ])

  register_advanced_options([
    Msf::OptString.new('GitUsername', [ false, 'The Git user name for authentication', '' ]),
    Msf::OptString.new('GitPassword', [ false, 'The Git password for authentication', '' ])
  ])

  @git_agent = agent
end

#send_receive_pack_request(git_uri, ref, objects, branch_tip = '') ⇒ Object

Sends request containing Git objects to push to remote repository

return [Response]

Parameters:

• URI (String) —

  of Git repository to push to

• Name (String) —

  of ref that commits will be pushed to, ex, refs/heads/master

• Git (Array) —

  objects to push to remote repo

• The (String) —

  branch tip of the remote repository

# File 'lib/msf/core/exploit/git/smart_http.rb', line 124

def send_receive_pack_request(git_uri, ref, objects, branch_tip = '')
  packfile = Packfile.new(nil, objects)
  pkt_line = build_pkt_line_receive_pack(ref, objects, branch_tip)
  data = pkt_line + packfile.data

  request_params =
  {
    'method' => 'POST',
    'uri' => normalize_uri(git_uri, 'git-receive-pack'),
    'authorization' => basic_auth(git_user, git_pass),
    'agent' => @git_agent,
    'ctype'  =>  'application/x-git-receive-pack-request',
    'headers' => { 'Accept' =>  'application/x-git-receive-pack-result' },
    'data' => data
  }

  send_request_cgi(request_params)
end

#send_ref_discovery_request(git_uri) ⇒ Response

Sends the initial Git request for a Git push

Parameters:

• the (String) —

  uri to the Git repo

Returns:

• (Response)

# File 'lib/msf/core/exploit/git/smart_http.rb', line 92

def send_ref_discovery_request(git_uri)
  puts 'sending ref discovery request'
  request_params =
  {
    'method' => 'GET',
    'uri' => normalize_uri(git_uri, 'info/refs'),
    'agent' => @git_agent,
    'vars_get' => { 'service' => 'git-receive-pack' }
  }

  response = send_request_cgi(request_params)
  return nil unless response

  return response unless response.code == 401
  if git_user.empty? || git_pass.empty?
    raise ArgumentError, 'Credentials are needed to authenticate to Git server'
  end

  request_params.merge!('authorization' => basic_auth(git_user, git_pass))
  send_request_cgi(request_params)
end

#send_upload_pack_request(git_uri) ⇒ Response

Sends the initial Git request for a Git clone

Parameters:

• the (String) —

  uri to the Git repo

Returns:

• (Response)

# File 'lib/msf/core/exploit/git/smart_http.rb', line 57

def send_upload_pack_request(git_uri)
  request_params =
  {
    'method' => 'GET',
    'uri' => normalize_uri(git_uri, 'info/refs'),
    'vars_get' => { 'service' => 'git-upload-pack' }
  }

  send_request_cgi(request_params)
end

#send_want_request(git_uri, git_objs) ⇒ Response

Sends a request containing objects client wants to the server

Parameters:

• the (String) —

  uri to the Git repo

Returns:

• (Response)

# File 'lib/msf/core/exploit/git/smart_http.rb', line 74

def send_want_request(git_uri, git_objs)
  request_params =
  {
    'method' => 'POST',
    'uri' => normalize_uri(git_uri, 'git-upload-pack'),
    'ctype'  =>  'application/x-git-upload-pack-request',
    'headers' => { 'Accept' =>  'application/x-git-upload-pack-result' },
    'data' => build_pkt_line_want(git_objs)
  }

  send_request_cgi(request_params)
end

#server_capabilities(refs) ⇒ Object

# File 'lib/msf/core/exploit/git/smart_http.rb', line 33

def server_capabilities(refs)
  caps = "multi_ack thin-pack side-band side-band-64k ofs-delta shallow deepen-since "
  caps << "deepen-not deepen-relative no-progress include-tag multi_ack_detailed allow-tip-sha1-in-want "
  caps << "allow-reachable-sha1-in-want no-done symref=HEAD:#{refs['HEAD']} filter object-format=sha1 "
  caps << "agent=#{@git_agent}"
end