Module: Msf::Exploit::Git::SmartHttp
- Includes:
- PktLine, Remote::HttpClient
- Defined in:
- lib/msf/core/exploit/git/smart_http.rb,
lib/msf/core/exploit/git/smart_http/request.rb,
lib/msf/core/exploit/git/smart_http/response.rb
Defined Under Namespace
Constant Summary
Constants included from PktLine
PktLine::DELIM_PKT, PktLine::FLUSH_PKT, PktLine::RESPONSE_END_PKT
Instance Attribute Summary
Attributes included from Remote::HttpClient
Instance Method Summary collapse
- #agent ⇒ Object
- #client_capabilities ⇒ Object
-
#get_ref_discovery_response(request, refs) ⇒ Msf::Exploit::Git::SmartHttp::Response
This will generate a response to a ref discovery request.
-
#get_upload_pack_response(request, git_obj_list) ⇒ Msf::Exploit::Git::SmartHttp::Response
This will generate a response to an upload pack request.
- #git_pass ⇒ Object
- #git_user ⇒ Object
- #initialize(info = {}) ⇒ Object
-
#send_receive_pack_request(git_uri, ref, objects, branch_tip = '') ⇒ Object
Sends request containing Git objects to push to remote repository.
-
#send_ref_discovery_request(git_uri) ⇒ Response
Sends the initial Git request for a Git push.
-
#send_upload_pack_request(git_uri) ⇒ Response
Sends the initial Git request for a Git clone.
-
#send_want_request(git_uri, git_objs) ⇒ Response
Sends a request containing objects client wants to the server.
- #server_capabilities(refs) ⇒ Object
Methods included from Remote::HttpClient
#basic_auth, #cleanup, #configure_http_login_scanner, #connect, #connect_ws, #deregister_http_client_options, #disconnect, #download, #full_uri, #handler, #http_fingerprint, #lookup_http_fingerprints, #normalize_uri, #path_from_uri, #peer, #proxies, #reconfig_redirect_opts!, #request_opts_from_url, #request_url, #rhost, #rport, #send_request_cgi, #send_request_cgi!, #send_request_raw, #service_details, #setup, #ssl, #ssl_version, #strip_tags, #target_uri, #validate_fingerprint, #vhost
Methods included from Auxiliary::Report
#active_db?, #create_cracked_credential, #create_credential, #create_credential_and_login, #create_credential_login, #db, #db_warning_given?, #get_client, #get_host, #inside_workspace_boundary?, #invalidate_login, #mytask, #myworkspace, #myworkspace_id, #report_auth_info, #report_client, #report_exploit, #report_host, #report_loot, #report_note, #report_service, #report_vuln, #report_web_form, #report_web_page, #report_web_site, #report_web_vuln, #store_cred, #store_local, #store_loot
Methods included from Metasploit::Framework::Require
optionally, optionally_active_record_railtie, optionally_include_metasploit_credential_creation, #optionally_include_metasploit_credential_creation, optionally_require_metasploit_db_gem_engines
Methods included from PktLine
generate_data_pkt, generate_pkt_line, get_pkt_line_data, get_pkt_lines, has_pkt_line_data?, request_ends
Instance Method Details
#agent ⇒ Object
44 45 46 47 48 49 |
# File 'lib/msf/core/exploit/git/smart_http.rb', line 44 def agent major = '2' minor = Rex::Text.rand_text_numeric(1..2) "git/#{major}.#{minor}.#{Rex::Text.rand_text_numeric(1)}" end |
#client_capabilities ⇒ Object
40 41 42 |
# File 'lib/msf/core/exploit/git/smart_http.rb', line 40 def client_capabilities "report-status side-band-64k agent=#{@git_agent}" end |
#get_ref_discovery_response(request, refs) ⇒ Msf::Exploit::Git::SmartHttp::Response
This will generate a response to a ref discovery request
152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 |
# File 'lib/msf/core/exploit/git/smart_http.rb', line 152 def get_ref_discovery_response(request, refs) return nil unless request opts = {} unless request.type == 'ref-discovery' opts[:code] = 403 opts[:message] = 'Forbidden' vprint_error('Invalid request type.') return Msf::Exploit::Git::SmartHttp::Response.new(opts) end resp_body = build_pkt_line_advertise(refs) return nil unless resp_body opts[:type] = 'ref-discovery' response = Msf::Exploit::Git::SmartHttp::Response.new(opts) response.body = resp_body response end |
#get_upload_pack_response(request, git_obj_list) ⇒ Msf::Exploit::Git::SmartHttp::Response
This will generate a response to an upload pack request
182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 |
# File 'lib/msf/core/exploit/git/smart_http.rb', line 182 def get_upload_pack_response(request, git_obj_list) request.populate_wants_haves want_list = request.wants return nil if want_list.empty? || git_obj_list.empty? opts = {} packfile_objs = [] opts[:type] = 'upload-pack' want_list.each do |sha1| git_obj_list.each { |git_obj| packfile_objs << git_obj if git_obj.sha1 == sha1 } end opts[:wants] = packfile_objs packfile = Packfile.new(nil, git_obj_list) response = Msf::Exploit::Git::SmartHttp::Response.new(opts) response.body = build_pkt_line_sideband(packfile) response end |
#git_pass ⇒ Object
29 30 31 |
# File 'lib/msf/core/exploit/git/smart_http.rb', line 29 def git_pass datastore['GitPassword'] end |
#git_user ⇒ Object
25 26 27 |
# File 'lib/msf/core/exploit/git/smart_http.rb', line 25 def git_user datastore['GitUsername'] end |
#initialize(info = {}) ⇒ Object
10 11 12 13 14 15 16 17 18 19 20 21 22 23 |
# File 'lib/msf/core/exploit/git/smart_http.rb', line 10 def initialize(info = {}) super ([ Msf::OptString.new('GIT_URI', [ true, 'Git repository path', '' ]) ]) ([ Msf::OptString.new('GitUsername', [ false, 'The Git user name for authentication', '' ]), Msf::OptString.new('GitPassword', [ false, 'The Git password for authentication', '' ]) ]) @git_agent = agent end |
#send_receive_pack_request(git_uri, ref, objects, branch_tip = '') ⇒ Object
Sends request containing Git objects to push to remote repository
return [Response]
124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 |
# File 'lib/msf/core/exploit/git/smart_http.rb', line 124 def send_receive_pack_request(git_uri, ref, objects, branch_tip = '') packfile = Packfile.new(nil, objects) pkt_line = build_pkt_line_receive_pack(ref, objects, branch_tip) data = pkt_line + packfile.data request_params = { 'method' => 'POST', 'uri' => normalize_uri(git_uri, 'git-receive-pack'), 'authorization' => basic_auth(git_user, git_pass), 'agent' => @git_agent, 'ctype' => 'application/x-git-receive-pack-request', 'headers' => { 'Accept' => 'application/x-git-receive-pack-result' }, 'data' => data } send_request_cgi(request_params) end |
#send_ref_discovery_request(git_uri) ⇒ Response
Sends the initial Git request for a Git push
92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 |
# File 'lib/msf/core/exploit/git/smart_http.rb', line 92 def send_ref_discovery_request(git_uri) puts 'sending ref discovery request' request_params = { 'method' => 'GET', 'uri' => normalize_uri(git_uri, 'info/refs'), 'agent' => @git_agent, 'vars_get' => { 'service' => 'git-receive-pack' } } response = send_request_cgi(request_params) return nil unless response return response unless response.code == 401 if git_user.empty? || git_pass.empty? raise ArgumentError, 'Credentials are needed to authenticate to Git server' end request_params.merge!('authorization' => basic_auth(git_user, git_pass)) send_request_cgi(request_params) end |
#send_upload_pack_request(git_uri) ⇒ Response
Sends the initial Git request for a Git clone
57 58 59 60 61 62 63 64 65 66 |
# File 'lib/msf/core/exploit/git/smart_http.rb', line 57 def send_upload_pack_request(git_uri) request_params = { 'method' => 'GET', 'uri' => normalize_uri(git_uri, 'info/refs'), 'vars_get' => { 'service' => 'git-upload-pack' } } send_request_cgi(request_params) end |
#send_want_request(git_uri, git_objs) ⇒ Response
Sends a request containing objects client wants to the server
74 75 76 77 78 79 80 81 82 83 84 85 |
# File 'lib/msf/core/exploit/git/smart_http.rb', line 74 def send_want_request(git_uri, git_objs) request_params = { 'method' => 'POST', 'uri' => normalize_uri(git_uri, 'git-upload-pack'), 'ctype' => 'application/x-git-upload-pack-request', 'headers' => { 'Accept' => 'application/x-git-upload-pack-result' }, 'data' => build_pkt_line_want(git_objs) } send_request_cgi(request_params) end |
#server_capabilities(refs) ⇒ Object
33 34 35 36 37 38 |
# File 'lib/msf/core/exploit/git/smart_http.rb', line 33 def server_capabilities(refs) caps = "multi_ack thin-pack side-band side-band-64k ofs-delta shallow deepen-since " caps << "deepen-not deepen-relative no-progress include-tag multi_ack_detailed allow-tip-sha1-in-want " caps << "allow-reachable-sha1-in-want no-done symref=HEAD:#{refs['HEAD']} filter object-format=sha1 " caps << "agent=#{@git_agent}" end |