https://github.com/ExploitBox/git-lfs-RCE-exploit-CVE-2020-27955-Go

https://github.com/ExploitBox/git-lfs-RCE-exploit-CVE-2020-27955-Go

Last synced: 3 months ago
JSON representation

• Host: GitHub
• URL: https://github.com/ExploitBox/git-lfs-RCE-exploit-CVE-2020-27955-Go
• Owner: ExploitBox
• Created: 2020-11-04T16:43:04.000Z (almost 4 years ago)
• Default Branch: main
• Last Pushed: 2020-11-04T19:09:31.000Z (almost 4 years ago)
• Last Synced: 2024-05-02T18:08:46.249Z (6 months ago)
• Language: Go
• Size: 1.26 MB
• Stars: 14
• Watchers: 3
• Forks: 5
• Open Issues: 0
• Metadata Files:
  • Readme: README.md

Awesome Lists containing this project

• awesome-hacking-lists - ExploitBox/git-lfs-RCE-exploit-CVE-2020-27955-Go - (Go)

README

        
# Git-lfs Remote Code Execution (RCE) exploit CVE-2020-27955 (Go version)

## Vulnerable: git, GitHub CLI (gh), GitHub Desktop, Visual Studio Code, SourceTree, SmartGit, GitKraken etc.

Discovered by **Dawid Golunski**

* https://legalhackers.com

* https://exploitbox.io

Tested on Windows on: 

git, GitHub CLI (gh), GitHub Desktop, Visual Studio Code, SourceTree, SmartGit, GitKraken etc.

Basically, the whole Windows dev world ;)

Check out the full advisories for details and patch information:

* https://exploitbox.io/vuln/Git-Git-LFS-RCE-Exploit-CVE-2020-27955.html

* https://legalhackers.com/advisories/Git-LFS-RCE-Exploit-CVE-2020-27955.html

Video PoC:

* https://youtu.be/tlptOf9w274

There's also a BAT / Powershell version of this exploit in a repo with LFS enabled already:

* https://github.com/ExploitBox/git-lfs-RCE-exploit-CVE-2020-27955

```

                        .;lc'

                    .,cdkkOOOko;.

                 .,lxxkkkkOOOO000Ol'

             .':oxxxxxkkkkOOOO0000KK0x:'

          .;ldxxxxxxxxkxl,.'lk0000KKKXXXKd;.

       ':oxxxxxxxxxxo;.       .:oOKKKXXXNNNNOl.

      '';ldxxxxxdc,.              ,oOXXXNNNXd;,.

     .ddc;,,:c;.         ,c:         .cxxc:;:ox:

     .dxxxxo,     .,   ,kMMM0:.  .,     .lxxxxx:

     .dxxxxxc     lW. oMMMMMMMK  d0     .xxxxxx:

     .dxxxxxc     .0k.,KWMMMWNo :X:     .xxxxxx:

     .dxxxxxc      .xN0xxxxxxxkXK,      .xxxxxx:

     .dxxxxxc    lddOMMMMWd0MMMMKddd.   .xxxxxx:

     .dxxxxxc      .cNMMMN.oMMMMx'      .xxxxxx:

     .dxxxxxc     lKo;dNMN.oMM0;:Ok.    'xxxxxx:

     .dxxxxxc    ;Mc   .lx.:o,    Kl    'xxxxxx:

     .dxxxxxdl;. .,               .. .;cdxxxxxx:

     .dxxxxxxxxxdc,.              'cdkkxxxxxxxx:

      .':oxxxxxxxxxdl;.       .;lxkkkkkxxxxdc,.

          .;ldxxxxxxxxxdc, .cxkkkkkkkkkxd:.

             .':oxxxxxxxxx.ckkkkkkkkxl,.

                 .,cdxxxxx.ckkkkkxc.

                    .':odx.ckxl,.

                        .,.'.

```

https://exploitbox.io

https://twitter.com/Exploit_Box

Stay tuned