GitBackdorizer is a proof of concept, fully inspired in Ulisses Castro's 50 ton of backdoors talk, that abuses the lack of user attention to steal git access credentials.
How it Works
GitBackdorizer consists of three pieces: handler, dropper and the payload.
Handler
The handler sets up a HTTP server to capture the credentials and offers a menu to configure the dropper's payload. The dropper delivery is responsability of the attacker.
Dropper
The dropper is designed to have the highest possible compatibility, avoiding any non-sh specific feature. It works by:
- Identify if the backdorized git hook is the pre-push hook or any other
- Drop the backdoorpayload to the specific hook
- Give execution permission
Payload
Payloads are also designed to have the highest possible compatibility avoiding non-sh features.There are currently two types of payload, the generic and the pre-push specific.
The generic payload tries to identify the remote type (HTTPS/SSH) by:
- Checking the current branch:
git branch --contains HEAD
- Collecting the remote name of the branch (through git config)
- Collecting the remote url of the remote name (through git config) Then it will check if url is https or ssh.
Demo
How to use gitbackdorizer to exploit user confidence and steal their credentials:
Greetz
- Ulisses Castro - 50 ton of backdoors (https://www.slideshare.net/ulissescastro/50-ton-of-backdoors)
- Giovani Silva - Wrote Infection Shell Script