A submodule to demonstrate CVE-2024-32002. Demonstrates Remote Code Execution (RCE) by loading a malicious commit hook into the .git
directory of the parent repo.
See cve-2024-32002-poc-rce for the working POC that utilises this repo.
- A malicious git hook called post-checkout, which runs immediately after the clone completes. This git hook simply pops calc in Windows or MacOS.
- The git hook is located under notexists/hooks for good reason:
  - notexists is needed to make sure the repo clones into an empty directory.
  - hooks is the directory in which git looks for git hooks to execute.
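
A defender-side check for the layout described above, as an added example that is not part of this repo: it flags tracked paths where a git hook name sits directly inside a hooks directory, which is how notexists/hooks/post-checkout is shipped here. The function names, the hook-name list (common client-side hooks, not exhaustive) and the sample listing are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: flag repository paths that ship an executable-hook name
# inside a "hooks" directory component (e.g. notexists/hooks/post-checkout).
# Feed it one path per line, for instance from:
#   git ls-tree -r --name-only HEAD

# Common client-side hook names (assumed list, not exhaustive).
HOOK_NAMES='applypatch-msg|pre-applypatch|post-applypatch|pre-commit|pre-merge-commit|prepare-commit-msg|commit-msg|post-commit|pre-rebase|post-checkout|post-merge|pre-push|post-rewrite'

find_tracked_hooks() {
    # -i: default Windows and macOS filesystems are case-insensitive, so
    #     "HOOKS/Post-Checkout" resolves to the same location there.
    # The trailing $ keeps harmless "*.sample" templates out of the result.
    grep -iE "(^|/)hooks/(${HOOK_NAMES})\$" || true
}

# Constructed sample listing; only the second and last entries should be flagged.
sample_listing() {
    cat <<'EOF'
README.md
notexists/hooks/post-checkout
docs/hooks/README.md
templates/hooks/pre-commit.sample
src/hooks/useAuth.js
vendor/HOOKS/pre-push
EOF
}

scan_sample() {
    sample_listing | find_tracked_hooks
}

scan_sample
```

Run it against every submodule listed in .gitmodules before a recursive clone; any hit deserves manual review, since legitimate projects rarely track files under a directory named hooks with these exact names.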