This repository contains a Proof of Concept (PoC) for CVE-2024-32002, a Remote Code Execution (RCE) vulnerability in Git submodules. The exploit demonstrates how a malicious payload can be triggered via a recursive clone of a Git repository.
Before running the PoC, create the following repositories on your remote Git server or feel free to change the names as needed:
hulk.gitsubmod.gitsmash.git
Update the repository paths in the PoC script accordingly if you change the names.
The exploit leverages Git submodules to execute a payload on the target system when the repository is cloned recursively. This PoC is tested on macOS.
HULK_REPO="git@github.com:safebuffer/hulk.git"
pullme_REPO="git@github.com:safebuffer/submod.git"
# Final Exploit Repo
SMASH_REPO="git@github.com:safebuffer/smash.git"To trigger the exploit, run the poc.sh script and then execute the following command:
git clone --recursive $SMASH_REPOThe default payload in this PoC opens the Calculator application on macOS. You can change this to any payload of your choice.
/System/Applications/Calculator.app/Contents/MacOS/CalculatorThis PoC is for educational purposes only. Use it responsibly and only on systems where you have explicit permission to test. Misuse of this PoC can result in severe consequences.