metasploit-framework/modules/auxiliary/scanner/http/rails_xml_yaml_scanner.rb

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Auxiliary

	include Msf::Exploit::Remote::HttpClient
	include Msf::Auxiliary::Scanner

	def initialize(info={})
		super(update_info(info,
			'Name'        => 'Ruby on Rails XML Processor YAML Deserialization Scanner',
			'Description' => %q{
				This module attempts to identify Ruby on Rails instances vulnerable to
				an arbitrary object instantiation flaw in the XML request processor.
			},
			'Author'      => [
					  'hdm', #author
					  'jjarmoc' #improvements
					  ],
			'License'     => MSF_LICENSE,
			'References'  =>
				[
					['CVE', '2013-0156'],
					['URL', 'https://community.rapid7.com/community/metasploit/blog/2013/01/09/serialization-mischief-in-ruby-land-cve-2013-0156']
				]
		))

		register_options([
			OptString.new('URIPATH', [true, "The URI to test", "/"]),
			OptEnum.new('HTTP_METHOD', [true, 'HTTP Method', 'POST', ['GET', 'POST', 'PUT'] ]),
		], self.class)
	end

	def send_probe(ptype, pdata)
		odata = %Q^<?xml version="1.0" encoding="UTF-8"?>\n<probe type="#{ptype}"><![CDATA[\n#{pdata}\n]]></probe>^
		res = send_request_cgi({
			'uri'    => datastore['URIPATH'] || "/",
			'method' => datastore['HTTP_METHOD'],
			'ctype'  => 'application/xml',
			'data'   => odata
		}, 25)
	end

	def run_host(ip)

		res1 = send_probe("string", "hello")

		unless res1
			vprint_status("#{rhost}:#{rport} No reply to the initial XML request")
			return
		end

		if res1.code.to_s =~ /^[5]/
			vprint_status("#{rhost}:#{rport} The server replied with #{res1.code} for our initial XML request, double check URIPATH")
			return
		end

		res2 = send_probe("yaml", "--- !ruby/object:Time {}\n")

		unless res2
			vprint_status("#{rhost}:#{rport} No reply to the initial YAML probe")
			return
		end

		res3 = send_probe("yaml", "--- !ruby/object:\x00")

		unless res3
			vprint_status("#{rhost}:#{rport} No reply to the second YAML probe")
			return
		end

		vprint_status("Probe response codes: #{res1.code} / #{res2.code} / #{res3.code}")


		if (res2.code == res1.code) and (res3.code != res2.code) and (res3.code != 200)
			print_good("#{rhost}:#{rport} is likely vulnerable due to a #{res3.code} reply for invalid YAML")
			report_vuln({
				:host	=> rhost,
				:port	=> rport,
				:proto  => 'tcp',
				:name	=> self.name,
				:info	=> "Module triggered a #{res3.code} reply",
				:refs   => self.references
			})
		else
			vprint_status("#{rhost}:#{rport} is not likely to be vulnerable or URIPATH & HTTP_METHOD must be set")
		end
	end

end
Add a scanner module for CVE-2013-0156 2013-01-09 18:50:38 +00:00			`##`
			`# This file is part of the Metasploit Framework and may be subject to`
			`# redistribution and commercial restrictions. Please see the Metasploit`
			`# Framework web site for more information on licensing and terms of use.`
			`# http://metasploit.com/framework/`
			`##`

			`require 'msf/core'`

			`class Metasploit3 < Msf::Auxiliary`

			`include Msf::Exploit::Remote::HttpClient`
			`include Msf::Auxiliary::Scanner`

			`def initialize(info={})`
			`super(update_info(info,`
			`'Name' => 'Ruby on Rails XML Processor YAML Deserialization Scanner',`
			`'Description' => %q{`
			`This module attempts to identify Ruby on Rails instances vulnerable to`
			`an arbitrary object instantiation flaw in the XML request processor.`
			`},`
adding self to credits 2013-02-03 22:14:42 +00:00			`'Author' => [`
			`'hdm', #author`
			`'jjarmoc' #improvements`
			`],`
Add a scanner module for CVE-2013-0156 2013-01-09 18:50:38 +00:00			`'License' => MSF_LICENSE,`
			`'References' =>`
			`[`
			`['CVE', '2013-0156'],`
			`['URL', 'https://community.rapid7.com/community/metasploit/blog/2013/01/09/serialization-mischief-in-ruby-land-cve-2013-0156']`
			`]`
			`))`

Fix up a typo 2013-01-09 19:05:27 +00:00			`register_options([`
Make HTTP_METHOD Configurable 2013-02-03 22:05:45 +00:00			`OptString.new('URIPATH', [true, "The URI to test", "/"]),`
Use OptEnum instead of OptString 2013-02-04 21:08:34 +00:00			`OptEnum.new('HTTP_METHOD', [true, 'HTTP Method', 'POST', ['GET', 'POST', 'PUT'] ]),`
Add a scanner module for CVE-2013-0156 2013-01-09 18:50:38 +00:00			`], self.class)`
			`end`

			`def send_probe(ptype, pdata)`
			`odata = %Q^<?xml version="1.0" encoding="UTF-8"?>\n<probe type="#{ptype}"><![CDATA[\n#{pdata}\n]]></probe>^`
this rescue is done in the mixin 2013-01-09 20:28:06 +00:00			`res = send_request_cgi({`
			`'uri' => datastore['URIPATH'] \|\| "/",`
Make HTTP_METHOD Configurable 2013-02-03 22:05:45 +00:00			`'method' => datastore['HTTP_METHOD'],`
this rescue is done in the mixin 2013-01-09 20:28:06 +00:00			`'ctype' => 'application/xml',`
			`'data' => odata`
			`}, 25)`
Add a scanner module for CVE-2013-0156 2013-01-09 18:50:38 +00:00			`end`

			`def run_host(ip)`

			`res1 = send_probe("string", "hello")`

			`unless res1`
			`vprint_status("#{rhost}:#{rport} No reply to the initial XML request")`
			`return`
			`end`

Re-order probes and checks. This causes module to exit if error conditions are found, before sending unecessary probes. 2013-02-03 22:10:46 +00:00			`if res1.code.to_s =~ /^[5]/`
			`vprint_status("#{rhost}:#{rport} The server replied with #{res1.code} for our initial XML request, double check URIPATH")`
			`return`
			`end`

			`res2 = send_probe("yaml", "--- !ruby/object:Time {}\n")`

Add a scanner module for CVE-2013-0156 2013-01-09 18:50:38 +00:00			`unless res2`
			`vprint_status("#{rhost}:#{rport} No reply to the initial YAML probe")`
			`return`
			`end`

Re-order probes and checks. This causes module to exit if error conditions are found, before sending unecessary probes. 2013-02-03 22:10:46 +00:00			`res3 = send_probe("yaml", "--- !ruby/object:\x00")`

Add a scanner module for CVE-2013-0156 2013-01-09 18:50:38 +00:00			`unless res3`
			`vprint_status("#{rhost}:#{rport} No reply to the second YAML probe")`
			`return`
			`end`

Allow 4xx codes, display codes in verbose output 2013-02-03 22:07:07 +00:00			`vprint_status("Probe response codes: #{res1.code} / #{res2.code} / #{res3.code}")`

Add a scanner module for CVE-2013-0156 2013-01-09 18:50:38 +00:00
Allow 4xx codes, display codes in verbose output 2013-02-03 22:07:07 +00:00			`if (res2.code == res1.code) and (res3.code != res2.code) and (res3.code != 200)`
Add a scanner module for CVE-2013-0156 2013-01-09 18:50:38 +00:00			`print_good("#{rhost}:#{rport} is likely vulnerable due to a #{res3.code} reply for invalid YAML")`
			`report_vuln({`
			`:host => rhost,`
			`:port => rport,`
			`:proto => 'tcp',`
			`:name => self.name,`
			`:info => "Module triggered a #{res3.code} reply",`
			`:refs => self.references`
			`})`
			`else`
Re-order probes and checks. This causes module to exit if error conditions are found, before sending unecessary probes. 2013-02-03 22:10:46 +00:00			`vprint_status("#{rhost}:#{rport} is not likely to be vulnerable or URIPATH & HTTP_METHOD must be set")`
Add a scanner module for CVE-2013-0156 2013-01-09 18:50:38 +00:00			`end`
			`end`

			`end`