From 810470de3bcb9d7719994e4b8de24d30e3c7721a Mon Sep 17 00:00:00 2001
From: Jeff Jarmoc
Date: Sun, 3 Feb 2013 16:05:45 -0600
Subject: [PATCH 1/5] Make HTTP_METHOD Configurable

---
 modules/auxiliary/scanner/http/rails_xml_yaml_scanner.rb | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/modules/auxiliary/scanner/http/rails_xml_yaml_scanner.rb b/modules/auxiliary/scanner/http/rails_xml_yaml_scanner.rb
index 900b8f3313..c9907e5adb 100644
--- a/modules/auxiliary/scanner/http/rails_xml_yaml_scanner.rb
+++ b/modules/auxiliary/scanner/http/rails_xml_yaml_scanner.rb
@@ -29,7 +29,8 @@ class Metasploit3 < Msf::Auxiliary
 ))

 register_options([
- OptString.new('URIPATH', [true, "The URI to test", "/"])
+ OptString.new('URIPATH', [true, "The URI to test", "/"]),
+ OptString.new('HTTP_METHOD', [ true, 'The HTTP request method (GET, POST, PUT typically work)', "POST"])
 ], self.class)
 end

@@ -37,7 +38,7 @@ class Metasploit3 < Msf::Auxiliary
 odata = %Q^\n^
 res = send_request_cgi({
 'uri' => datastore['URIPATH'] || "/",
- 'method' => 'POST',
+ 'method' => datastore['HTTP_METHOD'],
 'ctype' => 'application/xml',
 'data' => odata
 }, 25)

From 8dff42777695ba10e9012960b1f3aa8045134bfe Mon Sep 17 00:00:00 2001
From: Jeff Jarmoc
Date: Sun, 3 Feb 2013 16:07:07 -0600
Subject: [PATCH 2/5] Allow 4xx codes, display codes in verbose output

---
 modules/auxiliary/scanner/http/rails_xml_yaml_scanner.rb | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/modules/auxiliary/scanner/http/rails_xml_yaml_scanner.rb b/modules/auxiliary/scanner/http/rails_xml_yaml_scanner.rb
index c9907e5adb..64d25eb520 100644
--- a/modules/auxiliary/scanner/http/rails_xml_yaml_scanner.rb
+++ b/modules/auxiliary/scanner/http/rails_xml_yaml_scanner.rb
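Review bot: In the second hunk the new `'method' => datastore['HTTP_METHOD']` entry sits next to `'uri' => datastore['URIPATH'] || "/"`, whose `|| "/"` fallback is redundant now that the first hunk declares URIPATH as required with a default of `"/"`; either drop the fallback or treat both options the same way so the two lines do not suggest different contracts. The `25` passed as the second argument to `send_request_cgi` is an unexplained magic number; a named constant such as `PROBE_TIMEOUT = 25` at class level, or at least a `# seconds to wait for each probe reply` comment on that line, would make the intent visible. The enclosing method begins before this hunk and its end is not shown.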
@@ -65,11 +65,13 @@ class Metasploit3 < Msf::Auxiliary
 return
 end

- if res1.code.to_s =~ /^[45]/
+ vprint_status("Probe response codes: #{res1.code} / #{res2.code} / #{res3.code}")
+
+ if res1.code.to_s =~ /^[5]/
 vprint_status("#{rhost}:#{rport} The server replied with #{res1.code} for our initial XML request, double check URIPATH")
 end

- if res2.code.to_s =~ /^[23]/ and res3.code != res2.code and res3.code != 200
+ if (res2.code == res1.code) and (res3.code != res2.code) and (res3.code != 200)
 print_good("#{rhost}:#{rport} is likely vulnerable due to a #{res3.code} reply for invalid YAML")
 report_vuln({
 :host => rhost,

From 57c8e41846615393e0c521645e0ad51e61a49a8b Mon Sep 17 00:00:00 2001
From: Jeff Jarmoc
Date: Sun, 3 Feb 2013 16:10:46 -0600
Subject: [PATCH 3/5] Re-order probes and checks. This causes module to exit if error conditions are found, before sending unecessary probes.

---
 .../scanner/http/rails_xml_yaml_scanner.rb | 16 ++++++++++------
 1 file changed, 10 insertions(+), 6 deletions(-)

diff --git a/modules/auxiliary/scanner/http/rails_xml_yaml_scanner.rb b/modules/auxiliary/scanner/http/rails_xml_yaml_scanner.rb
index 64d25eb520..e55f6f571d 100644
--- a/modules/auxiliary/scanner/http/rails_xml_yaml_scanner.rb
+++ b/modules/auxiliary/scanner/http/rails_xml_yaml_scanner.rb
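Review bot: The rewritten heuristic `if (res2.code == res1.code) and (res3.code != res2.code) and (res3.code != 200)` is undocumented and uses `and` where `&&` is the conventional boolean operator; the parentheses make it work here, but the reasoning behind the three comparisons is only recoverable from the print_good text. A comment above it such as `# A well-formed YAML probe should be answered like the plain-string probe; a malformed one that draws a different, non-200 reply suggests the body is really being YAML-parsed` would let a maintainer check the logic without re-deriving it. `res1.code.to_s =~ /^[5]/` is a one-character class around a value that is compared to the integer `200` a few lines later, so `res1.code.between?(500, 599)` expresses the same test without a regex. The added `vprint_status("Probe response codes: ...")` is the only message in this block without the `#{rhost}:#{rport}` prefix the other status lines carry, which makes it hard to attribute when several hosts are scanned. The enclosing run_host method starts and ends outside this hunk.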
@@ -47,19 +47,26 @@ class Metasploit3 < Msf::Auxiliary

 def run_host(ip)
 res1 = send_probe("string", "hello")
- res2 = send_probe("yaml", "--- !ruby/object:Time {}\n")
- res3 = send_probe("yaml", "--- !ruby/object:\x00")

 unless res1
 vprint_status("#{rhost}:#{rport} No reply to the initial XML request")
 return
 end

+ if res1.code.to_s =~ /^[5]/
+ vprint_status("#{rhost}:#{rport} The server replied with #{res1.code} for our initial XML request, double check URIPATH")
+ return
+ end
+
+ res2 = send_probe("yaml", "--- !ruby/object:Time {}\n")
+
 unless res2
 vprint_status("#{rhost}:#{rport} No reply to the initial YAML probe")
 return
 end

+ res3 = send_probe("yaml", "--- !ruby/object:\x00")
+
 unless res3
 vprint_status("#{rhost}:#{rport} No reply to the second YAML probe")
 return
@@ -67,9 +74,6 @@ class Metasploit3 < Msf::Auxiliary

 vprint_status("Probe response codes: #{res1.code} / #{res2.code} / #{res3.code}")

- if res1.code.to_s =~ /^[5]/
- vprint_status("#{rhost}:#{rport} The server replied with #{res1.code} for our initial XML request, double check URIPATH")
- end

 if (res2.code == res1.code) and (res3.code != res2.code) and (res3.code != 200)
 print_good("#{rhost}:#{rport} is likely vulnerable due to a #{res3.code} reply for invalid YAML")
@@ -82,7 +86,7 @@ class Metasploit3 < Msf::Auxiliary
 :refs => self.references
 })
 else
- vprint_status("#{rhost}:#{rport} is not likely to be vulnerable or URIPATH must be set")
+ vprint_status("#{rhost}:#{rport} is not likely to be vulnerable or URIPATH & HTTP_METHOD must be set")
 end
 end

From 5e0c18af2fcd5fddbabdd42305bef0dda51e48a4 Mon Sep 17 00:00:00 2001
From: Jeff Jarmoc
Date: Sun, 3 Feb 2013 16:14:42 -0600
Subject: [PATCH 4/5] adding self to credits

---
 modules/auxiliary/scanner/http/rails_xml_yaml_scanner.rb | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/modules/auxiliary/scanner/http/rails_xml_yaml_scanner.rb b/modules/auxiliary/scanner/http/rails_xml_yaml_scanner.rb
index e55f6f571d..7df91ce063 100644
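Review bot: The 5xx guard moved up after `unless res1` still spells the test as `res1.code.to_s =~ /^[5]/`; since `code` is compared against the integer `200` later in this method, `if res1.code.between?(500, 599)` says the same thing without a regex on a stringified number. The three `unless resN ... return end` blocks now differ only in their message, so a small private helper that sends the probe, prints the "No reply" status and returns nil would remove the repetition, though that is optional. Nothing in the code records why the probes were reordered; a comment such as `# Each probe is sent only if the previous one got a usable reply, so a dead or misrouted target costs one request instead of three` at the top of the sequence would preserve what the commit message explains. The second hunk is a pure removal of the check that moved here, and run_host continues past the end of the first hunk.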
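Review bot: The reworded status line in the third hunk says URIPATH & HTTP_METHOD "must be set", but both options are declared required with defaults (`"/"` and `"POST"` in the first patch of this series), so they are always set and the advice is really to adjust them; `"#{rhost}:#{rport} is not likely to be vulnerable, or URIPATH / HTTP_METHOD may need adjusting"` states that directly. The enclosing run_host method begins outside this hunk.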
--- a/modules/auxiliary/scanner/http/rails_xml_yaml_scanner.rb
+++ b/modules/auxiliary/scanner/http/rails_xml_yaml_scanner.rb
@@ -19,7 +19,10 @@ class Metasploit3 < Msf::Auxiliary
 This module attempts to identify Ruby on Rails instances vulnerable to an arbitrary object instantiation flaw in the XML request processor.
 },
- 'Author' => 'hdm',
+ 'Author' => [
+ 'hdm', #author
+ 'jjarmoc' #improvements
+ ],
 'License' => MSF_LICENSE,
 'References' => [

From 39cafd0cdeaf949b85f4d2a6a6881ff61238ca09 Mon Sep 17 00:00:00 2001
From: Jeff Jarmoc
Date: Mon, 4 Feb 2013 15:08:34 -0600
Subject: [PATCH 5/5] Use OptEnum instead of OptString

---
 modules/auxiliary/scanner/http/rails_xml_yaml_scanner.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/auxiliary/scanner/http/rails_xml_yaml_scanner.rb b/modules/auxiliary/scanner/http/rails_xml_yaml_scanner.rb
index 7df91ce063..8eb9e1ce59 100644
--- a/modules/auxiliary/scanner/http/rails_xml_yaml_scanner.rb
+++ b/modules/auxiliary/scanner/http/rails_xml_yaml_scanner.rb
@@ -33,7 +33,7 @@ class Metasploit3 < Msf::Auxiliary

 register_options([
 OptString.new('URIPATH', [true, "The URI to test", "/"]),
- OptString.new('HTTP_METHOD', [ true, 'The HTTP request method (GET, POST, PUT typically work)', "POST"])
+ OptEnum.new('HTTP_METHOD', [true, 'HTTP Method', 'POST', ['GET', 'POST', 'PUT'] ]),
 ], self.class)
 end

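Review bot: The `OptEnum` line in the last hunk shrinks the option description to `'HTTP Method'`, losing the earlier hint about which verbs the module expects, and the literal mixes spacing styles (`[true,` versus `['GET', 'POST', 'PUT'] ]`) while adding a stray trailing comma after the last element before `], self.class)`. `OptEnum.new('HTTP_METHOD', [true, 'HTTP request method used for every probe', 'POST', ['GET', 'POST', 'PUT']])` keeps the enumeration constraint, which is the right fix for a value that is sent verbatim in the request, and stays informative. The credits hunk above it only touches module metadata and needs no change.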