This Metasploit module implements remote command execution on Ruby on Rails applications. It requires knowledge of the "secret_token" (Rails 2/3) or "secret_key_base" (Rails 4); these values can usually be found in the file "RAILS_ROOT/config/initializers/secret_token.rb". The module achieves RCE through deserialization of a crafted Ruby object.
11be9f012016644efb3d2156025a67454ab17fda375b0d1a9de05a368b0ca5e5
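
Because the secret is the module's only prerequisite, a literal value in the initializer named above gives that prerequisite to anyone who can read the source tree. The Ruby audit below is an added example, not part of the Metasploit module or of Rails; the helper names, the verdict labels and the sample initializer are constructed for illustration.

```ruby
# Added example (not Metasploit or Rails code): classify where the secret
# assigned in config/initializers/secret_token.rb comes from.

SECRET_ASSIGNMENT = /\bconfig\.(secret_token|secret_key_base)\s*=\s*(.+)$/
WHOLE_LITERAL     = /\A(['"])[^'"]+\1\s*(#.*)?\z/
STRING_LITERAL    = /(['"])[^'"]+\1/
# Matches ENV['KEY'] and the key argument of ENV.fetch('KEY' ...), so the
# variable name itself is not mistaken for a secret literal.
ENV_KEY_LOOKUP    = /\bENV\s*(?:\[|\.fetch\s*\(?)\s*(['"])[^'"]*\1\s*\]?/

Finding = Struct.new(:line_no, :setting, :verdict)

# Verdict names are hypothetical labels chosen for this example.
def classify_rhs(rhs)
  return :hardcoded if rhs =~ WHOLE_LITERAL      # secret lives in the repo
  return :other unless rhs =~ /\bENV\b/          # needs manual review
  rest = rhs.gsub(ENV_KEY_LOOKUP, '')
  # A literal left over after removing the ENV key is a fallback value that
  # silently becomes the secret when the variable is unset.
  rest =~ STRING_LITERAL ? :env_with_literal_fallback : :from_environment
end

def audit_secret_initializer(source)
  findings = []
  source.each_line.with_index(1) do |line, line_no|
    next if line =~ /\A\s*#/                     # skip commented-out lines
    match = SECRET_ASSIGNMENT.match(line)
    next unless match
    findings << Finding.new(line_no, match[1], classify_rhs(match[2].strip))
  end
  findings
end

# Constructed sample input; none of these values is a real secret.
SAMPLE_INITIALIZER = <<~'RUBY'
  # Demo::Application.config.secret_token = 'commented-out-old-value'
  Demo::Application.config.secret_token = 'constructed-sample-value-not-a-real-secret'
  Demo::Application.config.secret_key_base = ENV['SECRET_KEY_BASE'] || 'constructed-fallback'
  Demo::Application.config.secret_key_base = ENV.fetch('SECRET_KEY_BASE')
RUBY

if __FILE__ == $PROGRAM_NAME
  audit_secret_initializer(SAMPLE_INITIALIZER).each do |f|
    puts format('line %d: %s -> %s', f.line_no, f.setting, f.verdict)
  end
end
```

Any `:hardcoded` or `:env_with_literal_fallback` finding means the value should be rotated and moved out of version control.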