Metasploit Web UI Static secret_key_base Value

This module exploits the Web UI for Metasploit Community, Express and Pro where one of a certain set of Weekly Releases has been applied. These Weekly Releases introduced a static secret_key_base value. Knowledge of the static secret_key_base value allows for deserialization of a crafted Ruby Object, achieving code execution. This module is based on exploits/multi/http/rails_secret_deserialization.

Module Name

exploit/multi/http/metasploit_static_secret_key_base

Authors

  • Justin Steven
  • joernchen of Phenoelit <joernchen [at] phenoelit.de>

References

Targets

  • Automatic

Platforms

  • ruby

Architectures

  • ruby

Reliability

Development

Module Options

To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':

msf > use exploit/multi/http/metasploit_static_secret_key_base
msf exploit(metasploit_static_secret_key_base) > show targets
    ...targets...
msf exploit(metasploit_static_secret_key_base) > set TARGET <target-id>
msf exploit(metasploit_static_secret_key_base) > show options
    ...show and set options...
msf exploit(metasploit_static_secret_key_base) > exploit