Vulnerability & Exploit Database

Back to search

Ruby on Rails Dynamic Render File Upload Remote Code Execution

This module exploits a remote code execution vulnerability in the explicit render method when leveraging user parameters. This module has been tested across multiple versions of Ruby on Rails. The technique used by this module requires the specified endpoint to be using dynamic render paths, such as the following example: def show render params[:id] end Also, the vulnerable target will need a POST endpoint for the TempFile upload, this can literally be any endpoint. This module doesnt use the log inclusion method of exploitation due to it not being universal enough. Instead, a new code injection technique was found and used whereby an attacker can upload temporary image files against any POST endpoint and use them for the inclusion attack. Finally, you only get one shot at this if you are testing with the builtin rails server, use caution.

Free Metasploit Download

Get your copy of the world's leading penetration testing tool

 Download Now

Module Name

exploit/multi/http/rails_dynamic_render_code_exec

Authors

  • mr_me <mr_me [at] offensive-security.com>
  • John Poulin (forced-request)

References

Targets

  • Ruby on Rails 4.0.8 July 2, 2014

Platforms

  • linux
  • bsd

Architectures

  • x86

Reliability

Development

Module Options

To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':

msf > use exploit/multi/http/rails_dynamic_render_code_exec msf exploit(rails_dynamic_render_code_exec) > show targets ...targets... msf exploit(rails_dynamic_render_code_exec) > set TARGET <target-id> msf exploit(rails_dynamic_render_code_exec) > show options ...show and set options... msf exploit(rails_dynamic_render_code_exec) > exploit

Related Vulnerabilities