Ruby on Rails Dynamic Render File Upload Remote Code Execution
This module exploits a remote code execution vulnerability in the explicit render method when leveraging user parameters. This module has been tested across multiple versions of Ruby on Rails. The technique used by this module requires the specified endpoint to be using dynamic render paths, such as the following example: def show render params[:id] end Also, the vulnerable target will need a POST endpoint for the TempFile upload, this can literally be any endpoint. This module doesnt use the log inclusion method of exploitation due to it not being universal enough. Instead, a new code injection technique was found and used whereby an attacker can upload temporary image files against any POST endpoint and use them for the inclusion attack. Finally, you only get one shot at this if you are testing with the builtin rails server, use caution.
- mr_me <mr_me [at] offensive-security.com>
- John Poulin (forced-request)
- Ruby on Rails 4.0.8 July 2, 2014
To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':
msf > use exploit/multi/http/rails_dynamic_render_code_exec msf exploit(rails_dynamic_render_code_exec) > show targets ...targets... msf exploit(rails_dynamic_render_code_exec) > set TARGET <target-id> msf exploit(rails_dynamic_render_code_exec) > show options ...show and set options... msf exploit(rails_dynamic_render_code_exec) > exploit