mccabe615

Status #rubygemsX
[Status: @rubygems_status and http://status.rubygems.org | RubyGems 1.8.24 | http://rubygems.org/ | Idle for answers if it's not Pacific Time daytime]
[14:29] == Nilla_ [429948b1@gateway/web/freenode/ip.66.153.72.177] has joined #rubygems
[14:29] <mephux> wlll: it's a huge concern but once we do some forensics we'll know 100%
[14:29] == withloudhands [[email protected]] has joined #rubygems
[14:29] <Defiler> evan: I was thinking about adding a type whitelist to the YAML deserialization in rubygems; does that conflict with any of today's ongoing work?
[14:30] <benchMark> evan: Did you guys delete the exploit gem?
[14:30] <benchMark> I was expecting to see that in my grep.
[14:30] == nhocki_ [12bd2d9d@gateway/web/freenode/ip.18.189.45.157] has joined #rubygems

mccabe615

#!/usr/bin/env ruby
#
# Proof-of-Concept RCE exploit against Gemcutter
#
# ## Advisory
#
# ## Caveats
#
# ## Synopsis
#

mccabe615

# Fork of MessageVerifier from Rails 3.2.3
# https://raw.github.com/rails/rails/f3e1b21ca91afbd97f33d1e51808dd320d82b4de/activesupport/lib/active_support/message_verifier.rb
# Author: Jeff Yip (jeffyip)
# This should work with Rails 3.0 - Rails 3.2

require 'active_support/base64'
require 'active_support/deprecation'
require 'active_support/core_ext/object/blank'

module ActiveSupport

mccabe615

window:
window["alert"]("ISR")
window["ale"+(!![]+[])[-~[]]+(!![]+[])[+[]]]()
window["ale"+"\x72\x74"]()
window["\x61\x6c\x65\x72\x74"]()
window['ale'+(!![]+[])[-~[]]+(!![]+[])[+[]]]()
window['ale'+'\x72\x74']()
window['\x61\x6c\x65\x72\x74']()
window[(+{}+[])[-~[]]+(![]+[])[-~-~[]]+([][+[]]+[])[-~-~-~[]]+(!![]+[])[-~[]]+(!![]+[])[+[]]]((-~[]+[]))
window[(+{}+[])[+!![]]+(![]+[])[!+[]+!![]]+([][+[]]+[])[!+[]+!![]+!![]]+(!![]+[])[+!![]]+(!![]+[])[+[]]]

mccabe615

Genymotion is a Virtual Android Environment built on x86 and Virtualbox. It's not an ARM emulator so it's performance is way better than the Android SDK Emulator. However in their latest update they've removed both ARM Translation and Google Play Apps. (This is what causes the "INSTALL_FAILED_CPU_ABI_INCOMPATIBLE" errors) Many Devs and Users still find these features very useful for various reasons and their removal has forced people to look for alternatives to Genymotion.

This guide is for getting back both ARM Translation and Google Play apps in your Genymotion VM.

UPDATE-v1.1: I've gotten more up-to-date builds of libhoudini and have updated the ZIP. This fixes a lot of app crashes and hangs. Just flash the new one and it should work.
Download the following ZIPs:
ARM Translation Installer v1.1 - http://goo.gl/JBQmPa(Mirrors) ON DROPBOX
Download the correct GApps for your Android version:
Google Apps for Android 4.3 - http://goo.im/gapps/gapps-jb-20130813-signed.zip ON DROPBOX
Google Apps for Android 4.2 

mccabe615

56k: "https://123.campfirenow.com/images/56k.gif"
bell: ":bell:"
bezos: ":laughing::thought_balloon:"
bueller: "anyone?"
clowntown: "https://123.campfirenow.com/images/clowntown.gif"
cottoneyejoe: ":notes::hear_no_evil::notes:"
crickets: "hears crickets chirping"
dadgummit: "dad gummit!! :fishing_pole_and_fish:"
dangerzone: "https://123.campfirenow.com/images/dangerzone.png"
danielsan: ":fireworks: :trophy: :fireworks:"

mccabe615

##OWASP Top Ten##

###A1 Injection###

mccabe615

// IHttpListener  
@Override  
public void processHttpMessage(int toolFlag, boolean messageIsRequest, IHttpRequestResponse messageInfo)

mccabe615

toolFlag - used to determine which tool in Burp the request is coming from. In our case the tool flag for Intruder is 32.
messageIsRequest - this boolean value will be true for a message request and false for a message response
messageInfo - this holds the full data of the message itself
byte[] request_byte = messageInfo.getRequest();
IParameter sig_param = helpers.getRequestParameter(request_byte, "signature");

mccabe615

if (toolFlag == 32 messageIsRequest !sig_param.equals(null))
{
String param1 = helpers.getRequestParameter(request_byte, "param1").getValue();
String param2 = helpers.getRequestParameter(request_byte, "param2").getValue();
String param3 = helpers.getRequestParameter(request_byte, "param3").getValue();