CVE-2015-3224 - Dottier Emitter
Description
request.rb in Web Console before 2.1.3, as used with Ruby on Rails 3.x and 4.x, does not properly restrict the use of X-Forwarded-For headers in determining a client's IP address, which allows remote attackers to bypass the whitelisted_ips protection mechanism via a crafted request.
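The root cause above is that the client address fed into the whitelisted_ips check came from a header the client controls. The following Ruby is an added illustration, not web-console's own request.rb: the vulnerable variant mirrors the behaviour the description states (X-Forwarded-For taken at face value), and the hardened variant honours the header only when the TCP peer is a configured trusted proxy, otherwise falling back to the transport address. The WHITELIST networks, the trusted_proxies parameter and the sample env hashes are constructed assumptions.

```ruby
require 'ipaddr'

# Assumed allow-list (constructed for this example; web-console's default is
# its own whitelisted_ips setting, not reproduced here).
WHITELIST = [
  IPAddr.new('127.0.0.1'),
  IPAddr.new('::1'),
  IPAddr.new('10.0.0.0/8')
].freeze

# Vulnerable pattern: the first X-Forwarded-For entry is trusted unconditionally,
# so the address being checked is whatever the requester chose to send.
def vulnerable_client_ip(env)
  forwarded = env['HTTP_X_FORWARDED_FOR']
  return forwarded.split(',').first.strip if forwarded && !forwarded.strip.empty?
  env['REMOTE_ADDR']
end

def valid_ip?(str)
  IPAddr.new(str)
  true
rescue IPAddr::InvalidAddressError, ArgumentError
  false
end

# Hardened pattern: X-Forwarded-For is used only when the peer that opened the
# TCP connection is a trusted proxy, and then only the entry that proxy itself
# appended (the last one). Anything else resolves to REMOTE_ADDR.
def hardened_client_ip(env, trusted_proxies: [])
  peer = env['REMOTE_ADDR']
  forwarded = env['HTTP_X_FORWARDED_FOR']
  if forwarded && valid_ip?(peer) &&
     trusted_proxies.any? { |proxy| proxy.include?(IPAddr.new(peer)) }
    candidate = forwarded.split(',').map(&:strip).reject(&:empty?).last
    return candidate if candidate && valid_ip?(candidate)
  end
  peer
end

def whitelisted?(ip)
  addr = IPAddr.new(ip)
  WHITELIST.any? { |net| net.include?(addr) }
rescue IPAddr::InvalidAddressError, ArgumentError
  false
end

# Detection hook: an X-Forwarded-For header arriving from a peer that is not a
# configured proxy is worth logging, since no legitimate proxy put it there.
def suspicious_forwarded_header?(env, trusted_proxies: [])
  forwarded = env['HTTP_X_FORWARDED_FOR']
  return false if forwarded.nil? || forwarded.strip.empty?
  peer = env['REMOTE_ADDR']
  return true unless valid_ip?(peer)
  trusted_proxies.none? { |proxy| proxy.include?(IPAddr.new(peer)) }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed request: external peer presenting a loopback address in the header.
  env = { 'REMOTE_ADDR' => '203.0.113.7', 'HTTP_X_FORWARDED_FOR' => '127.0.0.1' }
  puts "vulnerable sees #{vulnerable_client_ip(env)} -> allowed=#{whitelisted?(vulnerable_client_ip(env))}"
  puts "hardened sees   #{hardened_client_ip(env)} -> allowed=#{whitelisted?(hardened_client_ip(env))}"
  puts "suspicious header: #{suspicious_forwarded_header?(env)}"
end
```

With no trusted proxies configured, the hardened check ignores the header entirely; when the app really does sit behind a reverse proxy, list that proxy's address in trusted_proxies and the check uses only the entry the proxy appended.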
Reference
https://groups.google.com/forum/message/raw?msg=rubyonrails-security/lzmz9_ijUFw/HBMPi4zp5NAJ
http://openwall.com/lists/oss-security/2015/06/16/18
https://github.com/rails/web-console/blob/master/CHANGELOG.markdown
http://lists.fedoraproject.org/pipermail/package-announce/2015-June/160881.html
http://www.securityfocus.com/bid/75237
Exploit
CVE-2015-3224
Ruby-On-Rails Web Console RCE
What is this?
This is a module for Metasploit.
I already have this module.
Yes, this is packaged into metasploit. But with that module you can't get arbitrary command execution.
I mean, you can only establish reverse/bind shell payloads with it. I needed to execute commands right from the shell. So I modified the metasploit module so that it is now able to execute single commands on the system.
Good. How do I use it?
To install this module you can run the automatic installation script I developed to install it quickly into your metasploit.
./install.sh
Then the exploit will be in your metasploit framework! Just search for it using "search ruby-on-rails" or "search cve-2015-3224".
Screenshot
Author Rights
I have no rights to this CVE nor to the metasploit module itself. This is just a hack I've done so it can fit my needs, and it may be just what you have been looking for.