Enviroment and exploit to CVE-2020-8163 Blind remote code execution of user-provided local names in Rails < 5.0.1 and < 4.2.11.2
- create docker container mapping port 4000 to 8001
sudo docker run --rm -it -p 8001:4000 ruby:2.3 bash
- update and install some tools in container
apt update && apt install unzip libz-dev libiconv-hook1 libiconv-hook-dev net-tools nodejs -y
- get id container
sudo docker ps
- zip and copy app to docker container
zip -r test_cve-2020-8163.zip test_cve-2020-8163/
sudo docker cp test_cve-2020-8163.zip id_container:/opt/
- unzip and bundle app
cd opt
unzip testapp.zip
cd test_cve-2020-8163
bundle
- start server
bundle exec rails s -p 4000 -b '0.0.0.0'
- if we don't want to repeat the whole process, we do a docker commit
sudo docker commit id_container name_of_commit
- execute exploit
ruby exploit.rb http://localhost:8001/main/index "uname -a"
- See log to view the output