A couple of years ago I wrote a universal YAML.load deserialization RCE gadget based on the work by Luke Jahnke from elttam. This has since been patched and no longer works on Ruby versions after 2.7.2 and Rails 6.1.

Fortunately, William Bowling (vakzz) has found a new gadget chain that works on all Ruby versions 2.x - 3.x. His write-up for this is excellent and I highly recommend you give it a read.

As with the previous gadget, I wanted to make this exploitable via YAML.load. In this instance I'm not going to go through the whole process of getting to this, since it was almost identical to the process covered in my previous post.

The new payload is pretty straightforward and easy to understand. The one interesting part is that the payload needs to include both Gem::Installer and Gem::SpecFetcher to ensure all the required classes are loaded by the autoloader. To accomplish this, they are added as Ruby objects at the start of the YAML payload. For these to actually be loaded/deserialized, they need to have data, thus the `i: x` and `i: y`. These don't matter; they simply need to be valid YAML. The actual command to execute is in the `git_set` field: `ruby r.rb`.
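The whole chain depends on `YAML.load` instantiating arbitrary `!ruby/object:` tagged mappings such as the `Gem::Installer` and `Gem::SpecFetcher` entries described above. The defensive counterpart, added here as an example and not code from this post or from vakzz's write-up, is to parse untrusted YAML with `YAML.safe_load`, which refuses those tags with `Psych::DisallowedClass`; the sample document below is constructed to mirror only the harmless leading objects, not the gadget itself.

```ruby
require 'yaml'

# Constructed sample: the two "priming" objects the payload places first.
# On their own they do nothing; they exist to exercise the tag check.
CONSTRUCTED_UNTRUSTED_YAML = <<~YAML
  ---
  - !ruby/object:Gem::Installer
    i: x
  - !ruby/object:Gem::SpecFetcher
    i: y
YAML

CONSTRUCTED_BENIGN_YAML = "i: x\n"

# Cheap pre-check for logging/alerting: list any !ruby/ tags present in
# the raw text before parsing. Useful as a detection signal on inputs
# that should never carry native Ruby object tags.
def ruby_tags_in(text)
  text.scan(/!ruby\/[^\s]+/)
end

# Parse untrusted YAML. safe_load builds only plain data (Hash, Array,
# String, Integer, Float, NilClass, TrueClass, FalseClass) and raises
# Psych::DisallowedClass for any !ruby/object:… tag, so the gadget's
# Gem::* objects are never instantiated.
def load_untrusted_yaml(text)
  data = YAML.safe_load(text)
  [:ok, data]
rescue Psych::DisallowedClass => e
  [:rejected, e.message]
end

if __FILE__ == $PROGRAM_NAME
  p ruby_tags_in(CONSTRUCTED_UNTRUSTED_YAML)
  p load_untrusted_yaml(CONSTRUCTED_UNTRUSTED_YAML)
  p load_untrusted_yaml(CONSTRUCTED_BENIGN_YAML)
end
```

The same `safe_load` path is what `YAML.load` itself resolves to in Psych 4 (Ruby 3.1+), which is why the gadget requires the older unsafe behaviour or an explicit `unsafe_load`.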