I-Info/CVE-2020-8163

Enviroment and exploit to rce test

CVE-2020-8163

Enviroment and exploit to CVE-2020-8163 Blind remote code execution of user-provided local names in Rails < 5.0.1 and < 4.2.11.2

Pull image from dockerhub & run

docker pull iinfo/rails-cve-2020-8163:latest
docker run -d -p 4000:4000 --name rails rails-cve-2020-8163:latest

Build Enviroment by Dockerfile

1. Pull code from repo

git clone https://github.com/I-Info/CVE-2020-8163.git 
cd CVE-2020-8163

2. Run docker build

sudo docker build -t cve:2020-8163 .

3. Start server by docker

sudo docker run -d -p 4000:4000 --name cve-2020-8163 cve:2020-8163

---

Create the enviroment

1. create docker container mapping port 4000 to 8001

sudo docker run --rm -it -p 8001:4000 ruby:2.3 bash

2. update and install some tools in container

apt update && apt install unzip libz-dev libiconv-hook1 libiconv-hook-dev net-tools nodejs -y

3. get id container

sudo docker ps

4. zip and copy app to docker container

zip -r test_cve-2020-8163.zip test_cve-2020-8163/
sudo docker cp test_cve-2020-8163.zip id_container:/opt/

5. unzip and bundle app

cd opt 
unzip testapp.zip
cd test_cve-2020-8163
bundle

6. start server

bundle exec rails s -p 4000 -b '0.0.0.0'

7. if we don't want to repeat the whole process, we do a docker commit

sudo docker commit id_container name_of_commit

Exploit

1. execute exploit

ruby exploit.rb http://localhost:8001/main/index "uname -a"

2. See log to view the output