README.md

This README file explains that the provided script cannot use `YAML.dump(payload)` to generate a useful payload, as it only produces a worthless YAML representation of a `Gem::Requirement` object. Instead, the script is a handcrafted conversion of the serialization produced by `Marshal.dump`, with a second version based on a more recent write-up about a universal deserialization gadget for Ruby 2.x and 3.x.

Based on excellent write-up from https://www.elttam.com.au/blog/ruby-deserialization/ Doesn't work to use YAML.dump payload in the above script. This only produces the following YAML, which is worthless: --- ruby/object:Gem::Requirement requirements: - - " =" - ruby/object:Gem::Version version: '0' This is just a handcrafted conversion of the serialization done by Marshal.dump Second version is based on the more recent and equally excellent writup from https://devcraft.io/2021/01/07/universal-deserialisation-gadget-for-ruby-2-x-3-x.html