ØxOPOSɆC Mɇɇtuᵽ - [INIT] - The Gathering
Renato Rodrigues - @SiMpS0N- 11-02-2016
Step In
SSJS Injection
NODE BLEED
What is NodeJS?
aka
Node.js is a JavaScript runtime built on Chrome's V8 JavaScript engine. Node.js uses an event-driven, non-blocking I/O model that makes it lightweight and efficient.
Node.js is a runtime environment for running JavaScript application outside the browser, so, JavaScript on the server-side.
SSJS Injection
Server-Side JavaScript Injection
In short it's like a Cross-Site Scripting (XSS), our code will land on the server and we hope to get an execution sink.
In the end of the day it's all about:
eval()
The eval() function evaluates or executes an argument. If the argument is an expression, eval() evaluates the expression. If the argument is one or more JavaScript statements, eval() executes the statements.
Reference: http://www.w3schools.com/jsref/jsref_eval.asp
Why people use eval in 2016
Convert JSON text into an Object
Make logic flows
var jsondata = eval("("+JSON-String+")");...
xhReq.onreadystatechange = function()
{
if (xhReq.readyState == 4)
{
if(passReply)
{
if(asXML)
{
eval(callback + "(xhReq.responseXML);");
}else{
eval(callback + "(xhReq.responseText);");
}
}else{
eval(callback + "();");
}
}
}
xhReq.send(null);
...But Remember eval is not alone
($=>{return inj})()
new Promise($=>inj)
function a(a=inj){}; a();
To schedule execution of a one-time callback after delay milliseconds. Optionally you can also pass arguments to the callback.
setTimeout(inj,delay)
To schedule the repeated execution of callback every delay milliseconds. Optionally you can also pass arguments to the callback.
setInterval(inj,delay)
Reference: https://millermedeiros.github.io/mdoc/examples/node_api/doc/timers.html
Hands On
eval() is our friend and JSON just came along.
😈
https://gist.github.com/Simpsonpt/ed4f6cf8ebe269ba29d7
Node Bleed
Node Process Memory Disclosure
Bug is in the OpenSSL's implementation of the TLS/DTLS (transport layer security protocols) heartbeat extension (RFC6520). When it is exploited it leads to the leak of memory contents from the server to the client and from the client to the server.
Reference: http://heartbleed.com/
Tell me more
Today, the Node.js Buffer constructor is overloaded to handle many different argument types like String, Array, Object, TypedArrayView (Uint8Array, etc.), ArrayBuffer, and also Number. The API is optimized for convenience: you can throw any type at it, and it will try to do what you want.
Raw data is stored in instances of the Buffer class. A Buffer is similar to an array of integers but corresponds to a raw memory allocation outside the V8 heap. A Buffer cannot be resized. The Buffer object is global.
Buffers
But what happens if we call with a Number Argument?
new Buffer()Reference: https://github.com/nodejs/node/issues/4660
Hands On
Abusing Buffer API for fun and profit.
😈
https://gist.github.com/Simpsonpt/ed4f6cf8ebe269ba29d7
Thank you!
😇