Enhancing the functionality on the nodejs shell_reverse_tcp payload. #9077
Conversation
Awesome, thank you. Aside from the loop concern, seems rational to me. Adding to test queue.
lib/msf/core/payload/nodejs.rb
Outdated
} | ||
}); | ||
socket.on("error", function(error) { | ||
StagerRepeat(); |
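Review bot: the `error` handler calls `StagerRepeat()` immediately, with no delay and no upper bound on attempts, so a refused connection re-dials in a tight loop for as long as the process lives. Gate the call on a retry counter and schedule it through `setTimeout` with a delay that grows after consecutive failures, so that a retry limit can be set to a sensible value.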
MaxRetries should be taken into account, this will loop ad nauseum.
The loop runs around 30+ times per second. If a MaxRetry value is specified, it will have to be in the tens of thousands to keep the payload running for just a couple of minutes. @sempervictus
This is doing a connect outbound, so having a backoff at the least should be added; a MaxRetry could then be set to a reasonable value as well. Each StagerRepeat() can be called at least a few seconds apart, and multiple failures in a row should extend the delay.
I'm not very well accustomed to the nodejs predefined functions. Is there a similar function like time.sleep() in node as there is in python? @jmartin-r7 @sempervictus
What is new? For generating the payload we can now use StagerRetryWait (for the number of seconds it has to wait until it will loop again) and StagerRetryCount (for the number of times the payload will loop). Method to generate the payload:
NOTE: The payload will loop 2 times and will wait for 15 seconds each time
lib/msf/core/payload/nodejs.rb
Outdated
} | ||
}); | ||
var counter=0; | ||
function StagerRepeat(){ |
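Review bot: `var counter=0;` and `function StagerRepeat(){` are missing the spaces around `=` and before `{` that the rest of the generated JavaScript uses; write `var counter = 0;` and `function StagerRepeat() {`. Since `counter` is declared at the top level it is shared across every call, which is what a retry limit needs, but a short comment saying it counts failed connection attempts would make that intent clear.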
Whitespace and style here is all over the place, note: "Metasploit requires spaces instead of hard tabs"
See https://github.com/rapid7/metasploit-framework/wiki/Style-Tips
I have offered a PR that I believe ends up a bit more readable and replaces the hard tabs. @itsmeroy2012 take a look and merge if you are good with adjustments. I can complete testing and get this merged soon.
Adjust whitespace per desired style
The commit by @jmartin-r7 was merged. I had one question though: how many contributions does one need to get his/her name in the Author's list of the concerned payload module? @jmartin-r7 @sempervictus
@itsmeroy2012, payloads tend not to have authors directly associated. Any lines of code sourced from you in a PR will report in a If you have a goal of seeing your name as an author, a new module implementing a PoC for a vulnerability that does not have a module contributed by the original author is an appropriate way to reach this goal. Authors of modules are typically expanded when an existing module can be expanded with a new vector or significantly re-implemented in a more reliable way.
Thanks for merging this and also for answering my question. I'll keep working on the payloads and try to write a new module and hopefully get my name in the Author's list of a payload someday :) @jmartin-r7
Release Notes
The
Description:
This update makes use of error handling in the NodeJs shell_reverse_tcp payload. Before, when the server wanted to connect to the client to get a shell, the listener was required to be set up first. This particular enhancement does not require the listener to be set up before the payload is executed.
Previous scenario:
Creating the payload:
Executing the payload without setting up a listener or a reverse tcp handler:
After this addition:
Creating the payload:
Executing the payload:
NOTE: No Error occurs
Setting up the listener later: