CVE-2014-7205 PoC — hapi server framework for Node.js bassmaster plugin code injection vulnerability

Source
Associated Vulnerability
Title: hapi server framework for Node.js bassmaster plugin code injection vulnerability (CVE-2014-7205)
Description: Eval injection vulnerability in the internals.batch function in lib/batch.js in the bassmaster plugin before 1.5.2 for the hapi server framework for Node.js allows remote attackers to execute arbitrary Javascript code via unspecified vectors.
Description
Exploiting CVE-2014-7205 by injecting arbitrary JavaScript resulting in Remote Code Execution.
Readme
# bassmaster-rce
Exploiting CVE-2014-7205 by injecting arbitrary JavaScript resulting in Remote Code Execution.

I stumbled across this [Post by LuuPhu](https://luuphu25.github.io/posts/bassmaster_nodejs_cve/) (written in Vietnamese). Since I have written some code in NodeJS but never came across exploiting it, I figured why not today?

The Python PoC includes two sorts of reverse shells:
1) A simple NC reverse shell
2) A "simple" NodeJS reverse shell taken from [Riyaz Walikar's ibreak.software](https://ibreak.software/2016/08/nodejs-rce-and-a-simple-reverse-shell/)

# Disclaimer
For the sake of completeness:

All the information provided in this post is for educational purposes only. You shall not misuse the information to gain unauthorized access and/or write malicious programs. The author is not responsible for misuse of this information.
File Snapshot

[4.0K] /data/pocs/6896b8e2e4f9a7a222f756df0ade3337fddc8a84
├── [2.8K] bassmaster-poc-rce.py
└── [ 854] README.md

0 directories, 2 files