CVE-2014-7205 PoC — hapi server framework for Node.js bassmaster插件代码注入漏洞

Source

https://github.com/maximilianmarx/bassmaster-rce

Associated Vulnerability

Title:hapi server framework for Node.js bassmaster插件代码注入漏洞 (CVE-2014-7205)
Description:Eval injection vulnerability in the internals.batch function in lib/batch.js in the bassmaster plugin before 1.5.2 for the hapi server framework for Node.js allows remote attackers to execute arbitrary Javascript code via unspecified vectors.

Description

Exploiting CVE-2014-7205 by injecting arbitrary JavaScript resulting in Remote Code Execution.

Readme

# bassmaster-rce
Exploiting CVE-2014-7205 by injecting arbitrary JavaScript resulting in Remote Code Execution.

I stumbled across this [Post by LuuPhu](https://luuphu25.github.io/posts/bassmaster_nodejs_cve/) (written in viatnamese). Since I have written some code in NodeJS but never came across exploiting it, I figured why not today?

The Python PoC includes two sorts of reverse shells:
1) A simple NC reverse shell
2) A "simple" NodeJS reverse shell taken from [Riyaz Walikar's ibreak.software](https://ibreak.software/2016/08/nodejs-rce-and-a-simple-reverse-shell/)

# Disclaimer
For the sake of completeness:

All the information provided in this post is for educational purposes only. You shall not misuse the information to gain unauthorized access and/or write malicious programs. The author is not responsible for misuse of this information.

File Snapshot

Remarks

1. It is advised to access via the original source first.

2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.

View subscription plans →

Goal Reached Thanks to every supporter — we hit 100%!