Backdooring Node.js Express Apps via SSJI

Wed, 01 Mar 2017 00:00:00 +0000

Updated: 2017.03.03

One of the interesting things about Node.js (server-side JavaScript) apps/APIs is that they’re event driven. As an attacker, this means there are new options for post-exploitation code execution, so I wrote a little PoC to demonstrate that.

In the scenario below, we’re going to assume we’ve already identified Server-Side JavaScript Injection (SSJI) in the app. This is not a new vulnerability in Express, but an experiment in post-exploitation. There are many posts on how to exploit SSJI in which they show how to read files with require(‘fs’).readFile or execute commands with require('child_process').spawn. But what if we could add our own event through the SSJI? We could modify the running app’s behavior without touching disk and have it harvest sensitive information or perform other nefarious activities.

Hunting Sticky Keys Backdoors

Mon, 23 Mar 2015 00:00:00 +0000

The “sticky keys” backdoor method has been a favorite for hackers for years and it’s been gaining popularity as a malware-free persistence method. This backdoor method gives an attacker pre-authentication, SYSTEM-level access to a target remotely over RDP or locally via the console.

The backdoor can be installed in one of two ways:

Copy cmd.exe over sethc.exe or utilman.exe
Set cmd.exe as the debugger for sethc.exe or utilman.exe

The sethc.exe backdoor can be triggered by pressing the shift key five times in rapid succession. The utilman.exe backdoor can be triggered by pressing windows+u.

Backdoor on Zach Grace

Backdooring Node.js Express Apps via SSJI

Hunting Sticky Keys Backdoors