Exploitation Summary
EIP tracks 4 public exploits for CVE-2014-7205.
PoCs published by Metasploit, maximilianmarx, AndrewTrube, including Metasploit module exploits/multi/http/bassmaster_js_injection.
AI-analyzed exploit summary This Metasploit module exploits an unauthenticated JavaScript injection vulnerability in the Bassmaster nodejs plugin for hapi. It leverages the batch endpoint to execute arbitrary JavaScript code via eval, leading to remote code execution.
Description
Eval injection vulnerability in the internals.batch function in lib/batch.js in the bassmaster plugin before 1.5.2 for the hapi server framework for Node.js allows remote attackers to execute arbitrary Javascript code via unspecified vectors.
Exploits (4)
This Metasploit module exploits an unauthenticated JavaScript injection vulnerability in the Bassmaster nodejs plugin for hapi. It leverages the batch endpoint to execute arbitrary JavaScript code via eval, leading to remote code execution.
This repository contains a Python-based PoC for CVE-2014-7205, exploiting a JavaScript injection vulnerability in Bassmaster to achieve Remote Code Execution (RCE). The exploit sends a crafted payload to the target's batch endpoint, injecting a NodeJS reverse shell or a netcat-based shell.
This repository contains a Python-based exploit for CVE-2014-7205, a Remote Code Execution (RCE) vulnerability in the Bassmaster NodeJS plugin. The exploit leverages improper input sanitization in the `eval()` function within `lib/batch.js` to execute arbitrary commands, including a reverse shell payload generated by `nodeshell.py`.
This Metasploit module exploits an unauthenticated JavaScript injection vulnerability in the bassmaster nodejs plugin for hapi, allowing remote code execution via the batch endpoint. It uses a crafted POST request to inject arbitrary JavaScript code, which then downloads and executes a payload from a controlled server.