Metasploit-framework: Javascript/NodeJS based meterpreter.

An initial problem I see (this goes for BeEF as well) is that the session only stays up if the page is open. A potential solution for this would be immediately injecting a man in the browser (like the BeEF module) persistence method that would keep the session alive even if the page was closed?

Also, cross-browser compatibility is also a factor. In comparison to the other meterpreters, they can run on older platforms (like winXP, etc). So either avoiding the browser API or putting in browser recognition and implementing actions based on the browser would be the solution there, but they both sound like a pain and a _lot_ more work.

Cross-browser compatibility will be an issue, but initially let us not focus on that. Node is a language of the future. Agreed that most of the existing web applications are PHP based but as businesses are trying to get more agile and achieve scalability, they eventually will shift to Node.
Although the session persistence seems a bigger issue to me at the moment.

If I'm understanding you correctly, you want to make a NodeJS meterpreter that runs in the browser? IIRC, it's not possible to run node applications from the browser without something like browserify just because browsers don't recognize the require() method.

JavaScript is a language of the past that somehow stumbled into the future... ;) But, yeah, it's not going anywhere anytime soon, methinks...

To @cbrnrd's point, there's a distinction to make between browser-based JS and Node-based JS. I like the idea of a JS Meterpreter, just need to make sure it's clear which beast we're going for (e.g. targets NodeJS servers or targets user web browsers).

My initial idea wasn't much based on browsers. It was much like the python meterpreter.
Something like creating a payload using msfvenom and then create a listener using multi/handler and then running the payload using a command like node meterpreter.js , Which would give us a basic session.
But later @timwr suggested that we could do something like the BeEF framework to make it browser based.

So, something like this, but instead of a shell, it's a meterpreter?

Yes, the basic idea is this @cbrnrd . After achieving this we can go for other possibilities.

I'm unsure whether targetting serverside nodeJS or browser based javascript is easier, but either one would be pretty cool. Maybe just stick with nodeJS for now if it's simpler?

A NodeJS Meterpreter would probably be easier.

A web browser is not a nice place to live.

Yeah, I was thinking of the same. We should first focus on the NodeJS meterpreter and proceed with further possibilities once that's in place. @timwr @bcoles

Should we try to replicate the existing PHP meterpreter functions or should we start something from scratch? @timwr @bcoles @sempervictus

The python and PHP meterpreter code is a good starting point

Will start with those then.

updates on that? though it isn't really necessary in my mind as standard nodejs reverse shell works just fine and then you can launch meterpreter from there; tbh I don't find unix/linux meterpreter that useful

Hi!

This issue has been left open with no activity for a while now.

We get a lot of issues, so we currently close issues after 60 days of inactivity. It’s been at least 30 days since the last update here.
If we missed this issue or if you want to keep it open, please reply here. You can also add the label "not stale" to keep this issue open!

As a friendly reminder: the best way to see this issue, or any other, fixed is to open a Pull Request.