{"id":22050313,"url":"https://github.com/klezvirus/deser-node","last_synced_at":"2025-05-08T23:22:44.917Z","repository":{"id":48074122,"uuid":"245883778","full_name":"klezVirus/deser-node","owner":"klezVirus","description":"NodeJS Deserialization Payload Generator","archived":false,"fork":false,"pushed_at":"2023-05-08T06:12:47.000Z","size":47,"stargazers_count":9,"open_issues_count":2,"forks_count":3,"subscribers_count":2,"default_branch":"master","last_synced_at":"2025-03-31T19:21:15.178Z","etag":null,"topics":["code-execution","deserialization","node","node-js","nodejs","rce"],"latest_commit_sha":null,"homepage":"","language":"JavaScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/klezVirus.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2020-03-08T20:33:26.000Z","updated_at":"2024-08-12T19:58:30.000Z","dependencies_parsed_at":"2024-11-30T14:21:23.104Z","dependency_job_id":"47ab812b-f874-408a-94fa-a56cf5fbce85","html_url":"https://github.com/klezVirus/deser-node","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/klezVirus%2Fdeser-node","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/klezVirus%2Fdeser-node/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/klezVirus%2Fdeser-node/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/klezVirus%2Fdeser-node/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts
/GitHub/owners/klezVirus","download_url":"https://codeload.github.com/klezVirus/deser-node/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":253161532,"owners_count":21863756,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["code-execution","deserialization","node","node-js","nodejs","rce"],"created_at":"2024-11-30T14:21:06.327Z","updated_at":"2025-05-08T23:22:44.903Z","avatar_url":"https://github.com/klezVirus.png","language":"JavaScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"# deser-node\n\nDeser-node is a script to automatically generate serialized payloads for NodeJS-driven applications that deserialize data from user input using one of the following vulnerable modules:\n\n* node-serialize\n* funcster\n* cryo\n\nThe generated payloads are designed to operate in standard RCE mode, which executes system commands on the target, and in reverse-shell (rshell) mode, which is designed to obtain shell access using a non-blocking reverse TCP connection from the target to an attacker-controlled machine.\n\n## Usage\n\nUsing deser-node is very straightforward:\n\n```\n$ node deser-node.js --help\nUsage: node deser-node.js -s [serializer] [options]\n\nOptions:\n  --version            Show version number                             [boolean]\n  -f, --file           Input file\n  -m, --mode           Operational mode, may be serialize or deserialize\n                    [choices: \"serialize\", \"deserialize\"] [default: \"serialize\"]\n  -s, --serializer     The serializer module to 
use\n                                      [required] [choices: \"ns\", \"fstr\", \"cryo\"]\n  -v, --vector         The vector is command exe or reverse shell\n                                                      [choices: \"rce\", \"rshell\"]\n  -c, --command        The command to execute (-v rce must be used)\n  -e, --encode         Charencode the payload (not implemented yet)\n                                                    [choices: \"charcode\", \"b64\"]\n  -H, --lhost          Local listener IP (-v rshell must be used)\n  -P, --lport          Local listener PORT (-v rshell must be used)\n  -t, --target         Target machine OS, may be Win or Linux\n                              [choices: \"linux\", \"windows\"] [default: \"windows\"]\n  -h, --help           Show help                                       [boolean]\n  -p, --cryoprototype                                      [default: \"toString\"]\n```\n\n**Attention:** Using `-m deserialize`, the serialized payload will be executed on your system!\n\n**Note:** Cryo, by default, doesn't allow for direct RCE upon deserialization, but can give an attacker RCE capabilities if a prototype method (toString, valueOf, ...) of the deserialized object is then called. 
For further information, consider reading the following article:\n\n* [The Big Problem of Serialisation](https://klezvirus.github.io/The_Big_Problem_of_Serialisation/)\n\n## Requirements\n\nIn order to use **deser-node**, the following node modules must be installed:\n\n```\nnpm install yargs\nnpm install node-serialize\nnpm install funcster\nnpm install cryo\n```\n\n## TODO:\n\n* Implement encoding schemes:\n    - ~~base64~~\n    - ~~charcode encoding~~\n    - others\n\n#### References\n\n* [https://opsecx.com/index.php/2017/02/08/exploiting-node-js-deserialization-bug-for-remote-code-execution/](https://opsecx.com/index.php/2017/02/08/exploiting-node-js-deserialization-bug-for-remote-code-execution/)","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fklezvirus%2Fdeser-node","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fklezvirus%2Fdeser-node","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fklezvirus%2Fdeser-node/lists"}