jscythe
jscythe abuses the Node.js inspector mechanism to force any Node.js-, Electron- or V8-based process to execute arbitrary JavaScript code, even if its debugging capabilities are disabled.
Tested and working against Visual Studio Code, Discord, any Node.js application, and more!
How
- Locate the target process.
- Send SIGUSR1 to the process; this enables the debugger on a port (depending on the software, the port is sometimes random and sometimes fixed).
- Determine debugging port by diffing open ports before and after sending SIGUSR1.
- Get the websocket debugging URL and session id from http://localhost:<port>/json.
- Send a Runtime.evaluate request with the provided code.
- Profit.
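Because an inspector enabled this way answers plain HTTP on localhost, a host-level audit can flag a Node/Electron process that is unexpectedly exposing one. The following is an added example, not part of jscythe: it recognises a Node inspector from the discovery bodies served at /json/version and /json, and checks a list of candidate ports; the sample bodies are constructed and the function names are my own.

```python
# Added audit helper (not part of jscythe): recognise a Node.js inspector
# endpoint from its HTTP discovery responses so that a debugger a process was
# not expected to expose can be flagged. Standard library only.
import json
import urllib.request
from urllib.error import URLError

# Constructed samples of the /json/version and /json bodies a Node inspector returns.
SAMPLE_VERSION = '{"Browser": "node.js/v18.17.0", "Protocol-Version": "1.1"}'
SAMPLE_LIST = ('[{"id": "abc", "title": "node[4242]", "type": "node",'
               ' "webSocketDebuggerUrl": "ws://127.0.0.1:9229/abc"}]')


def is_node_inspector(version_body: str) -> bool:
    """True if a GET /json/version body identifies a Node.js inspector."""
    try:
        info = json.loads(version_body)
        browser = str(info.get("Browser", ""))
    except (ValueError, AttributeError):  # not JSON, or JSON that is not an object
        return False
    return browser.lower().startswith("node.js") and "Protocol-Version" in info


def inspector_targets(list_body: str) -> list:
    """Debug targets (title, type, websocket URL) listed by GET /json, if any."""
    try:
        entries = json.loads(list_body)
    except ValueError:
        return []
    if not isinstance(entries, list):
        return []
    return [{"title": e.get("title", ""), "type": e.get("type", ""),
             "url": e["webSocketDebuggerUrl"]}
            for e in entries if isinstance(e, dict) and "webSocketDebuggerUrl" in e]


def fetch(url: str, timeout: float = 0.5):
    """Small HTTP GET returning None on any failure (port closed, not HTTP, ...)."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.read().decode("utf-8", "replace")
    except (URLError, OSError, ValueError):
        return None


def audit_ports(ports, host: str = "127.0.0.1") -> list:
    """Ports on `host` that answer as a Node inspector; feed it the listening
    TCP ports of the Node/Electron processes on the machine (e.g. from ss/lsof)."""
    return [p for p in ports if (body := fetch(f"http://{host}:{p}/json/version"))
            and is_node_inspector(body)]
```

A port that appears in the result for a process that was never started with inspector flags is the signature of the SIGUSR1 activation described above and is worth alerting on.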
Running
Target a specific process and execute a basic expression:
./target/debug/jscythe --pid 666 --code "5 - 3 + 2"
Execute code from a file:
./target/debug/jscythe --pid 666 --script example_script.js
The example_script.js can require any node module and execute any code, like:
require('child_process').spawnSync('/System/Applications/Calculator.app/Contents/MacOS/Calculator', { encoding : 'utf8' }).stdout
Search process by the expression:
./target/debug/jscythe --search extensionHost --script example_script.js
Install
Copyright (C) 2022 @evilsocket