0-Day PoC - Supply Chain

by JefferyHarpe - 03 July, 2026 - 05:34 AM
This post is by a banned member (JefferyHarpe) - Unhide
I won't discuss the businesses it affects publicly due to the nature.

US primarily, but has multi-international potential.

The PoC will contain full workstation environment + files needed + proof of concept + a summary of the application reverse engineered for further analysis or understanding of everything.

This can be done / automated, but I will not provide code for this. I will however explain what you would need to accomplish for automated deployment. 

The command execution itself is treated as an XSS through a URL parameter. Once the target machine visits the link, the link will allow for quite a few abilities such as Registry read/write, File search/read/write, Process start and more.

I have video evidence of this + the complete workstation application(s) and scripts to prove it.

Affects at minimum 8000+ Locations. 

Selling 1 copy of it only.

A middleman is welcome to prove any claims. Only dealing with a trusted middleman, and only dealing on site.

I will be removing this thread shortly as I don't want to bring too much attention to it.

It's a supply chain attack, dealing within multiple businesses that were ranked, or are ranked on Fortune 500 business list.

Currently, the only thing, as I mentioned before, is that this requires users to click a link, for example, or visit a page pointing towards the redirect or embedding an iframe.

The Vulnerability
The application loads a page from https://localhost and uses `eval()` on a URL parameter without validation:
Code:
var userData = getQueryParam("state");
eval("var config = " + userData);

An attacker can craft a URL that injects JavaScript. The code executes with the application’s privileges – often Administrator.

Why This Is Critical
- The embedded browser has no sandbox – it runs with full system rights.
- The application provides a local REST API that exposes operations like file access, process creation, registry modification, network downloads, and system shutdown.
- These APIs are unauthenticated – any request from `localhost` is blindly trusted.

A single crafted URL lets an attacker:
- Read any file (SSH keys, credentials, configs)
- Write malicious files to startup folders
- Launch executables (`calc.exe`, `cmd.exe`, malware)
- Add persistence via registry Run keys
- Reboot or shut down the machine
- Exfiltrate data silently

Simple Proof‑of‑Concept
The attacker sends a link like:
Code:
https://localhost/vulnerable/page.htm?state=(async function(){ await api.process.create('calc.exe'); })()

When the victim clicks it, the application runs the injected JavaScript, which calls the local API to launch `calc.exe` – silently and without any further interaction.

Why This Matters
This is not a typical XSS. It’s a direct path from a browser bug to full machine compromise. The attack is stealthy, persistent, and requires only one click.


Again, I accept MM. I will provide all proof of this working.
This only affects WINDOWS machines.

Don't miss on this. 

again, ON SITE DEALS ONLY.
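
A defensive counterpart to the `eval()` pattern quoted in the post above, as an added example that is not part of the original post or of the affected application: the `state` parameter is parsed as data with `JSON.parse` and checked against an allowlist, so script text is rejected instead of executed. The function name `parseStateParam`, the key names (`theme`, `locale`, `timeoutSec`) and the length limit are assumptions made for illustration.

```javascript
// Added example: treat the `state` URL parameter as data, never as code.
// ALLOWED_KEYS and MAX_STATE_LEN are constructed for illustration; a real
// application would list the configuration fields it actually uses.
const ALLOWED_KEYS = {
  theme: (v) => v === 'light' || v === 'dark',
  locale: (v) => typeof v === 'string' && /^[a-z]{2}(-[A-Z]{2})?$/.test(v),
  timeoutSec: (v) => Number.isInteger(v) && v >= 1 && v <= 3600,
};
const MAX_STATE_LEN = 1024;

function parseStateParam(href) {
  const raw = new URL(href).searchParams.get('state');
  if (raw === null) return { ok: true, config: {} };
  if (raw.length > MAX_STATE_LEN) return { ok: false, reason: 'too long' };

  let parsed;
  try {
    // JSON.parse is a parser, not an interpreter: script text throws here.
    parsed = JSON.parse(raw);
  } catch (err) {
    return { ok: false, reason: 'not JSON' };
  }
  if (parsed === null || typeof parsed !== 'object' || Array.isArray(parsed)) {
    return { ok: false, reason: 'not an object' };
  }

  // Copy only known, validated keys into a prototype-less object so that
  // keys such as "__proto__" cannot influence later property lookups.
  const config = Object.create(null);
  for (const [key, value] of Object.entries(parsed)) {
    const known = Object.prototype.hasOwnProperty.call(ALLOWED_KEYS, key);
    if (!known) return { ok: false, reason: `unknown key: ${key}` };
    if (!ALLOWED_KEYS[key](value)) return { ok: false, reason: `bad value for ${key}` };
    config[key] = value;
  }
  return { ok: true, config };
}
```

This closes only the injection point; the unauthenticated local API described in the post still needs its own authentication rather than trusting every request from `localhost`.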
This post is by a banned member (EarlHickey) - Unhide
#2
Good luck
This post is by a banned member (2F4R) - Unhide
#3
GLWS!
