
CVE-2018-1000006 PoC — GitHub Electron Security Vulnerability

Source
Associated Vulnerability
Title: GitHub Electron Security Vulnerability (CVE-2018-1000006)
Description: GitHub Electron is an application development framework from GitHub, a US company. The framework supports writing cross-platform desktop applications in JavaScript, HTML and CSS. The protocol handler in GitHub Electron 1.8.2-beta.3 and earlier, 1.7.10 and earlier, and 1.6.15 and earlier contains a security vulnerability. An attacker can exploit it to execute arbitrary commands by means of a specially crafted URL.
Description
The Demo for CVE-2018-1000006
Readme
# CVE-2018-1000006-DEMO
The Demo for CVE-2018-1000006

# Analysis
[Electron < v1.8.2-beta.4 Remote Command Execution Vulnerability (CVE-2018-1000006)](https://xianzhi.aliyun.com/forum/topic/1990)

# POC
You can use elec_rce\elec_rce-win32-x64\elec_rce.exe directly.

Alternatively, package an exe yourself to produce a vulnerable build of the application; taking version 1.7.8 as an example:
```
electron-packager ./test elec_rce --win --out ./elec_rce --arch=x64 --version=0.0.1 --electron-version=1.7.8 --download.mirror=https://npm.taobao.org/mirrors/electron/
```
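The packaging command above pins `--electron-version=1.7.8`, which sits inside the affected ranges the advisory lists. The following added example (not part of the PoC repository) is a small audit helper that decides whether a given Electron version string falls inside those ranges; the function names `parseElectronVersion`, `compareVersions` and `isAffectedElectron` are assumptions, and the "first fixed 1.8 build is 1.8.2-beta.4" boundary is taken from the analysis link's title.

```javascript
// Added example, not code from the PoC repository. Checks an Electron version
// against the affected ranges stated in the advisory above:
//   <= 1.8.2-beta.3, <= 1.7.10, <= 1.6.15 (1.8.2-beta.4 is the first fixed 1.8 build).
// Helper names are hypothetical.

// Parse "v1.8.2-beta.3" into { major, minor, patch, pre }. `pre` is the numeric
// beta counter; a final release gets Infinity so it sorts after every beta of
// the same patch level (1.8.2 > 1.8.2-beta.9).
function parseElectronVersion(s) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-beta\.(\d+))?$/.exec(s.trim());
  if (!m) throw new Error(`unrecognised Electron version: ${s}`);
  return {
    major: Number(m[1]),
    minor: Number(m[2]),
    patch: Number(m[3]),
    pre: m[4] === undefined ? Infinity : Number(m[4]),
  };
}

// Comparator over parsed versions: negative, zero or positive.
function compareVersions(a, b) {
  for (const k of ["major", "minor", "patch", "pre"]) {
    if (a[k] !== b[k]) return a[k] < b[k] ? -1 : 1;
  }
  return 0;
}

// Last vulnerable build of each release line named in the advisory.
const LAST_AFFECTED = ["1.8.2-beta.3", "1.7.10", "1.6.15"].map(parseElectronVersion);

// true when the version is inside one of the affected ranges.
function isAffectedElectron(versionString) {
  const v = parseElectronVersion(versionString);
  // Anything newer than the 1.8 line is past every fix listed here.
  if (v.major > 1 || (v.major === 1 && v.minor > 8)) return false;
  const line = LAST_AFFECTED.find((l) => l.major === v.major && l.minor === v.minor);
  // 1.5 and older have no fixed build: they are "1.6.15 and earlier".
  if (!line) return true;
  return compareVersions(v, line) <= 0;
}

// Constructed sample: the version from the packaging command plus a few
// neighbours around each boundary, reported as { version: affected }.
function auditSample() {
  const sample = ["1.7.8", "1.7.10", "1.7.11", "1.8.2-beta.3", "1.8.2-beta.4", "1.8.2", "1.6.15", "1.6.16", "1.5.0", "2.0.0"];
  return Object.fromEntries(sample.map((s) => [s, isAffectedElectron(s)]));
}
```

Run `auditSample()` to see the boundary behaviour; when auditing a real project, feed it the resolved version from the lockfile rather than a `^`/`~` range from package.json.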

![](https://github.com/CHYbeta/chybeta.github.io/blob/master/images/pic/20180124/3.jpg?raw=true)

