RCE using XSS in Electron applications

TL;DR

Notable 1.8.4 allows XSS via crafted Markdown text, with resultant remote code execution (because nodeIntegration in webPreferences is true).

About Notable

Notable is a markdown-based note-taking app built on the Electron framework. Notable was originally released as open source, but newer versions of it are no longer open source.

Electron and Node Integration

Electron is a framework that enables you to create desktop applications with JavaScript, HTML, and CSS. These applications can then be packaged to run directly on macOS, Windows, or Linux, or distributed via the Mac App Store or the Microsoft Store.

From a development perspective, an Electron application…
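The two ingredients of the TL;DR above, shown together as an added example (this is not Notable's code and not the original post's): a markdown renderer that passes raw HTML through, a crafted note carrying a generic `<img onerror>` payload, and an audit of the `webPreferences` flags that decide whether that XSS stays in the DOM or reaches Node's `require()`. The renderer, the note, the config objects and the finding text are all constructed here; the `nodeIntegration`, `contextIsolation`, `sandbox` and `webSecurity` settings are Electron's documented option names.

```javascript
// Added example (not Notable's code): why an XSS in an Electron renderer with
// nodeIntegration: true becomes RCE, and the two layers that stop it.
// The markdown converter, payload and config objects are constructed here.

// Minimal markdown renderer that, like an "allow raw HTML" mode, passes any
// HTML in the note straight into the page. Only **bold** is handled.
function renderMarkdownUnsafe(md) {
  return '<p>' + md.replace(/\*\*(.+?)\*\*/g, '<strong>$1</strong>') + '</p>';
}

// Same renderer, but raw HTML is escaped before markdown is applied, so a
// note can only produce the tags the renderer itself emits.
function escapeHtml(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;')
          .replace(/"/g, '&quot;').replace(/'/g, '&#39;');
}
function renderMarkdownSafe(md) {
  return '<p>' + escapeHtml(md).replace(/\*\*(.+?)\*\*/g, '<strong>$1</strong>') + '</p>';
}

// Constructed note body. With nodeIntegration enabled the event handler runs
// with Node's require() in scope, so the XSS is a process-level code
// execution primitive rather than a DOM-only one. It is never executed here.
const CRAFTED_NOTE =
  '**hello** <img src=x onerror="require(\'child_process\').exec(\'calc\')">';

// Audit a BrowserWindow webPreferences object for the flags that turn a
// renderer XSS into code execution. The finding wording is ours.
function auditWebPreferences(prefs) {
  const findings = [];
  if (prefs.nodeIntegration === true)
    findings.push('nodeIntegration is true: any XSS in the renderer can call require()');
  if (prefs.contextIsolation === false)
    findings.push('contextIsolation is false: page scripts share the preload realm');
  if (prefs.sandbox === false)
    findings.push('sandbox is false: renderer runs without the OS sandbox');
  if (prefs.webSecurity === false)
    findings.push('webSecurity is false: same-origin policy is disabled');
  return findings;
}

// Constructed configs: the weak setting the TL;DR describes, and a hardened one.
const VULNERABLE_PREFS = { nodeIntegration: true, contextIsolation: false };
const HARDENED_PREFS = {
  nodeIntegration: false,
  contextIsolation: true,
  sandbox: true,
  preload: '/path/to/preload.js', // hypothetical path; expose only vetted IPC via contextBridge
};

function demo() {
  return {
    unsafeHtml: renderMarkdownUnsafe(CRAFTED_NOTE),
    safeHtml: renderMarkdownSafe(CRAFTED_NOTE),
    vulnerableFindings: auditWebPreferences(VULNERABLE_PREFS),
    hardenedFindings: auditWebPreferences(HARDENED_PREFS),
  };
}
```

Escaping fixes the injection regardless of the window settings, and the hardened `webPreferences` make sure that a future renderer bug cannot call into Node at all; both layers are worth having, since the first protects one input path and the second protects the process.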


Credits: PortSwigger

Serialization vs Deserialization

Serialization is the process of converting objects into a sequential stream of bytes so that they can be easily stored in a database or transmitted over a network. Deserialization is the exact opposite: it is the process of converting that stream of bytes back into a fully functional object.

The object’s state is also persisted which means that the object’s attributes are preserved, along with their assigned values. The process of preventing a field from being serialized varies from language to language.

What is insecure deserialization?

Insecure deserialization is when user-controllable data is deserialized by an application. This allows an attacker to…
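The definition above, as an added example that is not part of the original post: a deserializer that revives tagged strings into functions with `eval` (the insecure pattern, since whoever controls the bytes controls what runs) next to a plain JSON parser that rejects prototype-polluting keys and validates the shape of the result. The `_$$FUNC$$_` marker, the note schema and the attacker payload are all constructed for this demo; the payload sets a global flag instead of running a real command so that its execution can be observed.

```javascript
// Added example (not from the post): insecure vs. safe deserialization of
// user-controlled input. The function marker and schema are constructed here.

const FUNC_MARKER = '_$$FUNC$$_';

// Insecure: any string tagged as a function is evaluated while the object is
// being rebuilt. An IIFE in the payload runs right here, before the
// application ever touches the returned object.
function unsafeDeserialize(str) {
  return JSON.parse(str, function (key, value) {
    if (typeof value === 'string' && value.startsWith(FUNC_MARKER)) {
      return eval('(' + value.slice(FUNC_MARKER.length) + ')');
    }
    return value;
  });
}

// Safe: plain JSON.parse never produces functions, prototype keys are
// rejected, and the result is checked against the shape we expect.
const NOTE_SCHEMA = { title: 'string', body: 'string', pinned: 'boolean' };

function safeDeserialize(str) {
  const obj = JSON.parse(str, function (key, value) {
    if (key === '__proto__' || key === 'constructor' || key === 'prototype') {
      throw new Error('rejected prototype key: ' + key);
    }
    return value;
  });
  if (obj === null || typeof obj !== 'object' || Array.isArray(obj)) {
    throw new Error('expected a JSON object');
  }
  for (const key of Object.keys(obj)) {
    const expected = NOTE_SCHEMA[key];
    if (expected === undefined) throw new Error('unexpected field: ' + key);
    if (typeof obj[key] !== expected) throw new Error('bad type for ' + key);
  }
  return obj;
}

// Constructed attacker input: a tagged IIFE that flips a global flag so the
// demo can observe that deserialization executed attacker code.
const ATTACKER_PAYLOAD = JSON.stringify({
  title: 'x',
  body: FUNC_MARKER + 'function () { globalThis.deserializationRan = true; }()',
});

// Constructed prototype-pollution attempt; the safe parser must reject it.
const PROTO_PAYLOAD = '{"title":"x","__proto__":{"isAdmin":true}}';

function demo() {
  globalThis.deserializationRan = false;
  unsafeDeserialize(ATTACKER_PAYLOAD);
  const unsafeExecuted = globalThis.deserializationRan === true;

  globalThis.deserializationRan = false;
  const safeResult = safeDeserialize(ATTACKER_PAYLOAD);
  // The tagged string stays an inert string; nothing ran.
  const safeInert = typeof safeResult.body === 'string' &&
                    globalThis.deserializationRan === false;

  let protoRejected = false;
  try { safeDeserialize(PROTO_PAYLOAD); } catch (e) { protoRejected = true; }

  return { unsafeExecuted, safeInert, protoRejected };
}
```

The fix is not a smarter `eval` filter: it is to use a data-only format for untrusted input and to validate the parsed structure before the application uses it.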


Exploiting the IKEEXT service manually

I was writing my Windows privilege escalation guide when I came across a potential DLL hijacking vulnerability reported by PowerUp. After searching on the internet, I found that it is due to a vulnerability in the IKEEXT service. I placed the missing DLL wlbctrl.dll in C:\Temp and tried restarting the IKEEXT service, but it did not restart because I did not have enough privileges. I tried using this script and it worked. Now I was curious to know how this script worked. …


All roads lead to SYSTEM

Privilege Escalation may be daunting at first but it becomes easier once you know what to look for and what to ignore. Privilege escalation always comes down to proper enumeration. This guide will mostly focus on the common privilege escalation techniques and exploiting them.

The starting point for this tutorial is an unprivileged shell on a box. For demonstration purposes, I have used netcat to get a reverse shell from a Windows 7 x86 VM.

Enumeration

I cannot stress enough how important enumeration is. There are a lot of cheat sheets out there to extract valuable information from the systems. In…


SEH based buffer overflow for GMON command in vulnserver.

In this post, we will be exploiting the GMON command of Vulnserver using an SEH-based buffer overflow. If you are not acquainted with SEH-based buffer overflows, you can refer to the Exploit Research Megaprimer on SecurityTube or Corelan's tutorials on buffer overflows. If you want to read about vanilla buffer overflows, you can read my post here. This post is a writeup for Vulnserver, not an explanation of how SEH is exploited.

We are running the Vulnserver on a Windows 7 x86 VM without any patches. Keep in mind that your exploit may not work if Windows has…


Bypassing application security checks & manipulating code at runtime.

Frida is a dynamic instrumentation toolkit for developers, reverse-engineers, and security researchers. In simple terms, it can hook function calls made by an application and modify them at runtime. Using this, we can easily bypass security checks such as root detection and SSL pinning. It is also possible to recover encryption keys that may be used to encrypt data inside the application.

Installing Frida

Installing frida is quite easy and you will need the following:

  1. Rooted android phone
  2. Python 2 or 3 with Pip installed
  3. ADB tools (Minimal ADB Tools)
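The hooking mechanism described above, as an added example that is not from the original post: a small `attach()` that wraps a method, lets `onEnter` observe the arguments and `onLeave` rewrite the return value, applied to a constructed in-process "app" so it runs without a phone or Frida installed. The app object, its method names and the hypothetical `com.example.app.RootCheck` class in the comment are all assumptions; the Frida calls quoted in the comment (`Java.perform`, `Java.use`, `.implementation`) are Frida's real Java API and are shown for comparison only.

```javascript
// Added example (not from the post): the mechanism behind a Frida hook, on a
// constructed stand-in app. A real Frida script targeting Android would do:
//   Java.perform(() => {
//     const RootCheck = Java.use('com.example.app.RootCheck'); // assumed class
//     RootCheck.isRooted.implementation = function () { return false; };
//   });
// attach() below does the same job for plain JS methods.

// Constructed stand-in for an app with a root check, a cert-pinning check and
// a PIN check whose input we want to capture.
const app = {
  isRooted() { return true; },
  checkCertPin(hash) { return hash === 'sha256/ABC'; },
  verifyPin(pin) { return pin === '4242'; },
};

// Runtime hook: replaces target[name] with a wrapper around the original and
// returns a handle that can restore it (what detaching a Frida hook does).
function attach(target, name, { onEnter, onLeave } = {}) {
  const original = target[name];
  if (typeof original !== 'function') throw new Error(name + ' is not a function');
  target[name] = function (...args) {
    if (onEnter) onEnter(args);
    let retval = original.apply(this, args);
    if (onLeave) retval = onLeave(retval, args);
    return retval;
  };
  return { detach() { target[name] = original; } };
}

function demo() {
  const log = [];

  // 1. Root detection bypass: observe the real answer, then force false.
  const h1 = attach(app, 'isRooted', {
    onLeave(retval) { log.push('isRooted -> ' + retval + ', forcing false'); return false; },
  });
  // 2. Pinning bypass: accept any certificate hash.
  const h2 = attach(app, 'checkCertPin', { onLeave() { return true; } });
  // 3. Secret capture: log the PIN flowing in without changing the result.
  const h3 = attach(app, 'verifyPin', {
    onEnter(args) { log.push('verifyPin(' + args[0] + ')'); },
  });

  const result = {
    rooted: app.isRooted(),
    pinOk: app.checkCertPin('sha256/EVIL'),
    pinGuess: app.verifyPin('1234'),
    pinReal: app.verifyPin('4242'),
    captured: log.slice(),
  };

  h1.detach(); h2.detach(); h3.detach();
  result.rootedAfterDetach = app.isRooted();
  return result;
}
```

The same three patterns (force a boolean, accept any input, log arguments) cover most of what a first Frida session needs; on a device, Frida injects the script into the target process and `Java.use` resolves the class through the running VM instead of a local object.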


Overview

Stack-based buffer overflow exploits are likely the shiniest and most common form of exploit for remotely taking over the code execution of a process. These exploits were extremely common 20 years ago, but since then, a huge amount of effort has gone into mitigating stack-based overflow attacks by operating system developers, application developers, and hardware manufacturers, with changes even being made to the standard libraries developers use.

What is a buffer?

Arrays allocate storage space in what is called a buffer.

Syntax: type array[buffer_length];

Example:

char input[50];      // An array of up to 50 characters.
char c = input[49];  // 49 is the highest valid index.
c = input[250]…


“Every battle is won or lost before it’s ever fought.”

TL;DR useful resources at the end of the post.

The story begins in January 2018, when I got a cyber security internship. At that time I was still in college and had no idea about cyber security (I did try to hack Wi-Fi networks and crack Windows passwords when I was in school, just to be cool 😅, but failed miserably). So after working for around 3–4 months I found out how interesting and vast this field was and decided to pursue it as a full-time career.

Sometime during my internship…

Sourov Ghosh

I like computers and offensive security.
