I found this bug a while ago . This bug requires initial access . Its great for post exploitation . Discord keeps a sqlite database called installer.db . The database has sha256 hashes of
every file that discord uses but it turns out that the integrity of some files are never checked allowing an attacker to modify some js files that discord uses . This attack needs certain amount of access .An attacker that has a shell or some sort of access will be able to modify the files . The attacker can modify the js files to download and execute a malware every time the user starts discord . Since discord runs on boot by default the user does not even have to start discord giving the attacker persistence . It can give an attacker persistence without using any common methods like modifying registry or messing with the startup folders . Access is required . This bug if exploited correctly will prove to be a very important tool for post exploitation
How to exploit the bug
- First find a file to modify . It should meet the following conditions . First it should be a core module and next it should not have integrity checks . The index.js file in desktop-core library is the best file . You can use this file C:\Users\username\AppData\Local\Discord\app-1.0.9002\modules\discord_desktop_core-3\discord_desktop_core\index.js
- Modify it to download a malware or give you a reverse shell or anything you want
Impact
Once you modify the file whenever discord runs it will download or execute a malware or do something that you want . Discord runs on boot so the malware will also run on boot giving the attacker persistent access making it perfect for post exploitation . The malware does not have to modify registry keys or mess with the startup folders . My exploit used a stock metasploit exe and it bypassed defender because it was running under the security permissions of discord . Here is a demo video
