This is collaborative work of Ned Williamson and Niklas Baumstark
Repository contents (all from the initial commit, Feb 9, 2019): inject/, sandbox/, README.md, pwn.html, pwn.py, renderer-271eaf.patch, requirements.txt


Hack2Win 2018 -- Chrome sandbox

This is a sandbox escape exploit for Chrome 69.0.3497.92 on Windows 1803 (both up to date as of Sep 21st 2018).

Authors: Ned Williamson (bug & exploit), Niklas Baumstark (exploit & plugging everything together)

Bug report/writeup: https://bugs.chromium.org/p/chromium/issues/detail?id=888926

Building vulnerable Chrome & patching the renderer

Reproducing the full chain is hard because the Chrome and Windows versions have to match exactly what we targeted back in September 2018. The files for the renderer patch via DLL injection are included only for reference (in inject/).

Instead, you can build a vulnerable version of Chrome and apply custom renderer patches to reproduce the sandbox escape as a standalone exploit. In an existing Chromium source directory, run git checkout 271eaf && gclient sync, then rebuild. To apply the renderer patches required for the standalone sandbox escape, run patch -p1 < /path/to/renderer-271eaf.patch.

Running

pwn.py is the web server that serves the exploit. Run it on Linux (or WSL), start Chrome in guest mode, then browse to http://localhost:8000/.
