
Add CVE-2019-5825, Chrome 73 1-day Array.map --no-sandbox exploit #12574

Merged
merged 8 commits into from Mar 5, 2020

Conversation

@timwr
Contributor

timwr commented Nov 13, 2019

Pretty similar to #12384
Chrome 73.0.3683.86 stable exploit for chromium issue 941743, tested on Windows 10 x64.
Start Chrome with the --no-sandbox argument.

Verification

List the steps needed to make sure this thing works

  • Start msfconsole
  • Run the exploit:
        use exploit/multi/browser/chrome_array_map
        set SRVHOST 192.168.56.1
        set URIPATH /
        set LHOST 192.168.56.1
        set DEBUG_EXPLOIT true
        set PAYLOAD windows/x64/exec
        set CMD calc.exe
        run
  • Launch Chrome against the server: C:\Users\User\AppData\Local\Google\Chrome\Application\chrome.exe --no-sandbox http://192.168.56.1:8080
  • Verify calc pops up

TODO

  • Docs
  • Escape sandbox?
  • More platforms?
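Because the module only works when Chrome is started with --no-sandbox, that precondition is itself something a defender can watch for. The following is an added example, not part of the pull request or the Metasploit module: a check over constructed Sysmon-style process-creation records (Image and CommandLine fields, sample values made up for this example) that flags chrome.exe browser processes launched with the sandbox disabled, while ignoring the child processes (--type=...) that inherit the flag so each launch alerts once.

```python
import re

# Constructed sample records in the shape of Sysmon Event ID 1 (process creation).
# These are illustrative values, not logs from a real system.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "CommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" https://example.com'},
    {"Image": r"C:\Users\User\AppData\Local\Google\Chrome\Application\chrome.exe",
     "CommandLine": r'"C:\Users\User\AppData\Local\Google\Chrome\Application\chrome.exe" --no-sandbox http://192.168.56.1:8080'},
    # Renderer child of the launch above: inherits --no-sandbox, should not alert twice.
    {"Image": r"C:\Users\User\AppData\Local\Google\Chrome\Application\chrome.exe",
     "CommandLine": r'"C:\Users\User\AppData\Local\Google\Chrome\Application\chrome.exe" --type=renderer --no-sandbox --field-trial-handle=1234'},
    # Not Chrome, and the switch is only a look-alike substring.
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe --no-sandbox-lookalike.txt"},
]

# Exact --no-sandbox switch delimited by whitespace or line ends, so
# "--no-sandbox-lookalike.txt" does not match.
NO_SANDBOX = re.compile(r"(?:^|\s)--no-sandbox(?=\s|$)", re.IGNORECASE)
# Chrome child processes carry a --type= switch; the browser process does not.
CHILD_PROCESS = re.compile(r"(?:^|\s)--type=", re.IGNORECASE)


def is_chrome(image: str) -> bool:
    """True if the executable name (last path component) is chrome.exe."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower() == "chrome.exe"


def find_unsandboxed_chrome(events):
    """Return command lines of top-level chrome.exe launches that disable the sandbox."""
    hits = []
    for ev in events:
        cmd = ev.get("CommandLine", "")
        if not is_chrome(ev.get("Image", "")):
            continue
        if CHILD_PROCESS.search(cmd):
            continue  # inherited flag on a renderer/gpu/utility child; parent already flagged
        if NO_SANDBOX.search(cmd):
            hits.append(cmd)
    return hits


if __name__ == "__main__":
    for cmd in find_unsandboxed_chrome(SAMPLE_EVENTS):
        print("ALERT: Chrome started without sandbox:", cmd)
```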
timwr and others added 3 commits Dec 13, 2019
Co-Authored-By: bcoles <bcoles@gmail.com>
@timwr timwr marked this pull request as ready for review Feb 14, 2020
@wvu-r7 wvu-r7 self-assigned this Feb 29, 2020
@timwr timwr removed the needs-docs label Feb 29, 2020
@wvu-r7 wvu-r7 merged commit 9840951 into rapid7:master Mar 5, 2020
3 checks passed
Metasploit Automation - Sanity Test Execution: Successfully completed all tests.
Metasploit Automation - Test Execution: Successfully completed all tests.
continuous-integration/travis-ci/pr: The Travis CI build passed
@wvu-r7

Member

wvu-r7 commented Mar 5, 2020

Release Notes

This adds an exploit for Google Chrome CVE-2019-5825, which allows a remote attacker to exploit heap corruption via a crafted HTML page.
