module
Google Chrome 72 and 73 Array.map exploit
| Disclosed | Created |
|---|---|
| 2019-03-07 | 2020-03-06 |
Disclosed
2019-03-07
Created
2020-03-06
Description
This module exploits an issue in Chrome 73.0.3683.86 (64 bit).
The exploit corrupts the length of a float in order to modify the backing store
of a typed array. The typed array can then be used to read and write arbitrary
memory. The exploit then uses WebAssembly in order to allocate a region of RWX
memory, which is then replaced with the payload.
The payload is executed within the sandboxed renderer process, so the browser
must be run with the --no-sandbox option for the payload to work correctly.
The exploit corrupts the length of a float in order to modify the backing store
of a typed array. The typed array can then be used to read and write arbitrary
memory. The exploit then uses WebAssembly in order to allocate a region of RWX
memory, which is then replaced with the payload.
The payload is executed within the sandboxed renderer process, so the browser
must be run with the --no-sandbox option for the payload to work correctly.
Authors
dmxcsnsbh
István Kurucsai
timwr
István Kurucsai
timwr
Platform
OSX,Windows
Architectures
x64
References
Module Options
To display the available options, load the module within the Metasploit console and run the commands ‘show options’ or ‘show advanced’:
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.