Google Chrome 80 JSCreate side-effect type confusion exploit

Disclosed: 2020-02-19
Created: 2020-03-04

Description

This module exploits an issue in Google Chrome 80.0.3987.87 (64-bit). The exploit
corrupts the length of a float array (float_rel), which can then be used for
out-of-bounds reads and writes on adjacent memory.
The relative read and write is then used to modify a UInt64Array (uint64_aarw),
which is used for reading from and writing to absolute memory addresses.
The exploit then uses WebAssembly to allocate a region of RWX memory,
which is then overwritten with the payload shellcode.
The payload is executed within the sandboxed renderer process, so the browser
must be run with the --no-sandbox option for the payload to work correctly.
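Because the payload only works when Chrome is launched with --no-sandbox, the cheapest defensive check is to look for browser processes running that way. The following is an added example and is not part of this module or of the Rapid7 page; it assumes Linux-style process command lines (as produced by `ps -eo args`), and the sample process list is constructed for the example rather than captured from a real host.

```python
import re
import shlex

# Constructed sample in the style of `ps -eo args` output (one process per line).
# Not captured from a real host.
SAMPLE_PROCESS_LIST = """\
/opt/google/chrome/chrome --no-sandbox --user-data-dir=/tmp/profile
/opt/google/chrome/chrome --type=renderer --lang=en-US
/usr/bin/firefox -P default
/opt/google/chrome/chrome --disable-gpu --no-sandbox
"""

# Matches the executable name of common Chrome/Chromium binaries on Linux,
# whether given as a bare name or as a full path (assumed set of names).
CHROME_BINARY = re.compile(
    r"(^|/)(chrome|chromium(-browser)?|google-chrome(-stable)?)$", re.IGNORECASE
)


def chrome_without_sandbox(process_list: str) -> list:
    """Return the command lines of Chrome processes started with --no-sandbox.

    The first token of each line is treated as the executable; a process is
    flagged only if that token names a Chrome binary AND a literal
    --no-sandbox argument appears among its arguments.
    """
    flagged = []
    for line in process_list.splitlines():
        argv = shlex.split(line)
        if not argv:
            continue
        if CHROME_BINARY.search(argv[0]) and "--no-sandbox" in argv[1:]:
            flagged.append(line)
    return flagged


def summarize(process_list: str) -> dict:
    """Count total Chrome processes versus those running without the sandbox."""
    chrome_total = sum(
        1
        for line in process_list.splitlines()
        if shlex.split(line) and CHROME_BINARY.search(shlex.split(line)[0])
    )
    unsandboxed = chrome_without_sandbox(process_list)
    return {"chrome_processes": chrome_total, "no_sandbox": len(unsandboxed)}


if __name__ == "__main__":
    for cmdline in chrome_without_sandbox(SAMPLE_PROCESS_LIST):
        print("unsandboxed Chrome:", cmdline)
    print(summarize(SAMPLE_PROCESS_LIST))
```

On a live Linux host, pipe the output of `ps -eo args` into `chrome_without_sandbox`; any hit means a renderer compromise of the kind this module demonstrates would not be contained by the Chrome sandbox, which is the condition the module description calls out.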

Authors

Clément Lecigne
István Kurucsai
Vignesh S Rao
timwr

Architectures

x64

Module Options

To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':

msf > use exploit/multi/browser/chrome_jscreate_sideeffect
msf exploit(chrome_jscreate_sideeffect) > show targets
...targets...
msf exploit(chrome_jscreate_sideeffect) > set TARGET < target-id >
msf exploit(chrome_jscreate_sideeffect) > show options
...show and set options...
msf exploit(chrome_jscreate_sideeffect) > exploit
