module

Google Chrome 67, 68 and 69 Object.create exploit

Try Surface Command
Back to search
Disclosed
2018-09-25
Created
2020-03-06

Description

This modules exploits a type confusion in Google Chromes JIT compiler.
The Object.create operation can be used to cause a type confusion between a
PropertyArray and a NameDictionary.
The payload is executed within the rwx region of the sandboxed renderer
process.
This module can target the renderer process (target 0), but Google
Chrome must be launched with the --no-sandbox flag for the payload to
execute successfully.
Alternatively, this module can use CVE-2019-1458 to escape the renderer
sandbox (target 1). This will only work on vulnerable versions of
Windows (e.g Windows 7) and the exploit can only be triggered once.
Additionally the exploit can cause the target machine to restart
when the session is terminated. A BSOD is also likely to occur when
the system is shut down or rebooted.

Authors

saelo
timwr
sf stephen_fewer@harmonysecurity.com

Platform

Linux,OSX,Windows,Windows

Architectures

x64

References

Module Options

To display the available options, load the module within the Metasploit console and run the commands ‘show options’ or ‘show advanced’:


    msf > use exploit/multi/browser/chrome_object_create
    msf exploit(chrome_object_create) > show targets
        ...targets...
    msf exploit(chrome_object_create) > set TARGET < target-id >
    msf exploit(chrome_object_create) > show options
        ...show and set options...
    msf exploit(chrome_object_create) > exploit
Title
NEW

Explore Exposure Command

Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.

Try it today