This modules exploits a type confusion in Google Chromes JIT compiler.
The Object.create operation can be used to cause a type confusion between a
PropertyArray and a NameDictionary.
The payload is executed within the rwx region of the sandboxed renderer
This module can target the renderer process (target 0), but Google
Chrome must be launched with the --no-sandbox flag for the payload to
Alternatively, this module can use CVE-2019-1458 to escape the renderer
sandbox (target 1). This will only work on vulnerable versions of
Windows (e.g Windows 7) and the exploit can only be triggered once.
Additionally the exploit can cause the target machine to restart
when the session is terminated. A BSOD is also likely to occur when
the system is shut down or rebooted.
- sf <firstname.lastname@example.org>