Rapid7 Vulnerability & Exploit Database

Google Chrome 67, 68 and 69 Object.create exploit

Back to Search

Google Chrome 67, 68 and 69 Object.create exploit



This modules exploits a type confusion in Google Chromes JIT compiler. The Object.create operation can be used to cause a type confusion between a PropertyArray and a NameDictionary. The payload is executed within the rwx region of the sandboxed renderer process. This module can target the renderer process (target 0), but Google Chrome must be launched with the --no-sandbox flag for the payload to execute successfully. Alternatively, this module can use CVE-2019-1458 to escape the renderer sandbox (target 1). This will only work on vulnerable versions of Windows (e.g Windows 7) and the exploit can only be triggered once. Additionally the exploit can cause the target machine to restart when the session is terminated. A BSOD is also likely to occur when the system is shut down or rebooted.


  • saelo
  • timwr
  • sf <stephen_fewer@harmonysecurity.com>






Module Options

To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':

msf > use exploit/multi/browser/chrome_object_create
msf exploit(chrome_object_create) > show targets
msf exploit(chrome_object_create) > set TARGET < target-id >
msf exploit(chrome_object_create) > show options
    ...show and set options...
msf exploit(chrome_object_create) > exploit

Time is precious, so I don’t want to do something manually that I can automate. Leveraging the Metasploit Framework when automating any task keeps us from having to re-create the wheel as we can use the existing libraries and focus our efforts where it matters.

– Jim O’Gorman | President, Offensive Security