  • Google Chrome versions before 89.0.4389.128 V8 XOR Typer Out-Of-Bounds Access RCE
    Disclosure Date: 2021-04-13
    First seen: 2021-05-01
    exploit/multi/browser/chrome_cve_2021_21220_v8_insufficient_validation
    This module exploits an issue in the V8 engine on x86_64 builds of Google Chrome before 89.0.4389.128/90.0.4430.72 when handling XOR operations in JIT'd JavaScript code. Successful exploitation allows an attacker to execute arbitrary code within the context of the renderer process that hosts V8. As that process is sandboxed in the default configuration of Google Chrome, the browser must be run with the --no-sandbox option for the payload to work correctly. Authors: Bruno Keith (bkth_), Niklas Baumstark (_niklasb), Rajvardhan Agarwal (r4j0x00), Grant Willcox (tekwizz123)
  • Google Chrome versions before 87.0.4280.88 integer overflow during SimplifiedLowering phase
    Disclosure Date: 2020-11-19
    First seen: 2021-04-08
    exploit/multi/browser/chrome_simplifiedlowering_overflow
    This module exploits an issue in Google Chrome versions before 87.0.4280.88 (64 bit). The exploit makes use of an integer overflow in the SimplifiedLowering phase of TurboFan. It is used along with a type hardening bypass using ArrayPrototypeShift to create a JSArray with a length of -1. This is abused to gain arbitrary read/write into the isolate region. An ArrayBuffer is then used to achieve absolute arbitrary read/write. The exploit then uses WebAssembly in order to allocate a region of RWX memory, which is then replaced with the payload shellcode. The payload is executed within the sandboxed renderer process, so the browser must be run with the --no-sandbox option for the payload to work correctly. Authors: Rajvardhan Agarwal (r4j)
  • Google Chrome 80 JSCreate side-effect type confusion exploit
    Disclosure Date: 2020-02-19
    First seen: 2020-04-26
    exploit/multi/browser/chrome_jscreate_sideeffect
    This module exploits an issue in Google Chrome 80.0.3987.87 (64 bit). The exploit corrupts the length of a float array (float_rel), which can then be used for out-of-bounds read and write on adjacent memory. The relative read and write is then used to modify a UInt64Array (uint64_aarw) which is used for reading and writing absolute memory. The exploit then uses WebAssembly in order to allocate a region of RWX memory, which is then replaced with the payload shellcode. The payload is executed within the sandboxed renderer process, so the browser must be run with the --no-sandbox option for the payload to work correctly.
  • Chrome 72.0.3626.119 FileReader UaF exploit for Windows 7 x86
    Disclosure Date: 2019-03-21
    First seen: 2020-04-26
    exploit/windows/browser/chrome_filereader_uaf
    This exploit takes advantage of a use-after-free vulnerability in Google Chrome 72.0.3626.119 running on Windows 7 x86. The FileReader.readAsArrayBuffer function can return multiple references to the same ArrayBuffer object, which can be freed and overwritten with sprayed objects. The dangling ArrayBuffer reference can be used to access the sprayed objects, allowing arbitrary memory access from JavaScript. This is used to write and execute shellcode in a WebAssembly object. The shellcode is executed within the Chrome sandbox, so you must explicitly disable the sandbox (--no-sandbox) for the payload to be successful.
  • Google Chrome 72 and 73 Array.map exploit
    Disclosure Date: 2019-03-07
    First seen: 2020-04-26
    exploit/multi/browser/chrome_array_map
    This module exploits an issue in Chrome 73.0.3683.86 (64 bit). The exploit corrupts the length of a float array in order to modify the backing store of a typed array. The typed array can then be used to read and write arbitrary memory. The exploit then uses WebAssembly in order to allocate a region of RWX memory, which is then replaced with the payload. The payload is executed within the sandboxed renderer process, so the browser must be run with the --no-sandbox option for the payload to work correctly.
  • Google Chrome 67, 68 and 69 Object.create exploit
    Disclosure Date: 2018-09-25
    First seen: 2020-04-26
    exploit/multi/browser/chrome_object_create
    This module exploits a type confusion in Google Chrome's JIT compiler. The Object.create operation can be used to cause a type confusion between a PropertyArray and a NameDictionary. The payload is executed within the RWX region of the sandboxed renderer process. This module can target the renderer process (target 0), but Google Chrome must be launched with the --no-sandbox flag for the payload to execute successfully. Alternatively, this module can use CVE-2019-1458 to escape the renderer sandbox (target 1). This will only work on vulnerable versions of Windows (e.g. Windows 7) and the exploit can only be triggered once. Additionally, the exploit can cause the target machine to restart when the session is terminated. A BSOD is also likely to occur when the system is shut down or rebooted. Authors: saelo, timwr, sf <stephen_fewer@harmonysecurity.com>
6 metasploit modules found
Please note: Metasploit modules are only matched by CVE numbers. Visit metasploit web site for more details
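Every V8 module listed above ends the same way: an arbitrary read/write primitive built from a float array and a 64-bit typed array, then a WebAssembly instance whose compiled code lives in an RWX page that gets overwritten with shellcode. The block below is an added example, not code from CVEdetails.com or from the Metasploit modules, showing only those two generic, bug-free building blocks as they run on any current Node.js: double-to-integer bit punning (the usual ftoi/itof helpers) and instantiation of a minimal wasm module with one exported function. The wasm bytes are constructed inline; nothing here triggers a vulnerability or locates the code page.

```javascript
// Added example (not part of the CVEdetails page or the Metasploit modules).
// Shows the two building blocks the V8 module descriptions above share:
//  1. reinterpreting doubles as 64-bit integers, which the modules do with a
//     float array and a 64-bit typed array over the same ArrayBuffer, and
//  2. instantiating a WebAssembly module, whose compiled function in V8
//     builds of that era sat in an RWX region the modules then overwrote.
// Runs unmodified on a patched Node.js; it performs no exploitation.
"use strict";

const punBuf = new ArrayBuffer(8);
const f64 = new Float64Array(punBuf);   // view as one IEEE-754 double
const u64 = new BigUint64Array(punBuf); // view as one unsigned 64-bit integer

// Double -> 64-bit integer with the same bit pattern ("ftoi").
function ftoi(d) {
  f64[0] = d;
  return u64[0];
}

// 64-bit integer -> double with the same bit pattern ("itof").
// BigInt.asUintN keeps arbitrary BigInt input inside the 64-bit view.
function itof(i) {
  u64[0] = BigInt.asUintN(64, i);
  return f64[0];
}

// V8 tags heap pointers by setting the least significant bit; small
// integers (Smis) have it clear. Exploit chains test this when deciding
// whether a leaked 64-bit word is a pointer worth following.
function isTaggedPointer(word) {
  return (word & 1n) === 1n;
}

// Minimal wasm binary (constructed here, not taken from any module):
// one function of type () -> i32 that returns 42, exported as "main".
const WASM_BYTES = new Uint8Array([
  0x00, 0x61, 0x73, 0x6d,                         // magic "\0asm"
  0x01, 0x00, 0x00, 0x00,                         // version 1
  0x01, 0x05, 0x01, 0x60, 0x00, 0x01, 0x7f,       // type section: () -> i32
  0x03, 0x02, 0x01, 0x00,                         // function section: func 0 uses type 0
  0x07, 0x08, 0x01, 0x04, 0x6d, 0x61, 0x69, 0x6e, // export section: "main"
  0x00, 0x00,                                     //   kind func, index 0
  0x0a, 0x06, 0x01, 0x04, 0x00, 0x41, 0x2a, 0x0b, // code section: i32.const 42; end
]);

// Synchronous instantiation, exactly as the exploit chains do it. Returns
// the exported function; the modules instead leak the address of its
// compiled body from the instance object and write shellcode over it.
function instantiateWasm() {
  const mod = new WebAssembly.Module(WASM_BYTES);
  const inst = new WebAssembly.Instance(mod, {});
  return inst.exports.main;
}

// Round trip check used by the helpers: a bit pattern survives itof/ftoi.
function roundTrips(word) {
  return ftoi(itof(word)) === BigInt.asUintN(64, word);
}

// Stand-alone demonstration.
console.log(ftoi(1.0).toString(16));      // 3ff0000000000000
console.log(itof(0x4000000000000000n));   // 2
console.log(instantiateWasm()());         // 42
```

Two caveats for anyone reading the module descriptions against a current Chrome: later V8 releases write-protect WebAssembly code memory, so an instantiated module no longer hands out a writable-and-executable page, and none of this matters unless the renderer sandbox is off. The practical check is therefore the one the descriptions repeat: confirm whether the target Chrome (or an embedding such as a kiosk or automation harness) is launched with --no-sandbox before assuming a renderer-only payload will run.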