Google Chrome 72 / 73 Array.map Corruption
Posted by deepcore on March 6, 2020 – 9:28 am
This Metasploit module exploits an issue in 64-bit Chrome versions prior to 73.0.3683.86, the build in which the bug was fixed (the title's "72 / 73" refers to the affected major versions). The exploit corrupts the length field of a float array, which gives out-of-bounds read and write access to the memory adjacent to it; that relative primitive is used to overwrite the backing-store pointer of a typed array, after which the typed array can read and write arbitrary process memory. The exploit then uses WebAssembly to allocate a region of RWX memory and overwrites the compiled code in that region with the payload before calling it. The payload executes inside the sandboxed renderer process, so the browser must be launched with the --no-sandbox option for the payload to work correctly; against a default Chrome installation this module alone does not provide a sandbox escape.