Google Chrome 80 JSCreate Side-Effect Type Confusion

Posted by deepcore on March 6, 2020 – 9:28 am

This Metasploit module exploits an issue in Google Chrome version 80.0.3987.87 (64 bit). The exploit corrupts the length of a float array (float_rel), which can then be used for out of bounds read and write on adjacent memory. The relative read and write is then used to modify a UInt64Array (uint64_aarw) which is used for read and writing from absolute memory. The exploit then uses WebAssembly in order to allocate a region of RWX memory, which is then replaced with the payload shellcode. The payload is executed within the sandboxed renderer process, so the browser must be run with the –no-sandbox option for the payload to work correctly.

This post is under “exploit” and has no respond so far.
If you enjoy this article, make sure you subscribe to my RSS Feed.

Post a reply

You must be logged in to post a comment.

« OpenSMTPD Out-Of-Bounds Read / Local Privilege Escalation http://maeyanghor.go.th/meh.php »

:: Deepquest ::

This site contains information which could be considered illegal in some countries. It is provided here for educational use only and is not intended to be used for illegal activities.

Google Chrome 80 JSCreate Side-Effect Type Confusion

Post a reply

Tabs Switcher

Categories

Archives

Meta

BLOGROLL