exploit the possibilities

Register | Login

FilesNewsUsersAuthors

Home Files News &[SERVICES_TAB]About Contact Add New

Showing 1 - 4 of 4

Files from Istvan Kurucsai

Google Chrome 72 / 73 Array.map Corruption

Posted Mar 5, 2020

Authored by timwr, Istvan Kurucsai, dmxcsnsbh | Site metasploit.com

This Metasploit module exploits an issue in Chrome version 73.0.3683.86 (64 bit). The exploit corrupts the length of a float in order to modify the backing store of a typed array. The typed array can then be used to read and write arbitrary memory. The exploit then uses WebAssembly in order to allocate a region of RWX memory, which is then replaced with the payload. The payload is executed within the sandboxed renderer process, so the browser must be run with the --no-sandbox option for the payload to work correctly.

tags | exploit, arbitrary

advisories | CVE-2019-5825

SHA-256 | 52e7894b7c0f12d602e2b66b2ab86b9e0c4591cd171e7e1ab5ee86c354cbe687

Download | Favorite | View

Google Chrome 80 JSCreate Side-Effect Type Confusion

Posted Mar 5, 2020

Authored by Clement LECIGNE, timwr, Istvan Kurucsai, Vignesh S Rao | Site metasploit.com

This Metasploit module exploits an issue in Google Chrome version 80.0.3987.87 (64 bit). The exploit corrupts the length of a float array (float_rel), which can then be used for out of bounds read and write on adjacent memory. The relative read and write is then used to modify a UInt64Array (uint64_aarw) which is used for read and writing from absolute memory. The exploit then uses WebAssembly in order to allocate a region of RWX memory, which is then replaced with the payload shellcode. The payload is executed within the sandboxed renderer process, so the browser must be run with the --no-sandbox option for the payload to work correctly.

tags | exploit, shellcode

advisories | CVE-2020-6418

SHA-256 | a5ee5e57a9ca7e2030588e33fb91d4f11725ab4661382274202790f8a15b4fc7

Download | Favorite | View

Chrome 72.0.3626.119 FileReader Use-After-Free

Posted May 8, 2019

Authored by Clement LECIGNE, timwr, Istvan Kurucsai | Site metasploit.com

This exploit takes advantage of a use after free vulnerability in Google Chrome 72.0.3626.119 running on Windows 7 x86. The FileReader.readAsArrayBuffer function can return multiple references to the same ArrayBuffer object, which can be freed and overwritten with sprayed objects. The dangling ArrayBuffer reference can be used to access the sprayed objects, allowing arbitrary memory access from Javascript. This is used to write and execute shellcode in a WebAssembly object. The shellcode is executed within the Chrome sandbox, so you must explicitly disable the sandbox for the payload to be successful.

tags | exploit, arbitrary, x86, javascript, shellcode

systems | windows

advisories | CVE-2019-5786

SHA-256 | 60039dc761905e4a2ed93286404ec19777dfd73ef434ef8a80431ab28e2ebbc1

Download | Favorite | View

Chrome 73.0.3683.86 Stable Proof Of Concept

Posted Apr 4, 2019

Authored by Istvan Kurucsai

Chrome version 73.0.3683.86 stable exploit for chromium issue 941743, tested on Windows 10 x64, which leverages a flaw in the V8 javascript engine.

tags | exploit, javascript

systems | windows

SHA-256 | ed2806699f2887002b690cf52cf4d2bf2e737c931f2b6c9116bddc399099bed4

Download | Favorite | View