This Metasploit modules exploits a type confusion in Google Chrome's JIT compiler. The Object.create operation can be used to cause a type confusion between a PropertyArray and a NameDictionary. The payload is executed within the rwx region of the sandboxed renderer process, so the browser must be run with the --no-sandbox option for the payload to work.
5a38c9abffbaf08c049cb1b58519cd4edf1737251883302e32656d4b4f6eadc6