This module exploits an incorrect side-effect modeling of the 'in' operator.
The DFG compiler assumes that the 'in' operator is side-effect free, however
the element with the PDF plugin provides a callback that can trigger
side-effects leading to type confusion (CVE-2020-9850).
The type confusion can be used as addrof and fakeobj primitives that then
lead to arbitrary read/write of memory. These primitives allow us to write
shellcode into a JIT region (RWX memory) containing the next stage of the
exploit.
The next stage uses CVE-2020-9856 to exploit a heap overflow in CVM Server,
and extracts a macOS application containing our payload into /var/db/CVMS.
The payload can then be opened with CVE-2020-9801, executing the payload
as a user but without sandbox restrictions.
msf > use exploit/osx/browser/safari_in_operator_side_effect
msf exploit(safari_in_operator_side_effect) > show targets
...targets...
msf exploit(safari_in_operator_side_effect) > set TARGET < target-id >
msf exploit(safari_in_operator_side_effect) > show options
...show and set options...
msf exploit(safari_in_operator_side_effect) > exploit