Google Chrome 80 JSCreate Side-Effect Type Confusion
https://packetstormsecurity.com/files/156632/chrome_jscreate_sideeffect.rb.txt
https://packetstormsecurity.com/files/156632/Google-Chrome-80-JSCreate-Side-Effect-Type-Confusion.html
Thu, 05 Mar 2020 14:45:47 GMT

This Metasploit module exploits an issue in Google Chrome version 80.0.3987.87 (64-bit). The exploit corrupts the length of a float array (float_rel), which can then be used for out-of-bounds read and write on adjacent memory. That relative read and write is then used to modify a UInt64Array (uint64_aarw), which provides read and write at absolute addresses. The exploit then uses WebAssembly to allocate a region of RWX memory, which is overwritten with the payload shellcode. The payload executes within the sandboxed renderer process, so the browser must be run with the --no-sandbox option for the payload to work correctly.
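The following is an added example, not code from the Metasploit module or from Packet Storm. It shows two portable building blocks that an exploit chain of the shape described above depends on and that can be run in plain Node.js without any vulnerability: the float/64-bit-integer reinterpretation used to turn doubles read out of a corrupted float array into pointers and back, and a minimal WebAssembly module whose compiled code is what such exploits overwrite with shellcode. The function names (ftoi, itof, lo32, hi32, buildWasmInstance, callWasmMain) are this example's own, the module bytes are constructed here, and a little-endian host (x86-64 V8) is assumed. Locating the RWX page and overwriting it requires the arbitrary-write primitive the module obtains from the bug; this example stops at instantiating and calling the wasm function normally.

```javascript
// Added example: building blocks of a float-array / typed-array exploit chain.
// Not the Metasploit module's code; it contains no vulnerability trigger.
// Assumes a little-endian host (x86-64 V8), as the original exploit does.

// One 8-byte buffer viewed both as a double and as a 64-bit unsigned integer.
// Exploits use this to interpret raw doubles read out of a float array as
// pointers/values, and to build doubles that write chosen 64-bit values.
const convBuf = new ArrayBuffer(8);
const convF64 = new Float64Array(convBuf);
const convU64 = new BigUint64Array(convBuf);

function ftoi(f) { convF64[0] = f; return convU64[0]; }
function itof(i) { convU64[0] = BigInt.asUintN(64, i); return convF64[0]; }

// Split a 64-bit value into its two 32-bit halves as laid out in memory
// (low dword first on little-endian). A corrupted float array exposes
// adjacent objects in 8-byte slots, so individual 32-bit fields are
// read and patched this way.
function lo32(i) { return Number(i & 0xffffffffn); }
function hi32(i) { return Number((i >> 32n) & 0xffffffffn); }

// Minimal WebAssembly module: one exported function `main` returning i32 42.
// Constructed by hand so the example has no external dependency.
// Chrome exploits instantiate a module like this because V8 compiles wasm
// into executable memory; the description above says the exploit replaces
// that RWX region with shellcode and then calls into it. Here the instance
// is only created and called normally.
const WASM_BYTES = new Uint8Array([
  0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00,             // magic + version
  0x01, 0x05, 0x01, 0x60, 0x00, 0x01, 0x7f,                   // type section: () -> i32
  0x03, 0x02, 0x01, 0x00,                                     // function section: type 0
  0x07, 0x08, 0x01, 0x04, 0x6d, 0x61, 0x69, 0x6e, 0x00, 0x00, // export section: "main"
  0x0a, 0x06, 0x01, 0x04, 0x00, 0x41, 0x2a, 0x0b,             // code section: i32.const 42; end
]);

function buildWasmInstance() {
  const mod = new WebAssembly.Module(WASM_BYTES);   // synchronous compile
  return new WebAssembly.Instance(mod, {});          // no imports needed
}

function callWasmMain() {
  return buildWasmInstance().exports.main();
}

// Stand-alone demo when run directly with `node`.
if (typeof require !== 'undefined' && require.main === module) {
  console.log('ftoi(1.0) = 0x' + ftoi(1.0).toString(16));
  console.log('lo32/hi32 of 0x4142434445464748 = 0x' +
    lo32(0x4142434445464748n).toString(16) + ' / 0x' +
    hi32(0x4142434445464748n).toString(16));
  console.log('wasm main() = ' + callWasmMain());
}
```

The conversion helpers are why exploits of this kind stage through a float array first: a double read out of bounds is just 8 bytes of adjacent heap, and ftoi recovers the integer (or pointer) those bytes encode. Values whose bit pattern is a NaN may be canonicalized by the engine when stored as a double, which is one reason the absolute read/write step is done through a typed array rather than through the float array itself.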