
CVE-2020-15999: Google Chrome Heap Buffer Overflow

Information

Description: Heap buffer overflow in FreeType in Google Chrome prior to 86.0.4240.111 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

This is a brief intro on how to use this PoC and reproduce the RCE :)

  1. Ideally this PoC should run in a new browser tab, as it relies on the hope that not many large heap allocations have been made beforehand. Then again, since the majority of the pwning happens in the isolated heap of the "Database Thread" used by WebSQL, maybe that won't be much of an issue.

  2. As this is a PoC, I have hardcoded several offsets specific to the Chrome binary I am testing on. In an actual exploit, I would imagine the attacker would add some additional logic to detect the Chrome binary version and apply the offsets accordingly. I have also, unfortunately, hardcoded libc offsets specific to the libc on my Ubuntu system, so sorry about that.

  3. The Python server serv.py and the module it loads, genttf.py, form the web server used to host the exploit. The reason for this design rather than a normal web server is that my exploit script in pwn.js actually provides feedback to the Python server with the leaked info, and the Python server then crafts a TTF file specifically for that leaked info.

  4. Feel free to replace the base64-encoded shellcode in the pwn.js file, but bear in mind that, as this is a renderer exploit, you'll need an additional sandbox escape bug (such as one in Mojo bindings, which this exploit can enable) in order to gain system control; or you can just run Chrome with --no-sandbox ;)
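The only version boundary the description above gives is "prior to 86.0.4240.111". From a defender's side the first practical question is which clients in your logs were still on an affected build when this was patched. The following is an added example, not code from the STAR Labs repository: it compares four-part Chrome version numbers numerically (string comparison gets `86.0.4240.75` vs `86.0.4240.111` wrong) and runs that check over a few constructed access-log lines. The log lines, hosts and user agents are made up for the example; note that the User-Agent is client-controlled and other Chromium-based browsers also send a `Chrome/` token, so treat the result as an inventory aid rather than proof.

```python
import re
from typing import List, Optional, Tuple

# Fix boundary quoted from the advisory text: builds prior to this are affected.
FIXED_VERSION = "86.0.4240.111"

# Matches the Chrome/<version> product token in a Chromium-family desktop UA string.
_CHROME_TOKEN = re.compile(r"\bChrome/(\d+(?:\.\d+){0,3})")

# Constructed sample access-log lines (hypothetical hosts and UAs, not real traffic).
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - [20/Oct/2020:10:01:02 +0000] "GET /fonts/page.html HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) '
    'Chrome/86.0.4240.75 Safari/537.36"',
    '10.0.0.6 - - [20/Oct/2020:10:01:05 +0000] "GET /fonts/page.html HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) '
    'Chrome/86.0.4240.111 Safari/537.36"',
    '10.0.0.7 - - [20/Oct/2020:10:01:09 +0000] "GET /fonts/page.html HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (X11; Linux x86_64; rv:82.0) Gecko/20100101 Firefox/82.0"',
    '10.0.0.8 - - [20/Oct/2020:10:01:11 +0000] "GET /fonts/page.html HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) '
    'Chrome/85.0.4183.121 Safari/537.36"',
]


def parse_version(version: str) -> Tuple[int, ...]:
    """'86.0.4240.75' -> (86, 0, 4240, 75); shorter strings are zero-padded to four parts.

    Tuples of ints compare component-wise, which is what a version compare needs.
    """
    parts = tuple(int(p) for p in version.split("."))
    return parts + (0,) * (4 - len(parts))


def is_affected(version: str) -> bool:
    """True when the build is strictly older than the fixed version."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def chrome_version(user_agent: str) -> Optional[str]:
    """Extract the Chrome/<version> token, or None for non-Chromium user agents."""
    m = _CHROME_TOKEN.search(user_agent)
    return m.group(1) if m else None


def triage(lines: List[str]) -> List[Tuple[str, Optional[str], Optional[bool]]]:
    """Per log line: (client_ip, chrome_version, affected); both None when not Chrome."""
    results = []
    for line in lines:
        client_ip = line.split(" ", 1)[0]
        version = chrome_version(line)
        results.append((client_ip, version, is_affected(version) if version else None))
    return results


if __name__ == "__main__":
    for client_ip, version, affected in triage(SAMPLE_LOG_LINES):
        print(f"{client_ip:<10} chrome={version or '-':<14} affected={affected}")
```

Running the block prints one row per constructed line; the two Linux/macOS clients on 86.0.4240.75 and 85.0.4183.121 are flagged, the 86.0.4240.111 client and the Firefox client are not.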
