Share
## https://sploitus.com/exploit?id=537DBA07-1D64-5052-AFA2-3C28F22784BA
## Chrome-CVE-2024-2887-RCE-Poc κ°œμš”

- 취약점 λͺ…μΉ­: Google Chrome Type Confusion
- Target : 125.0.6422.113
- Heap AR/AW + V8 Sandbox Escape + Chrome Sandbox Escape X (--no-sandbox)

이것은 밴쿠버 2024μ—μ„œ Manfred Paul이 λ°œν‘œν•œ CVE-2024-2887의 λ³€μ’… λ²„κ·Έλ‘œ 간주될 수 μžˆμŠ΅λ‹ˆλ‹€.

by juntheworld
https://www.notion.so/CVE-2024-2887-A-Pwn2Own-Winning-Bug-in-Google-Chrome-2ffbd773e5118001bab1ee6425b40d5c

## μ°Έκ³ 

Poc와 ExpλŠ” μΈν„°λ„·μ—μ„œ μˆ˜μ§‘λ˜μ—ˆμœΌλ©°, ν•™μŠ΅ 및 ꡐλ₯˜ λͺ©μ μœΌλ‘œλ§Œ μ‚¬μš©ν•˜μ‹­μ‹œμ˜€. 가상 λ¨Έμ‹  λ‚΄μ—μ„œ ν…ŒμŠ€νŠΈν•˜μ‹œκΈ° λ°”λžλ‹ˆλ‹€.

Pwned by Seunghyun Lee (Xion, @0x10n), for TyphoonPWN 2024

좜처: [https://ssd-disclosure.com/ssd-advisory-google-chrome-rce/](https://ssd-disclosure.com/ssd-advisory-google-chrome-rce/)

## V8 및 Chrome λ‹€μš΄λ‘œλ“œ 방법

### V8 λΉŒλ“œ 및 μ‹€ν–‰

1. **depot_tools μ„€μΉ˜**
   ```bash
   git clone https://chromium.googlesource.com/chromium/tools/depot_tools.git
   export PATH=$PWD/depot_tools:$PATH
   ```

2. **V8 μ†ŒμŠ€ μ½”λ“œ κ°€μ Έμ˜€κΈ°**
   ```bash
   fetch v8
   cd v8

   # CVE-2024-2887이 μˆ˜μ •λ˜κΈ° μ „μ˜ νŠΉμ • μ»€λ°‹μœΌλ‘œ 이동 (예: 2024λ…„ 3μ›” μ€‘μˆœ)
    git checkout 28877c5520
    gclient sync
   ```

3. **λΉŒλ“œ μ„€μ • 및 컴파일**
   ```
    sudo apt-get update
    sudo apt-get install -y pkg-config libglib2.0-dev
   ```
   ```bash
    ./tools/dev/gm.py x64.debug
   ```

4. **d8 (poc.js) poc**
```bash
cp /v8/test/mjsunit/wasm/wasm-module-builder.js ./
./out/x64.debug/d8 ./wasm-module-builder.js ../../poc.js
```

### Chrome λ‹€μš΄λ‘œλ“œ 및 μ‹€ν–‰

Chrome은 μ†ŒμŠ€μ—μ„œ λΉŒλ“œν•˜κ±°λ‚˜, [Chromium Dash](https://chromiumdash.appspot.com/releases?platform=Linux)μ—μ„œ νŠΉμ • λ²„μ „μ˜ μŠ€λƒ…μƒ·μ„ λ‹€μš΄λ‘œλ“œν•  수 μžˆμŠ΅λ‹ˆλ‹€. => μ •ν™•νžˆ pocκ°€ νƒ€κ²Ÿν•˜λŠ” λ²„μ „μœΌλ‘œ 인터넷 λ’€μ Έμ•Ό 됨

chrome 125.0.6422.113 execution:
```bash
.\chrome.exe --no-sandbox
```

# POC success
https://youtu.be/tjAe38JDkRI