Share
## https://sploitus.com/exploit?id=537DBA07-1D64-5052-AFA2-3C28F22784BA
## Chrome-CVE-2024-2887-RCE-Poc κ°μ
- μ·¨μ½μ λͺ
μΉ: Google Chrome Type Confusion
- Target : 125.0.6422.113
- Heap AR/AW + V8 Sandbox Escape + Chrome Sandbox Escape X (--no-sandbox)
μ΄κ²μ λ°΄μΏ λ² 2024μμ Manfred Paulμ΄ λ°νν CVE-2024-2887μ λ³μ’
λ²κ·Έλ‘ κ°μ£Όλ μ μμ΅λλ€.
by juntheworld
https://www.notion.so/CVE-2024-2887-A-Pwn2Own-Winning-Bug-in-Google-Chrome-2ffbd773e5118001bab1ee6425b40d5c
## μ°Έκ³
Pocμ Expλ μΈν°λ·μμ μμ§λμμΌλ©°, νμ΅ λ° κ΅λ₯ λͺ©μ μΌλ‘λ§ μ¬μ©νμμμ€. κ°μ λ¨Έμ λ΄μμ ν
μ€νΈνμκΈ° λ°λλλ€.
Pwned by Seunghyun Lee (Xion, @0x10n), for TyphoonPWN 2024
μΆμ²: [https://ssd-disclosure.com/ssd-advisory-google-chrome-rce/](https://ssd-disclosure.com/ssd-advisory-google-chrome-rce/)
## V8 λ° Chrome λ€μ΄λ‘λ λ°©λ²
### V8 λΉλ λ° μ€ν
1. **depot_tools μ€μΉ**
```bash
git clone https://chromium.googlesource.com/chromium/tools/depot_tools.git
export PATH=$PWD/depot_tools:$PATH
```
2. **V8 μμ€ μ½λ κ°μ Έμ€κΈ°**
```bash
fetch v8
cd v8
# CVE-2024-2887μ΄ μμ λκΈ° μ μ νΉμ 컀λ°μΌλ‘ μ΄λ (μ: 2024λ
3μ μ€μ)
git checkout 28877c5520
gclient sync
```
3. **λΉλ μ€μ λ° μ»΄νμΌ**
```
sudo apt-get update
sudo apt-get install -y pkg-config libglib2.0-dev
```
```bash
./tools/dev/gm.py x64.debug
```
4. **d8 (poc.js) poc**
```bash
cp /v8/test/mjsunit/wasm/wasm-module-builder.js ./
./out/x64.debug/d8 ./wasm-module-builder.js ../../poc.js
```
### Chrome λ€μ΄λ‘λ λ° μ€ν
Chromeμ μμ€μμ λΉλνκ±°λ, [Chromium Dash](https://chromiumdash.appspot.com/releases?platform=Linux)μμ νΉμ λ²μ μ μ€λ
μ·μ λ€μ΄λ‘λν μ μμ΅λλ€. => μ νν pocκ° νκ²νλ λ²μ μΌλ‘ μΈν°λ· λ€μ ΈμΌ λ¨
chrome 125.0.6422.113 execution:
```bash
.\chrome.exe --no-sandbox
```
# POC success
https://youtu.be/tjAe38JDkRI