## https://sploitus.com/exploit?id=B8597AF3-5382-5D92-B7C2-B9350D29B3DD
# Chromium CVE-2025-2783: Sandbox Escape & Full-Chain RCE Exploit
This repository contains a full-chain exploit implementation for **CVE-2025-2783**. The vulnerability resides in Chromium's **Ipcz** communication layer, allowing an attacker to achieve sandbox escape and arbitrary code execution from a restricted renderer process. This exploit supports versions up to **134.0.6998.177**.
https://github.com/user-attachments/assets/a3e2bf34-739c-4db7-9101-0f4d48987ad0
## 1. Project Structure
* **`src/`**: Core exploit implementation. It includes the Ipcz hijacking logic, V8 hooks, and the thread hijacking execution flow for CVE-2025-2783.
* **`demo/`**: Full-chain demonstration environment. It triggers a V8 Type Confusion vulnerability via an HTML file and loads the binary payload compiled from `src/`, completing the entire chain from renderer process to Shellcode execution.
## 2. Vulnerability Background (CVE-2025-2783)
* **Component**: `third_party/ipcz` (Chromium's Ipcz transport protocol implementation)
* **Root Cause**: Ipcz lacks rigorous source and permission validation for cross-process handles when processing `RelayMessage`.
* **Impact**: A compromised renderer process can induce the browser process (Broker) to relay high-privileged thread handles, effectively bypassing sandbox restrictions.
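For defenders, the practical question raised by this section and by the version range stated in the introduction is which installed browsers still fall in it. The following is an added triage helper, not code from this repository: it parses Chromium-style dotted version strings, treats anything at or below 134.0.6998.177 (the last version the README lists as supported by the exploit) as needing an update, and runs that check over a constructed inventory. The inventory format (`host, platform, version`) and all hostnames and version values in it are assumptions made up for the example; the platform column only affects the note attached to a finding, since the README states the chain applies to Windows.

```python
"""Version-based triage for CVE-2025-2783 (added example, not part of the exploit repository)."""
from dataclasses import dataclass

# Last version the README lists as supported by the exploit. Anything numerically
# at or below this, component by component, is treated as needing an update.
LAST_AFFECTED = (134, 0, 6998, 177)


def parse_version(text):
    """Turn '134.0.6998.177' into (134, 0, 6998, 177); short strings are padded with zeros."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a Chromium version string: {text!r}")
    nums = tuple(int(p) for p in parts)
    if len(nums) < 4:
        nums = nums + (0,) * (4 - len(nums))
    return nums


def is_affected(version):
    """True when the version is at or below the README's last supported version."""
    return parse_version(version) <= LAST_AFFECTED


@dataclass
class Finding:
    host: str
    platform: str
    version: str
    affected: bool
    note: str


def triage(inventory_lines):
    """Classify each 'host, platform, version' line; unparseable versions are flagged for review."""
    findings = []
    for line in inventory_lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, platform, version = (field.strip() for field in line.split(","))
        try:
            affected = is_affected(version)
        except ValueError as err:
            # Fail closed: an unknown version is reported as needing attention.
            findings.append(Finding(host, platform, version, True,
                                    f"unparseable version, review manually: {err}"))
            continue
        if not affected:
            note = "newer than the last version the README lists as affected"
        elif platform.lower() == "windows":
            note = "update required; README states the exploit chain applies to Windows"
        else:
            note = "update required; version in range, though not the README's demo platform"
        findings.append(Finding(host, platform, version, affected, note))
    return findings


# Constructed sample inventory (hostnames and versions are made up for this example).
SAMPLE_INVENTORY = """
# host, platform, chrome_version
ws-01, Windows, 128.0.6613.120
ws-02, Windows, 134.0.6998.177
ws-03, Windows, 134.0.6998.178
ws-04, Windows, 135.0.7049.84
srv-05, Linux, 134.0.6998.177
ws-06, Windows, unknown
""".splitlines()


if __name__ == "__main__":
    for finding in triage(SAMPLE_INVENTORY):
        flag = "AFFECTED" if finding.affected else "ok      "
        print(f"{flag} {finding.host:8} {finding.platform:8} {finding.version:16} {finding.note}")
```

Feeding it a real inventory export is a matter of replacing `SAMPLE_INVENTORY` with the lines of that file; the comparison is tuple-based, so a bare major version such as `134` is padded to `134.0.0.0` and correctly lands inside the affected range rather than being compared as a string.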
## 3. Exploit Chain
1. **Signal Interception**: Intercepts signals from JavaScript in the `demo/` environment by hooking `V8Console::Debug`, securely extracting the second-stage Shellcode from an `ArrayBuffer`.
2. **Vulnerability Trigger**: Hooks `OnAcceptRelayedMessage` and constructs a spoofed relay request (Message ID: `0x69`) to obtain a high-privileged handle via CVE-2025-2783.
3. **Thread Hijacking**:
- Suspends the target high-privileged thread.
- Forcibly modifies the register state using `SetThreadContext`.
- Sequentially calls `VirtualAlloc`, `ReadProcessMemory`, and `CreateThread` within the target context to execute the Shellcode.
## 4. Build & Demonstration
### Core Library Construction (`src/`)
Since the code deeply depends on Chromium's internal `ipcz` and `mojo` libraries, it is highly recommended to integrate the `src/` directory into the Chromium source tree and build it using **GN** and **Ninja** to ensure all internal dependencies are correctly linked.
### Full-Chain Demo (`demo/`)
1. **Compatibility**: Currently tested only on **Chrome v128**; due to the nature of the exploit, it is only applicable to **Windows** systems.
2. **Preparation**: Ensure the binary artifacts from `src/` are ready (pre-compiled `payload.bin` and `shellcode.bin` are already provided in the `demo/` directory).
3. **Execution**: Run `python -m http.server` in the `demo/` directory, then navigate to `http://127.0.0.1:8000/exp.html` in the browser.
4. **Result**: The demonstration script will automatically load the binary payload and execute the predefined Shellcode on the system.
## 5. References
* [Chromium Issue 405143032](https://issues.chromium.org/issues/405143032)
* [Chromium Issue 381696874](https://issues.chromium.org/issues/381696874)
* [MinHook](https://github.com/tsudakageyu/minhook)
## 6. Disclaimer
This repository is for academic and security research purposes only. The author is not responsible for any losses or legal liabilities caused by the use of this code. Please conduct tests only in authorized environments.