## https://sploitus.com/exploit?id=C9ED46A6-9146-5229-9315-A616E8508027
# SandBoxEscapeSim
**CVE-2025-2783: Educational Sandbox Escape Simulation for Chrome**
**Author:** Byte Reaper (@ByteReaper0)
## Overview
This project is a **research-oriented** and **educational simulation** designed to demonstrate the concept of a sandbox escape vulnerability within Google Chrome (version 134.0.6998.177). It leverages improper handle validation via the Mojo IPC system to illustrate how a malicious actor might attempt to break out of the browser’s sandbox and access restricted resources.
> **Note:** This is **not** a working exploit. All actions are simulated in a controlled environment for learning purposes only.
## Features
1. **Mojo IPC Pipe Simulation**
   Demonstrates the creation of a Mojo message pipe using Chrome’s IPC API.
2. **Fake Handle Injection**
   Shows how to append a user-supplied, spoofed handle into an IPC message.
3. **Sandbox Permission Check**
   Attempts to read various system paths to simulate a sandbox breakout.
4. **Readable Console Output**
   Provides step-by-step feedback on the simulation status.
## Prerequisites
* A **Windows** environment (32‑bit or 64‑bit).
* **GCC** or any compatible C compiler.
* **Mojo C** headers (Chromium IPC library).
* **Windows SDK** for WinAPI functions.
* **argparse.h** for command-line parsing.
## Compilation
```sh
gcc SandBoxEscapeSim.c argparse.c -o SandBoxEs -lmojo -lwindows
```
> Adjust library flags as needed for your system.
## Usage
```sh
./SandBoxEs -h <fake_handle>
```
**Example:**
```sh
./SandBoxEs -h 0xDEADBEEF
```
## Simulation Flow
1. **System Check**
   Validates the OS is Windows (32‑bit or 64‑bit).
2. **Retrieve Current User**
   Uses WinAPI to get the logged-in username.
3. **Mojo Message Creation**
   * Creates a message pipe.
   * Builds a message handle.
4. **Fake Handle Append**
   * Injects the spoofed handle using `MojoAppendMessageData()`.
   * Copies a sample payload (`"Hello Browser"`) into the buffer.
5. **Message Write**
   Sends the crafted message into the simulated browser pipe.
6. **Sandbox Escape Check**
   Attempts to open and read files in protected locations:
   * `C:\Windows\System32\config\SAM`
   * `C:\Windows\System32\config\SYSTEM`
   * User Documents, Desktop, Downloads, and more.
7. **Result Report**
   Outputs whether the simulated breakout succeeded.
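The check that step 4 relies on being absent, shown from the receiving side as an added example in plain C (not this project's code and not Mojo's real API): a hypothetical broker-side handle table that accepts only handles it issued and has not closed, so a spoofed value such as `0xDEADBEEF` is counted as invalid and the message can be dropped before any handle is acted on. `HandleTable`, `SimMessage` and the `0x100` starting value are constructed for the model.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
#define MAX_HANDLES 16
/* Hypothetical broker-side handle table: a handle is valid only if the broker
   issued it and it is still open. A model, not Mojo's real bookkeeping. */
typedef struct { uint32_t value[MAX_HANDLES]; bool in_use[MAX_HANDLES]; uint32_t next; } HandleTable;

void handle_table_init(HandleTable *t) {
    memset(t, 0, sizeof *t);
    t->next = 0x100;  /* constructed starting value; 0 is never a valid handle */
}

uint32_t handle_table_issue(HandleTable *t) {
    for (int i = 0; i < MAX_HANDLES; i++)
        if (!t->in_use[i]) { t->in_use[i] = true; return t->value[i] = t->next++; }
    return 0;  /* table full */
}

void handle_table_close(HandleTable *t, uint32_t h) {
    for (int i = 0; i < MAX_HANDLES; i++)
        if (t->in_use[i] && t->value[i] == h) t->in_use[i] = false;
}

bool handle_table_validate(const HandleTable *t, uint32_t h) {
    for (int i = 0; i < MAX_HANDLES; i++)
        if (t->in_use[i] && t->value[i] == h) return true;
    return false;  /* never issued, or already closed: reject */
}

/* Simulated IPC message: a payload plus the handles appended to it. */
typedef struct { char payload[32]; uint32_t handles[4]; size_t num_handles; } SimMessage;

/* Receiver-side check: how many attached handles the broker never issued.
   A correct receiver discards the whole message when this is non-zero. */
size_t count_unvalidated_handles(const HandleTable *t, const SimMessage *m) {
    size_t bad = 0;
    for (size_t i = 0; i < m->num_handles; i++)
        if (!handle_table_validate(t, m->handles[i])) bad++;
    return bad;
}

/* Craft a message carrying one genuine handle plus a caller-supplied fake value
   (as with -h 0xDEADBEEF) and return how many handles the receiver rejects. */
size_t simulate_fake_handle(uint32_t fake_handle) {
    HandleTable table;
    handle_table_init(&table);
    SimMessage msg = { "Hello Browser", { handle_table_issue(&table), fake_handle }, 2 };
    return count_unvalidated_handles(&table, &msg);
}
```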
## Options
* `-h`, `--handle`
  Specify a fake 32‑bit handle in hexadecimal (e.g., `0xDEADBEEF`).
## Output Interpretation
* **[+] Handle And Message Sent Successfully!**
  The fake handle was accepted by the simulated pipe.
* **[+] SandBox Escape Success!**
  The simulation was able to open a restricted file path, indicating an escape.
* **[-] Access Denied...**
  Indicates the simulation could not read protected files.
## Limitations & Disclaimer
* **Non-exploitative:** All file reads and handle injections are purely simulated.
* **Educational Use Only:** Do **not** run against real browsers or production environments.
* **Controlled Environment:** Always test in an isolated VM or lab setup.
## Warnings & Safety
> Running this code outside of a sandboxed VM may lead to undefined behavior.
> Unauthorized testing on production machines or networks is strictly forbidden.
## Dependencies
* `mojo/public/c/system/functions.h`
* `mojo/public/c/system/types.h`
* `mojo/public/c/system/message_pipe.h`
* `windows.h`, `lmcons.h`
* `argparse.h`
## License
This project is released under the **MIT License**.
## Contact
* **Author:** Byte Reaper
* **Telegram:** @ByteReaper0
*Happy Learning!*