Hack2Win 2018 -- Chrome sandbox
This is a sandbox escape exploit for Chrome 69.0.3497.92 / Windows 1803 (up to date on Sep 21st 2018)
Authors: Ned Williamson (bug & exploit), Niklas Baumstark (exploit & plugging everything together)
Bug report/writeup: https://bugs.chromium.org/p/chromium/issues/detail?id=888926
Building vulnerable Chrome & patching the renderer
It would be hard to reproduce the full-chain exploit because Chrome & Windows version have
to match what we targetted back in September 2018. The files for the renderer patch
via DLL injection are just here for reference
(in inject/).
Instead you can build a vulnerable version of Chrome and apply custom renderer patches
to reproduce the sandbox escape as a standalone exploit:
In an existing Chromium source directory, do git checkout 271eaf && gclient sync, then rebuild.
To apply the renderer patches required for the standalone sandbox escape, do
patch -p1 < /path/to/renderer-271eaf.patch.
Running
pwn.py is the web server that serves the exploit. Run it on Linux (or WSL) and start
Chrome in guest mode, then browse to http://localhost:8000/