by hbrundage 1892 days ago
https://therecord.media/security-researcher-drops-chrome-and... says this isn't a fully weaponizable exploit because you still need to escape the Chrome sandbox after using this. But, the researcher shows a screenshot of having started calc.exe which seems like something that'd happen outside the sandbox?

The PR adding this says that you need to run Chrome with --no-sandbox to get the exploit chain (since they don't have a sandbox buster right now). Kinda feel like the PR to Metasploit is more interesting as a link.
Couldn't find the PR you're referring to, unless it was this one https://github.com/rapid7/metasploit-framework/pull/15007 which was added by the same author as the OP, but looks like a different exploit as far as I can tell?
I believe it's the same exploit, check out this reference here [0], and you should see the JS snippet

https://github.com/rapid7/metasploit-framework/pull/15007/fi...

The code is somewhat different, although you may have recognized that most JS engine exploits look the same once basic primitives are constructed.
I would imagine the researcher showed a screenshot of the exploit being run on a copy of Chrom{e,ium} where he had disabled parts of the sandbox (that, or he has a more complex exploit with another maybe-undisclosed sandbox escape).
Hey I'm the exploit author, just run "chrome.exe --no-sandbox exploit.html" it will work.
What is your motivation for putting it on GitHub? Have you considered selling it to Google?
The bug was originally submitted to Google as part of Pwn2Own by two other people.

The GitHub PoC was built using the patch and regression test by a third person (who you just replied to). While it's been patched in the V8 JavaScript engine, that patch has not made it to Chrome (unless you're compiling Chromium from scratch) as part of Chrome's two-week release process.