Chromium Exploit Development Toolkit

A toolkit to turn Chromium vulnerabilities into full-chain exploits.

Currently supporting Google Chrome on Windows x64.

Overview

This project provides a set of powerful helper scripts but requires you to bring your own vulnerabilities. You are responsible for implementing minimal exploitation primitives, and the toolkit handles everything else.

A custom exploit chain relies on the main.js script file, which lets you selectively include your vulnerabilities alongside the toolkit’s helper scripts:

```js
// Log level
const loglevel = 5;

// Exploit chain
async function main() {
    await include("utils/utils.js");                        // Global utils which can be used at any time
    await include("utils/symbols.js");                      // Offsets by Chrome builds for your exploit chain
    await include("utils/wasm-module-builder.js");          // Original wasm-module-builder to build WASM modules easily in JS

    // Include your initial V8 memory corruption here
    // This should craft addrOf() & fakeObj() primitives
    await include("vulns/memcor/your-code.js");

    await include("v8/cage.js");                            // Stabilize the primitives & gain memory read/write inside the V8 SBX
    await include("v8/helpers.js");                         // Generic helpers for V8 SBX escape

    // Include your V8 SBX escape here
    // This should craft arbRead() & arbWrite() primitives
    // AND leak some addresses to achieve RCE (see rwx/helpers/*.js)
    await include("vulns/v8sbx/your-code.js");

    await include("rwx/memory.js");                         // Craft utils to manipulate the renderer memory safely

    // Generic helpers to turn your V8 SBX escape into RCE
    // Include only relevant helpers for your V8 SBX escape
    await include("rwx/helpers/trusted-rwx.js");            // Turn a leak of a pointer in the trusted cage into RCE (by egg-hunting WASM instances)
    await include("rwx/helpers/rwx-chrome.js");             // Use a RWX callable memory page to find the Chrome DLL base address
    await include("rwx/helpers/partitionalloc-chrome.js");  // Retrieve Chrome DLL and sandbox base addresses using PartitionAlloc metadata
    await include("rwx/helpers/chrome-cages.js");           // Turn the Chrome DLL base address into cage bases and pointer tables
    await include("rwx/helpers/cages-getrwx.js");           // Turn the trusted cage base & pointer table into reliable RCE (by resolving caged pointers)

    await include("rwx/shellcodes.js");                     // Provide exploitation helpers using generic shellcodes

    await include("sbx/fingerprint.js");                    // Fingerprint browser and system versions
    await include("sbx/mojo.js");                           // Enable MojoJS and other protected flags

    // Include your SBX escape here
    await include("vulns/sbx/your-code.js");
}

/*
    Other customizable features are defined here
    (logging, clean exit, exploit reload...)
    ...
*/
```

See the features list for a comprehensive overview of available features.

A testing webpage is provided in `index.html`. It prints logs, handles crashes and allows the main script to include files from the project's subfolders. You can serve it locally with `python3 -m http.server`, then browse to `http://localhost:8000`.

For early exploit development, you can also run the main exploit script directly in d8: `d8.exe main.js`.

Once an exploit chain is ready, tools are provided to automate tasks such as PDB parsing and building the whole chain into a single script.

Demo

A demonstration exploit chain is provided in the default `main.js` to showcase the toolkit's features. It relies on the following (publicly disclosed) vulnerabilities:

  • CVE-2025-0291 (type confusion in Turboshaft's WasmGCTypeAnalyzer on single-block loops — source code here)
  • Issue 379140430 (signature type confusion in WasmToJsWrapper tier-up with in-sandbox Tuple2 corruption — source code here)
  • CVE-2024-11114 (mouse can be controlled using the startDragging() Mojo IPC interface to run downloaded files and escape the sandbox — source code here)
  • DLL hijacking in putty.exe (use putty.exe v0.68 & hijack winspool.drv to bypass Windows SmartScreen — resources here)

This exploit chain works out of the box on any Chrome 130 stable or extended release up to 130.0.6723.160. It can be extended to 128, 129 and some 131 beta builds by adding the corresponding symbols.

demo.mp4

Disclaimer

This toolkit is intended strictly for security research. On its own, it does not provide any material to exploit undisclosed vulnerabilities in the Chromium project. Use of this toolkit for malicious purposes is solely your responsibility.

Public releases are licensed under the GNU AGPLv3 terms. Specifically, the trading of private exploits based on this toolkit is not permitted under these terms. Previous commits made before the first public release may be unlicensed and are protected by default copyright laws.

This project includes third-party licensed components: see here for details.
