Skip to content
cyberexploits
remotewindowstext

Microsoft Edge (Windows 10) - 'chakra.dll' Info Leak / Type Confusion Remote Code Execution

Microsoft Edge (Windows 10) - 'chakra.dll' Info Leak / Type Confusion Remote Code Execution

Published on 2017-01-05

Source code

Pinned to commit 7eac4c3a2ce5
textplatforms/windows/remote/40990.txt7eac4c3a
raw
Source: https://github.com/theori-io/chakra-2016-11



Proofs of Concept: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40990.zip





chakra.dll Info Leak + Type Confusion for RCE



Proof-of-Concept exploit for Edge bugs (CVE-2016-7200 & CVE-2016-7201)



Tested on Windows 10 Edge (modern.ie stable).



FillFromPrototypes_TypeConfusion.html: WinExec notepad.exe



FillFromPrototypes_TypeConfusion_NoSC.html: 0xcc (INT 3)



To run:



Download exploit/FillFromPrototypes_TypeConfusion.html to a directory.

Serve the directory using a webserver (or python's simple HTTP server).

Browse with a victim IE to FillFromPrototypes_TypeConfusion.html.
View on GitHub