just push

CVE-2020-6418+CVE-2020-UNDISCLOSED/README.md

@@ -2,6 +2,8 @@ https://issues.chromium.org/issues/40051782
 
 https://chromium.googlesource.com/chromium/src/+/0002875db334deb69d41f74adc15ad40089f04c5/content/browser/installedapp/installed_app_provider_impl.cc
 
+https://ruan777.github.io/2021/12/05/chrome_issue1062091_%E5%88%86%E6%9E%90/
+
 
 
 
@@ -20,112 +22,3 @@ https://chromium.googlesource.com/chromium/src/+/refs/tags/81.0.4041.0
 https://chromium.googlesource.com/chromium/src/+/3b8a123de15f8d72de245c2c3b865f6effe8636c/content/browser/installedapp/installed_app_provider_impl.cc
 
 this one should be vulnerable? hopefully?
-
-
-
-
-https://blog.theori.io/cleanly-escaping-the-chrome-sandbox-1c38abd3c9cb
-
-https://mp.weixin.qq.com/s/Gfo3GAoSyK50jFqOKCHKVA
-
-https://ruan777.github.io/2021/12/05/chrome_issue1062091_%E5%88%86%E6%9E%90/#&gid=1&pid=1
-
-https://blog.theori.io/cleanly-escaping-the-chrome-sandbox-1c38abd3c9cb
-
-https://issues.chromium.org/issues/40051782
-
-https://github.com/SycloverSecurity/SCTF2020/blob/master/Pwn/EasyMojo/README.md
-
-https://commondatastorage.googleapis.com/chromium-browser-snapshots/index.html?prefix=Win_x64/737173/
-
-https://www.anquanke.com/post/id/203834
-
-https://www.51cto.com/article/626989.html
-
-
-cool GPU stuff
-
-https://conference.hitb.org/hitbsecconf2022sin/materials/D2T1%20-%20Browser%20Hacking%20with%20ANGLE%20-%20Jeonghoon%20Shin.pdf
-
-
-
-
-https://bugs.chromium.org/p/chromium/issues/detail?id=977462
-
-
-
-Mojo CTFs
-
-https://robertchen.cc/blog/2021/07/07/sbx-intro
-
-https://robertchen.cc/blog/2021/02/07/adult-csp
-
-https://eternalsakura13.com/2020/09/20/mojo/#more
-
-https://pwnfirstsear.ch/2020/04/20/plaidctf2020-mojo
-
-https://blog.csdn.net/qq_61670993/article/details/135993133
-
-https://ret2.life/posts/Google-CTF-2021/
-
-https://eternal.red/2019/monochromatic-writeup/
-
-https://ptr-yudai.hatenablog.com/entry/2021/07/26/225308
-
-https://balsn.tw/ctf_writeup/20200627-0ctf_tctf2020quals/
-
-https://www.willsroot.io/2021/07/
-
-
-
-
-
-https://microsoftedge.github.io/edgevr/posts/yet-another-uaf/
-
-https://gist.github.com/ohnull/2cbfa501936a2fff4fd9efa67310cda8
-
-https://www.anquanke.com/post/id/233530
-
-
-https://project-zero.issues.chromium.org/issues/42451355
-
-https://issues.chromium.org/issues/40051958
-
-https://issues.chromium.org/issues/40053490
-
-https://issues.chromium.org/issues/40052742 <- full exploit
-
-https://issues.chromium.org/issues/40053360
-
-https://issues.chromium.org/issues/40053185
-
-https://issues.chromium.org/issues/40052216
-
-https://issues.chromium.org/issues/40052867
-
-https://issues.chromium.org/issues/40073505
-
-https://issues.chromium.org/issues/41494840
-
-https://issues.chromium.org/issues/41494845
-
-https://issues.chromium.org/issues/331369797
-
-https://issues.chromium.org/issues/328859176
-
-https://issues.chromium.org/issues/40945594
-
-https://issues.chromium.org/issues/41494860
-
-https://issues.chromium.org/issues/40063770
-
-https://issues.chromium.org/issues/41495060
-
-https://issues.chromium.org/issues/40073300
-
-https://issues.chromium.org/issues/338161969
-
-https://issues.chromium.org/issues/40095468
-
-https://project-zero.issues.chromium.org/issues/42450803
-

Chrome-Internals/Chrome-Build.md

@@ -181,7 +181,47 @@
 
 1. For recent versions of Chrome, just follow Chromium documentation + Google/ChatGPT
 
-2. For older versions of Chrome, did not manage to do it. Sadge. (TODO)
+2. To build older Chromium versions (e.g. below Chromium 110 but above Chromium 80), these are the generic steps you can take (some screenshots references can be found as I attempted to build Chromium 93.0.4577.0 on Windows)
+
+    - Windows 10 seems to be the most stable
+
+    - Have prepare MSVC 2017, MSVC 2019, MSVC 2022
+
+    - Reference the "Building Chromium on Windows" documentation for that particular revision of Chromium you are building
+
+    - Follow "Building Older Revisions" documentation and revert your depot_tools to the appropriate settings (you may have to change certain depot scripts in order to prevent running into some errors)
+
+    - `gn gen` can be done in command prompt but `autoninja` MUST be done in x64 native tools command prompt for VS
+
+    - Pray. Good luck and have fun.
+
+
+It sounds like your Chromium build setup on Windows is having trouble finding files on the C:\ drive when you're building on F:. This issue might stem from how paths are being resolved between drives, or from permissions related to the F:\ drive, depending on how your depot_tools environment and build scripts are set up.
+
+Here are a few steps you can try to resolve the issue:
+
+Ensure Path Variables Are Correct: Double-check that your system's environment variables, such as PATH, correctly point to the Windows Kit (the SDK folder). You can verify this by:
+
+Opening the System Properties -> Environment Variables.
+Looking for entries in PATH that point to C:\Program Files\Windows Kits\....
+Add missing paths if necessary.
+Run Scripts from C:\ Drive: Even though you are building on F:, some scripts or tools (like depot_tools and autoninja) might still expect to access certain resources from the C:\ drive. Ensure that you're running the depot_tools scripts and autoninja from the correct drive.
+
+Permissions Issue: Sometimes, the F:\ drive could have different permissions, especially if it's an external drive or has been remounted. Try running the build with elevated permissions:
+
+Open the Command Prompt with Administrator rights and run autoninja.
+Mount the HDD: If you are using an external HDD as F:, you could try mounting it as a folder inside your C:\ drive (using Windows Disk Management). This might prevent issues where scripts can't "see" another drive.
+
+Symlink Between Drives: You could try creating symbolic links between your F:\ and C:\ drives for critical folders. For example, you can link part of your build directory on F:\ to a folder on C:\ like this:
+
+bash
+Copy code
+mklink /D C:\build F:\build
+This may help the build process access the necessary files.
+
+Check depot_tools and Build Configuration: Make sure your depot_tools and build configuration files are not hard-coded to specific drives. Look for absolute paths in .gn or .gclient files and adjust them to ensure they reflect your environment.
+
+If none of these solutions work, reviewing the exact error messages could give more clues about what might be wrong.
 
 # Where to find Chrome
 

Chrome-Internals/Chrome-Compilation.md

@@ -94,19 +94,51 @@ Did not cover cause no time (and similar-ish to other V8 bugs that I have attemp
 
 ### Renderer to Browser SBX 
 
-[Renderer RCE -> Enable Mojo -> Browser Heap Spray + Browser UaF -> Fake Structures -> Fake VTables -> Browser RCE](https://googleprojectzero.blogspot.com/2019/04/virtually-unlimited-memory-escaping.html)
+1. [FileReader UaF Exploit](https://googleprojectzero.blogspot.com/2019/04/virtually-unlimited-memory-escaping.html)
 
-[Renderer RCE -> Enable Mojo -> Browser UaF -> Heap Leak -> Browser Heap Spray + Browser UaF -> Leak CommandLinePointer -> Browser Heap Spray + Browser UaF -> SetCommandLineFlagsForSandboxType() -> Spawn a new Renderer with No Sandbox -> Renderer RCE with no sandbox](https://blog.theori.io/cleanly-escaping-the-chrome-sandbox-1c38abd3c9cb)
+    - Renderer RCE -> Enable Mojo
 
-[Rendere RCE -> Patch Renderer Code + Enable Mojo -> Browser Heap Spray + Browser UaF -> Fake Structures -> Fake VTables -> Browser RCE](https://github.com/github/securitylab/blob/main/SecurityExploits/Chrome/SandboxEscape/GHSL-2020-165/README.md)
+    - Browser Heap Spray -> Fake Structures + Payload
 
-[Rendere RCE -> Patch Renderer Code + Patch in Control Flow -> Browser Heap Spray + Browser UaF -> Heap Leak -> Browser Heap Spray + Browser UaF -> Fake Structures -> Fake VTables -> Browser RCE](https://github.com/niklasb/hack2win-chrome)
+    - Trigger Free -> Object Replacement -> Trigger UaF -> Jump to Fake Structures
 
-[Renderer RCE -> Patch Renderer Code + Patch in Control Flow + Enable Mojo -> Browser Heap Spray + Browser UaF -> Heap Leak -> Browser Heap Spray + Browser UaF -> Fake Structures -> Fake VTables -> Browser RCE](https://github.com/github/securitylab/blob/main/SecurityExploits/Chrome/SandboxEscape/CVE-2021-30528/aarch64/arm64_renderer.patch)
+    - Browser RCE
 
-[?](https://issues.chromium.org/issues/40052083), [?](https://github.com/emredavut/Chrome-Android-and-Windows-0day-RCE-SBX/blob/main/sbx.js)
+    - Partial Patch to disable [Browser Heap Spray](https://source.chromium.org/chromium/chromium/src/+/a4a2d4b21eaca030d304f5fd9f19ede848108c47)
 
-[?](https://starlabs.sg/blog/2022/01-the-cat-escaped-from-the-chrome-sandbox/)
+2. [InstalledAppProviderImpl UaF Exploit](https://blog.theori.io/cleanly-escaping-the-chrome-sandbox-1c38abd3c9cb)
+
+    - Renderer RCE -> Enable Mojo
+
+    - Trigger Free -> Object Replacement -> Trigger UaF -> Leak Heap Pointer
+
+    - Browser Heap Spray -> Trigger Free -> Object Replacement -> Trigger UaF -> Arbitrary Call -> copy64 -> Leak CommandLinePointer
+
+    - Browser Heap Spray -> Trigger Free -> Object Replacement -> Trigger UaF -> Arbitrary Call -> SetCommandLineFlagsForSandboxType
+
+    - Spawn new renderer with `--no-sandbox`
+
+    - Renderer RCE with Browser privileges
+
+3. [AppCache UaF Exploit](https://github.com/niklasb/hack2win-chrome)
+
+    - Renderer RCE -> Patch Renderer Chrome Code + Control Flow
+
+    - TBC
+
+4. No time to look at
+
+    - [?](https://microsoftedge.github.io/edgevr/posts/yet-another-uaf/#exploiting-the-issue)
+
+    - [?](https://labs.bluefrostsecurity.de/blog/2019/08/08/escaping-the-chrome-sandbox-via-an-indexeddb-race-condition/)
+
+    - [?](https://github.com/github/securitylab/blob/main/SecurityExploits/Chrome/SandboxEscape/GHSL-2020-165/README.md)
+
+    - [?](https://github.com/github/securitylab/blob/main/SecurityExploits/Chrome/SandboxEscape/CVE-2021-30528/aarch64/arm64_renderer.patch)
+
+    - [?](https://issues.chromium.org/issues/40052083), [?](https://github.com/emredavut/Chrome-Android-and-Windows-0day-RCE-SBX/blob/main/sbx.js)
+
+    - [?](https://starlabs.sg/blog/2022/01-the-cat-escaped-from-the-chrome-sandbox/)
 
 ### Renderer to GPU SBX 
 

Chrome-Internals/Unorganised.md

@@ -27,4 +27,111 @@ https://source.chromium.org/chromium/chromium/src/+/main:docs/security/mojo.md
 https://xzwang2005.github.io/Prelude/crack_the_code/Chap_3/mojo_101.html
 
 
-[Tiggering GCs in V8, Exploit stablization techniques (Chrome 90.0.4430.72)](https://tiszka.com/blog/CVE_2021_21225_exploit.html)
+[Tiggering GCs in V8, Exploit stablization techniques (Chrome 90.0.4430.72)](https://tiszka.com/blog/CVE_2021_21225_exploit.html)
+
+### ?
+
+https://blog.theori.io/cleanly-escaping-the-chrome-sandbox-1c38abd3c9cb
+
+https://mp.weixin.qq.com/s/Gfo3GAoSyK50jFqOKCHKVA
+
+https://ruan777.github.io/2021/12/05/chrome_issue1062091_%E5%88%86%E6%9E%90/#&gid=1&pid=1
+
+https://blog.theori.io/cleanly-escaping-the-chrome-sandbox-1c38abd3c9cb
+
+https://issues.chromium.org/issues/40051782
+
+https://github.com/SycloverSecurity/SCTF2020/blob/master/Pwn/EasyMojo/README.md
+
+https://commondatastorage.googleapis.com/chromium-browser-snapshots/index.html?prefix=Win_x64/737173/
+
+https://www.anquanke.com/post/id/203834
+
+https://www.51cto.com/article/626989.html
+
+
+cool GPU stuff
+
+https://conference.hitb.org/hitbsecconf2022sin/materials/D2T1%20-%20Browser%20Hacking%20with%20ANGLE%20-%20Jeonghoon%20Shin.pdf
+
+
+
+
+https://bugs.chromium.org/p/chromium/issues/detail?id=977462
+
+
+
+Mojo CTFs
+
+https://robertchen.cc/blog/2021/07/07/sbx-intro
+
+https://robertchen.cc/blog/2021/02/07/adult-csp
+
+https://eternalsakura13.com/2020/09/20/mojo/#more
+
+https://pwnfirstsear.ch/2020/04/20/plaidctf2020-mojo
+
+https://blog.csdn.net/qq_61670993/article/details/135993133
+
+https://ret2.life/posts/Google-CTF-2021/
+
+https://eternal.red/2019/monochromatic-writeup/
+
+https://ptr-yudai.hatenablog.com/entry/2021/07/26/225308
+
+https://balsn.tw/ctf_writeup/20200627-0ctf_tctf2020quals/
+
+https://www.willsroot.io/2021/07/
+
+
+
+
+
+https://microsoftedge.github.io/edgevr/posts/yet-another-uaf/
+
+https://gist.github.com/ohnull/2cbfa501936a2fff4fd9efa67310cda8
+
+https://www.anquanke.com/post/id/233530
+
+
+https://project-zero.issues.chromium.org/issues/42451355
+
+https://issues.chromium.org/issues/40051958
+
+https://issues.chromium.org/issues/40053490
+
+https://issues.chromium.org/issues/40052742 <- full exploit
+
+https://issues.chromium.org/issues/40053360
+
+https://issues.chromium.org/issues/40053185
+
+https://issues.chromium.org/issues/40052216
+
+https://issues.chromium.org/issues/40052867
+
+https://issues.chromium.org/issues/40073505
+
+https://issues.chromium.org/issues/41494840
+
+https://issues.chromium.org/issues/41494845
+
+https://issues.chromium.org/issues/331369797
+
+https://issues.chromium.org/issues/328859176
+
+https://issues.chromium.org/issues/40945594
+
+https://issues.chromium.org/issues/41494860
+
+https://issues.chromium.org/issues/40063770
+
+https://issues.chromium.org/issues/41495060
+
+https://issues.chromium.org/issues/40073300
+
+https://issues.chromium.org/issues/338161969
+
+https://issues.chromium.org/issues/40095468
+
+https://project-zero.issues.chromium.org/issues/42450803