rip1s / vmware_escape

VMware Escape Exploit before VMware WorkStation 12.5.5

Shaping LFH #1

Open saaramar opened 7 years ago

saaramar commented 7 years ago

First of all - great repo! Thanks for sharing. About the stability issue - you exploited the vulnerability in the DND/CopyPaste mechanism, right? You have a corruption in the memcpy in DnDCPMsgV4_UnserializeMultiple(), due to the flawed check in DnDCPMsgV4IsPacketValid(). The issue is that the LFH allocations in the userblocks are randomized, since Win8 dropped the FreeEntryOffset. But you have alloc and free primitives. Why not use the randomization vulnerability and do something like this: https://github.com/saaramar/Deterministic_LFH ? (It would work until build 16179, but still, that would be pretty cool, wouldn't it? :) ) Thanks!
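The comment above traces the memcpy corruption to a validity check that does not bound what the unserializer later copies. The following C program is an added illustration of that bug class and is not VMware's code or the repo's: the wire format, `IsPacketValidWeak`, `IsPacketValidStrict`, `UnserializeMultiple` and `BuildPacket` are all hypothetical names and a constructed layout. The weak check only validates the header (total size and message count), so a packet whose per-message length field exceeds the fixed destination buffer still passes; the strict check walks every message and rejects any length that does not fit both the remaining input and the destination slot, which is the property the copy loop relies on.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed wire format (hypothetical, not the real DnD/CopyPaste V4 layout):
 * [PacketHeader][uint32 len][len bytes] repeated msgCount times. */
#define MAX_PAYLOAD 64
#define MAX_MSGS 4

typedef struct {
    uint32_t totalSize;   /* declared size of the whole packet */
    uint32_t msgCount;    /* number of [len][payload] records that follow */
} PacketHeader;

typedef struct {
    uint32_t len;
    uint8_t data[MAX_PAYLOAD];   /* fixed-size destination of the memcpy */
} Message;

/* Weak check: validates only the header, never the per-message lengths. */
bool IsPacketValidWeak(const uint8_t *buf, size_t bufLen) {
    PacketHeader h;
    if (bufLen < sizeof h) return false;
    memcpy(&h, buf, sizeof h);
    return h.totalSize == bufLen && h.msgCount <= MAX_MSGS;
}

/* Strict check: every length must fit the remaining input AND the
 * destination slot, and the records must consume exactly the buffer. */
bool IsPacketValidStrict(const uint8_t *buf, size_t bufLen) {
    PacketHeader h;
    if (!IsPacketValidWeak(buf, bufLen)) return false;
    memcpy(&h, buf, sizeof h);
    size_t off = sizeof h;
    for (uint32_t i = 0; i < h.msgCount; i++) {
        uint32_t len;
        if (bufLen - off < sizeof len) return false;   /* truncated length field */
        memcpy(&len, buf + off, sizeof len);
        off += sizeof len;
        if (len > MAX_PAYLOAD) return false;           /* would overflow Message.data */
        if (len > bufLen - off) return false;          /* would read past the packet */
        off += len;
    }
    return off == bufLen;
}

/* Copies records into fixed-size slots; safe only because the strict
 * check has already bounded every len by MAX_PAYLOAD and by the input. */
int UnserializeMultiple(const uint8_t *buf, size_t bufLen, Message *out, size_t outCap) {
    PacketHeader h;
    if (!IsPacketValidStrict(buf, bufLen)) return -1;
    memcpy(&h, buf, sizeof h);
    if (h.msgCount > outCap) return -1;
    size_t off = sizeof h;
    for (uint32_t i = 0; i < h.msgCount; i++) {
        uint32_t len;
        memcpy(&len, buf + off, sizeof len);
        off += sizeof len;
        out[i].len = len;
        memcpy(out[i].data, buf + off, len);   /* bounded by the strict check */
        off += len;
    }
    return (int)h.msgCount;
}

/* Builds a one-message packet whose length field is claimedLen; a caller can
 * deliberately make claimedLen disagree with the real payload size. */
size_t BuildPacket(uint8_t *out, size_t cap, uint32_t claimedLen, const char *payload) {
    size_t plen = strlen(payload);
    size_t total = sizeof(PacketHeader) + sizeof(uint32_t) + plen;
    if (total > cap) return 0;
    PacketHeader h = { (uint32_t)total, 1 };
    memcpy(out, &h, sizeof h);
    memcpy(out + sizeof h, &claimedLen, sizeof claimedLen);
    memcpy(out + sizeof h + sizeof claimedLen, payload, plen);
    return total;
}

int main(void) {
    uint8_t good[128], bad[128];
    Message msgs[MAX_MSGS];
    size_t n = BuildPacket(good, sizeof good, 5, "hello");
    size_t nb = BuildPacket(bad, sizeof bad, 1000, "hi");   /* length field lies */
    printf("well-formed: weak=%d strict=%d parsed=%d\n",
           IsPacketValidWeak(good, n), IsPacketValidStrict(good, n),
           UnserializeMultiple(good, n, msgs, MAX_MSGS));
    printf("oversized len: weak=%d strict=%d parsed=%d\n",
           IsPacketValidWeak(bad, nb), IsPacketValidStrict(bad, nb),
           UnserializeMultiple(bad, nb, msgs, MAX_MSGS));
    return 0;
}
```

The point to carry over when reviewing a real unserializer is the second print line: the header-only check accepts the malformed packet, so any memcpy driven by the per-record length is only as safe as the check that bounded it.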

rip1s commented 7 years ago

Thanks, I will try, but this will be more complicated inside VMware.

vportal commented 2 years ago

Hello,

I am trying to replicate the exploit, but I get a BSOD when I start debugging vmware-vmx. Analyzing the different dumps, the crash occurs in nt!NtWaitForDebugEvent+2bf, but I'm not sure why. Did you experience this issue while developing the exploit?

Thanks, best regards. Víctor