Closed dodaeche closed 6 years ago
Hi @dodaeche
Well, that's why the exploit isn't reliable.
There is heap spray code with sizes of 0xA0, 0x90 and 0xA8.
Windows LFH is so annoying that if I only spray with size 0xA8, the "pwn" rate is far lower than when spraying these 3 sizes. (Actually, I don't know why.)
I tried to make the exploit more stable and the heap layout more predictable, and finally I found these sizes; as you see in the code, the weird sizes...
However, even with these weird sizes sprayed, I can only get about a 30% success rate, too bad.
If you could find a way to control the heap layout and achieve stable exploitation, please contact me :), thanks.
Sorry for my poor English, haha.
Thanks @unamer. I've googled this VMware vulnerability and found a document: BlueHat v17 || Out of the Truman Show: VM Escape in VMware Gracefully.
The heap spray method used there seems more complicated, but it gets a 95% pwn rate, wow. Anyway, I'm still studying your code because it is more intuitive. :-) Thank you again.
Thanks for the document, bro. I'm a noob at heap spray.
Hi. First, thanks for your post. I have been learning exploitation from your code. In your code, there is heap spray code with sizes of 0xA0, 0x90 and 0xA8. The target object (DnD or CP) size is 0xA8, so I think it's sufficient to just spray chunks of size 0xA8. Maybe I'm missing something. Is there any reason that you made chunk sizes of 0xA0 and 0x90? Thanks for your code and wiki.