rip1s / vmware_escape

VMware Escape Exploit before VMware WorkStation 12.5.5

question for heapspray #4

Closed dodaeche closed 6 years ago

dodaeche commented 6 years ago

Hi. First, thanks for your post. I have been learning exploitation from your code. In your code, there is heap spray code with sizes of 0xA0, 0x90, 0xA8. The target object (DnD or CP) size is 0xA8, so I think it's sufficient to just spray chunks of size 0xA8. Maybe I'm lacking something. Is there any reason that you made chunk sizes of 0xA0 and 0x90? Thanks for your code and wiki.

rip1s commented 6 years ago

Hi @dodaeche

Well, that's why the exploit isn't reliable.

> There is heap spray code with sizes of 0xA0, 0x90, 0xA8

Windows LFH is so annoying that if I only spray with size 0xa8, the "pwn" rate is far lower than spraying these 3 sizes. (Actually I don't know why.)

I tried to make the exploit more stable and the heap layout more predictable, and finally I found these sizes, as you see in the code, the weird sizes...

However, with these weird sizes sprayed, I can only get about a 30% success rate, too bad.

If you could find a way to control the heap layout and achieve stable exploitation, please contact me :), thanks.

Sorry for my poor English, haha.

dodaeche commented 6 years ago

Thanks @unamer. I've googled this VMware vulnerability and found a document: BlueHat v17 || Out of the Truman Show: VM Escape in VMware Gracefully

The heap spray method used there seems more complicated, but it gets a 95% pwn rate, wow. Anyway, I'm still studying your code because it is more intuitive. :-) Thank you again.

rip1s commented 6 years ago

Thanks for the document, bro. I'm a noob at heap spray.