VMware CloudBurst - VMware Guest to Host Escape Exploit

Over the last couple of days I had a chance to play with and research VMware a bit, among other things of course. I spent the last few days researching the vulnerability Kostya presented some time ago. I did the entire research from zero and basically just for fun (yeah, some of us still do this kind of stuff for the lulz). Unlike Kostya's method, I am able to exploit this vulnerability only by sending two specially crafted SVGA_CMD_RECT_COPY signals. This method should work on default VMware configurations with SVGA support. The following exploit was tested only on Windows XP SP3 with VMware Workstation 6.5.1 build 126130 (no DEP support). To be honest, I spent more time coding the hacktro, so make sure you watch it :-) Greetings to all of the hidden demosceners.

VMware Exploiting (payload running calc.exe on host)

VMware Cloud Burst Exploit Video (Windows XP) - Watch in HD


VMware Cloud Burst hacktro - Watch in HD

that's all! byez!

5 comments:

Gynvael Coldwind said...

Great stuff! Good work ;>
I like the hint of demoscene.
PoC exploits with demoscene intros... now that's an interesting idea. I like it ;>

j00ru said...

Nice work! ;>

EdHunter said...

Just awesome Piotr!!!

Piotr Bania said...

thanks all :-)

sn said...

Willson! well done;>