MYHACK58:62201788117

VMware virtual machine escape vulnerability (CVE-2017-4901): exploit code analysis and use - vulnerability and early warning - the black bar safety net

2017-07-24 00:00:00
任子行
www.myhack58.com

0x01 Event analysis
On July 19, 2017, unamer published on GitHub the source code of an exploit for a VMware virtual machine escape, written in C++. It is claimed to affect versions of VMware Workstation before 12.5.5, and the author gives a demonstration of the process: code execution from the guest on the host machine, popping up the familiar calculator. Since the code is open source, simply replacing the part of the shellcode that launches the calculator with other malicious code could cause great harm.
Going through the code, we found that the vulnerability exploited is CVE-2017-4901, which was disclosed in March of this year. Chaitin Security Research Lab published many details on how it discovered and exploited this VMware vulnerability at the Pwn2Own hacking contest in March 2017.
The principle of the vulnerability is the same as that of CVE-2016-7461, demonstrated at 360 PwnFest in November 2016: both lie in the drag-and-drop (DnD) and copy-and-paste (CnP) functionality, but that vulnerability was in version 4, while the current CVE-2017-4901 appears in version 3. VMware's advisory is at https://www.vmware.com/security/advisories/VMSA-2016-0019.html.
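Both vulnerabilities live in the DnD and CnP channels between guest and host, and the exploit below depends on the guest being allowed to negotiate those channels. As an added example that is not part of the original article or of the published exploit, the following script audits a VMware .vmx configuration for the hardening keys that disable drag-and-drop and copy/paste (isolation.tools.dnd.disable, isolation.tools.copy.disable, isolation.tools.paste.disable, taken from VMware's hardening guidance). The two .vmx snippets are constructed for the example; the key list is an assumption about what an administrator would check and is not quoted from the article.

```python
import re
from typing import Dict, List

# Hardening keys that turn off the guest-host DnD / copy / paste channels.
# Assumption for this example: these are the settings an administrator
# would verify; they are not taken from the article itself.
HARDENING_KEYS = (
    "isolation.tools.dnd.disable",
    "isolation.tools.copy.disable",
    "isolation.tools.paste.disable",
)


def parse_vmx(text: str) -> Dict[str, str]:
    """Parse .vmx lines of the form key = "value" into a dict.

    Keys are lower-cased because VMware treats them case-insensitively;
    blank lines and comments are skipped.
    """
    settings: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "//")):
            continue
        m = re.match(r'^([\w.:]+)\s*=\s*"?(.*?)"?\s*$', line)
        if m:
            settings[m.group(1).lower()] = m.group(2)
    return settings


def audit_vmx(text: str) -> List[str]:
    """Return the hardening keys that are missing or not set to TRUE."""
    settings = parse_vmx(text)
    findings = []
    for key in HARDENING_KEYS:
        value = settings.get(key, "")
        if value.strip().lower() != "true":
            findings.append(key)
    return findings


# Constructed sample configurations (not real files from the article).
WEAK_VMX = '''
.encoding = "UTF-8"
config.version = "8"
displayName = "test-guest"
isolation.tools.copy.disable = "FALSE"
'''

HARDENED_VMX = '''
.encoding = "UTF-8"
displayName = "test-guest"
isolation.tools.dnd.disable = "TRUE"
isolation.tools.copy.disable = "TRUE"
isolation.tools.paste.disable = "TRUE"
'''

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_VMX), ("hardened", HARDENED_VMX)):
        missing = audit_vmx(cfg)
        status = "OK" if not missing else "exposed: " + ", ".join(missing)
        print(f"{name}: {status}")
```

A key that is absent is reported just like one set to FALSE, since the channel defaults to enabled; run the script against a real .vmx file by passing its contents to audit_vmx.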
0x02 Exploit code analysis
Following the exploit code, we analyze the whole exploitation process step by step.
(1) Set version 3.0
Because the vulnerability exists in version 3 of the DnD and CnP mechanisms, both DnD and CnP are set to version 3, using the commands "tools.capability.dnd_version 3" and "tools.capability.copypaste_version 3".
![](/Article/UploadPic/2017-7/2017724171548832.png?www.myhack58.com)

(2) Overflow the heap
To achieve code execution, the overflow must reach a function pointer or virtual table pointer in an object on the heap.
![](/Article/UploadPic/2017-7/2017724171548533.png?www.myhack58.com)
![](/Article/UploadPic/2017-7/2017724171548447.png?www.myhack58.com)
(3) Create the version 3 DnD and CnP objects
The DnD and CnP versions must be queried for the settings to take effect; this is done by sending the commands vmx.capability.dnd_version and vmx.capability.copypaste_version respectively. These two commands check the version of the DnD/CnP mechanism and, while doing so, create the two objects, DnD and CnP; the C++ object corresponding to version 3 is 0xA8 bytes in size.
![](/Article/UploadPic/2017-7/2017724171548410.png?www.myhack58.com)

(4) Overwrite the C++ object's virtual table address
Write out of bounds in memory multiple times, according to the size of the C++ object.
![](/Article/UploadPic/2017-7/2017724171548411.png?www.myhack58.com)
![](/Article/UploadPic/2017-7/2017724171548871.png?www.myhack58.com)

(5) Bypass ASLR through information disclosure
The commands info-set guestinfo.KEY VALUE and info-get guestinfo.KEY set and get data. Using these two commands, the values following the objects on the heap are leaked, which yields the object's virtual table address and thereby the address of vmware-vmx.

![](/Article/UploadPic/2017-7/2017724171548887.png?www.myhack58.com)
(6) Achieve code execution
Based on the leaked information, determine which C++ object was overflowed, DnD or CnP. Depending on the type, ROP is used to bypass DEP and the shellcode is stitched in, completing the Trojan configuration.
Structure used for the CnP-type object overflow:
Overwrite the object's virtual table address so that it points to the fake virtual table, then send a CP command to trigger the virtual function call.
![](/Article/UploadPic/2017-7/2017724171549799.png?www.myhack58.com)

Here the SetGlobalPointer function sends the unity.window.contents.start command; through the width and height parameters specified in the command, a 64-bit stack-pivot gadget address is written.

![](/Article/UploadPic/2017-7/2017724171549100.png?www.myhack58.com)
Structure used for the DnD-type object overflow:

![](/Article/UploadPic/2017-7/2017724171549941.png?www.myhack58.com)
Send the payload to complete the setup:
![](/Article/UploadPic/2017-7/2017724171550957.png?www.myhack58.com)

0x03 Exploitation
The author mentions on the GitHub page above that, because the Windows LFH randomization is not handled well, a fully reliable exploit was not achieved. During testing the virtual machine did behave unstably: either it crashed directly, or the calculator popped up and the virtual machine then exited. Tested version: VMware Workstation Pro 12.5.1 Build build-4542065.
(1) The calculator pops up.
![](/Article/UploadPic/2017-7/2017724171550552.png?www.myhack58.com)

![](/Article/UploadPic/2017-7/2017724171551299.png?www.myhack58.com)
