Vendor: WorkStation
By: unamer
CVSS: 9.9 (CRITICAL)
Escape Exploit
CWE: 119
Product Name: WorkStation
Affected Version From: VMware WorkStation 12.5.5 and before
Affected Version To: VMware WorkStation 12.5.2 build-4638234
Patch Exists: YES
Related CVE: CVE-2017-4901
CPE: a:vmware:workstation
Platforms Tested: Win10 x64
2017

VMware Escape Exploit

This exploit is related to VMware WorkStation 12.5.5 and before. It is a heap manipulation exploit which can cause a host process crash. It was tested on Win10 x64 and VMware 12.5.2 build-4638234.

Mitigation:

Upgrade to the latest version of VMware WorkStation 12.5.5

Exploit-DB raw data:

# VMware Escape Exploit

VMware Escape Exploit before VMware WorkStation 12.5.5

Host Target: Win10 x64

Compiler: VS2013 

Test on VMware 12.5.2 build-4638234

# Known issues

* Failed heap manipulation causes a host process crash.
* Not quite elaborate because I'm not good at doing heap "fengshui" on Windows LFH.

# FAQ

* Q: Error when rebooting VMware after crashing the process.
* A: Just remove the **\*.lck** folder in your vm directory or wait a while and have a coffee :). Here is a simple [script](https://raw.githubusercontent.com/unamer/vmware_escape/master/cve-2017-4901/cleanvm.bat) I used to clean up.


![](https://github.com/unamer/vmware_escape/raw/master/cve-2017-4901/exp.gif)


EDB Note ~ Download: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/47714.zip