Embed Size (px)
Citation preview
Virtual DoS is usefulPeter Kamensky
@Python0x0
Defcon Russia 0x16
WhoAmI
•
•
Agenda
•
•
•
•
•
VMWare VM theory notes
VMWare Backdoor I/O
•
•
•
•
VMWare GuestRPC
•
•
•
•
GuestRPC work scheme
Open Channel Send length Send data
Get return data length
Receive data End of receive Close channel
GuestRPC packet example
VMWare VM main loop
VMM vmx86/ESXi-kernelGuest VMBackdoor I/O UserRPC
user-mode
vmware-vmx
main vm-loopI/O UserRPC
handlerGuestRPChandler
IOCTL/syscall
BackDoor I/O handler
Fuzzing GuestRPC
Grab GuestRPC commands
•
•
•http://pastebin.com/HWGtfy3G
Create a simple fuzzer
•
•
•
•
HGFS DoS bugs
Host Guest File System
•
• “ ”
•
HGFS #1
•
•
•
HGFS #2
•
•
•
SetGuestInfo memory leak
SetGuestInfo
•
• “ ”
Host memory abuse
Impact
•
•
•
VMWare fixes
•
•
How to Use?
Countermeasure to AV sandbox system
•
•
•
Obvious steps
•
•
•
Not so easy
•
•
•
•
•
Never Fixed VMWare behavior
•
•
•http://www.piotrbania.com/all/adv/vmware-io-adv.txt
RWEverything
•
•
•
•http://rweverything.com/
NOT_IMPLEMENTED+RWEverything
•
•
•
•
Conclusion
•
•
•
Questions?
