Home

Awesome

3D Accelerated Exploitation

The content of this repository is meant to be the official release of the tooling/exploit that was discussed during the OffensiveCon 2019 talk - 3D Accelerated Exploitation. The talk dealt with research into the VirtualBox 3D Acceleration feature, which is backed by a software component called Chromium.

The talk can be found here.

exploit-dev-harness

tldwtt;

The harness implements an interface useful for experimenting with 3D acceleration outside of VirtualBox. Essentially, the host library makes it possible to write code that interacts with the Chromium server in a very similar way code would from a guest operating system. Ideally, experimental/exploit code can then be taken and added to the guest library that implements this interface as a guest would, and should work exactly the same. A high level overview of the implementation is shown below.

InterfaceHostGuest
vbox3d::connectcrVBoxServerAddClientVBGLIOCHGCMCONNECT
vbox3d::disconnectcrVBoxServerRemoveClientVBGLIOCHGCMDISCONNECT
vbox3d::hgcm_callsvcCallVBGLIOCHGCMCALL

The implementation behind the host libraries is performed using exported methods from the VBoxSharedCrOpenGL.dll module, except for svcCall, which is obtained by initialising the VBoxSharedCrOpenGL service in a specific way, by using the VBoxHGCMSvcLoad export.

The guest library implements the interface by communicating with the guest additions device file (only Linux supported).

dependencies

For the host libraries to work (against production or debug), the following modules need to be in the same directory as the executable:

build process

The host libraries have only been written for Windows. The repository contains a simple script, build.bat, that compiles the code. This script was intended to be run from the Native Tools command prompt that comes with Visual Studio when adding C++ as a language.

The guest libraries have been written for Linux guests. However, compared to the host libraries, it should be significantly easier to port the code for Windows guests. This repository includes a makefile for building the guest exploit/binary.

what could go wrong?

Obtaining a pointer to svcCall relies on the size of the VBOXHGCMSVCFNTABLE struct, and the offset to svcCall within this struct. The library has only been tested against VirtualBox 5.2.22/24.

fuzzer

The release of the fuzzing toolkit is minimal, with sample harnesses and some information on how to compile VirtualBox with American Fuzzy Lop. By "some" it is meant that VirtualBox build dependencies aren't covered in this writeup.

offensivecon2019

The exploit code in offensivecon2019 contain the code exploiting the libraries on the host operating system (see exploit-dev-harness) and the guest operating system. The exploit uses CVE-2019-2525 to leak an address that gets used to bypass ASLR, and then CVE-2019-2548 to obtain an arbitrary write primitive.