Awesome

VMware Exploitation

A collection of links related to VMware escape exploits.

Pull requests are welcome.

Follow @andreyknvl on Twitter or @xairy@infosec.exchange on Mastodon to be notified of updates.

Research

2024

• "Chaining N-days to Compromise All": "Part 4 — VMware Workstation Information leakage", "Part 5 — VMware Workstation Guest-to-Host Escape" [articles]
• "Unveiling the Cracks in Virtualization, Mastering the Host System — VMware Workstation Escape" [slides]
• "Vulnerabilities found in VMWare by me" by Gabriel Durdiak [article]
• "URB Excalibur: The New VMware All-Platform VM Escapes" [slides]

2023

• "Rogue CDB: Escaping from VMware Workstation Through the Disk Controller" by Wenxu Yin [slides] [video]
• "CVE-2023-20869/20870: Exploiting VMware Workstation at Pwn2Own Vancouver"

2021

• "From Binary Patch to Proof-of-concept: a VMware ESXi vmxnet3 Case Study" by Alisa Esage [article]

2020

• "Detailing Two VMware Workstation TOCTOU Vulnerabilities" by Reno Robert [article]
• "SpeedPwning VMware Workstation: Failing at Pwn2Own, but doing it fast" by Corentin Bayet and Bruno Pujos [slides]
• "Pwning VMware, Part 2: ZDI-19-421, a UHCI bug" [article]
• "CVE-2020-3947: Use-After-Free Vulnerability in the VMware Workstation DHCP Component" by KP Choubey [article]

2019

• "The Great Escape of ESXi" (36C3) [video] [slides]
• "Taking Control of VMware through the Universal Host Controller Interface: Part 1" by Abdul-Aziz Hariri [article]
• "Taking Control of VMware through the Universal Host Controller Interface: Part 2" by Abdul-Aziz Hariri [article]
• "Breaking Turtles All the Way Down: An Exploitation Chain to Break out of VMware ESXi" by Hanqing Zhao et al. [paper]

2018

• "Straight outta VMware: Modern exploitation of the SVGA device for guest-to-host escape exploits" by Zisis Sialveras [slides #1] [slides #2] [video] [paper] [article]
• "CVE-2018-6973 Analysis" by Bruno Botelho [article]
• "VMware Exploitation Through Uninitialized Buffers" by Abdul-Aziz Hariri [article]
• "Automating VMware RPC Request Sniffing" by Abdul-Aziz Hariri [article]
• "L'art de l'évasion" by Brian Gorenc, Abdul-Aziz Hariri and Jasiel Spelman (OffensiveCon) [video]
• "A bunch of Red Pills: VMware Escapes" by Marco Grassi, Azureyang, Jackyxty [article]
• "Wandering through the Shady Corners of VMware Workstation/Fusion" [article]
• "Modern VMWARE Exploitation Techniques" by Brian Gorenc, Jasiel Spelman, Abdul Aziz Hariri (Infiltrate) [video]

2017

• "VMware's Launch Escape System" by Abdul-Aziz Hariri [article]
• "Out of The Truman Show: VM escape in VMware gracefully" by Lei Shi and Mei Wang [slides]
• "VMware Escapology: How to Houdini The Hypervisor" by AbdulAziz Hariri and Joshua Smith [article] [video] [code]
• "Use-After-Silence: Exploiting a quietly patched UAF in VMware" by Abdul-Aziz Hariri [article]
• "Analyzing a Patch of a Virtual Machine Escape on VMware" by Yakun Zhang [article]
• "Leveraging VMware's RPC interface for fun and profit" (ZeroNights) [slides] [slides #2)] [video]
• "The Weak Bug - Exploiting a Heap Overflow in VMware" [article]
• "How to exploit cve 2017 4901" [article]
• "Escape from VMware Workstation by using "Hearthstone"" [slides]
• "The Great Escapes of VMware: A Retrospective Case Study of VMware Guest-to-Host Escape Vulnerabilities" by Debasish Mandal and Yakun Zhang (Blackhat Europe) [slides] [video]
• "Pythonizing the VMware Backdoor" by Abdul-Aziz Hariri [article]

2016

• "Windows Metafiles: An Analysis of the EMF Attack Surface & Recent Vulnerabilities" by Mateusz "j00ru" Jurczyk [slides]
• "50 Shades Of Fuzzing" by Peter Hlavaty and Marco Grassi [slides]

2015

• "Escaping VMware Workstation through COM1" by Kostya Kortchinsky [article]

2008

• "Cloudburst: A VMware Guest to Host Escape Story" by Kostya Kortchinsky [slides]

2007

• "An Empirical Study into the Security Exposure to Hosts of Hostile Virtualized Environments" by Tavis Ormandy [whitepaper]

Exploits

• https://www.exploit-db.com/search?q=vmware
• https://github.com/unamer/vmware_escape
• https://github.com/s0duku/cve-2022-31705

CTF tasks

• Real World CTF 2018 Finals (Station Escape): writeup 1, writeup 2

Misc

• https://www.vmware.com/security/advisories.html
• https://sites.google.com/site/chitchatvmback/backdoor
• https://github.com/vmware/open-vm-tools
• https://sourceforge.net/projects/vmware-svga
• http://sysprogs.com/legacy/articles/kdvmware/guestrpc.shtml

ZDI demos

• Demonstrating a VMware Guest-to-Host Escape
• Automating VMware RPC Request Sniffing
• Demonstration of Use-After-free Escalation in VMware
• CPython RPC Demonstration
• Demonstrating the vmware_copy_pirate Metasploit Post-Exploitation Module

Other lists

• WinMin/awesome-vm-exploit