Awesome
VMware Exploitation
A collection of links related to VMware escape exploits.
Pull requests are welcome.
Follow @andreyknvl on Twitter or @xairy@infosec.exchange on Mastodon to be notified of updates.
Research
2024
- "Chaining N-days to Compromise All": "Part 4 — VMware Workstation Information leakage", "Part 5 — VMware Workstation Guest-to-Host Escape" [articles]
- "Unveiling the Cracks in Virtualization, Mastering the Host System — VMware Workstation Escape" [slides]
- "Vulnerabilities found in VMWare by me" by Gabriel Durdiak [article]
- "URB Excalibur: The New VMware All-Platform VM Escapes" [slides]
2023
- "Rogue CDB: Escaping from VMware Workstation Through the Disk Controller" by Wenxu Yin [slides] [video]
- "CVE-2023-20869/20870: Exploiting VMware Workstation at Pwn2Own Vancouver"
2021
2020
- "Detailing Two VMware Workstation TOCTOU Vulnerabilities" by Reno Robert [article]
- "SpeedPwning VMware Workstation: Failing at Pwn2Own, but doing it fast" by Corentin Bayet and Bruno Pujos [slides]
- "Pwning VMware, Part 2: ZDI-19-421, a UHCI bug" [article]
- "CVE-2020-3947: Use-After-Free Vulnerability in the VMware Workstation DHCP Component" by KP Choubey [article]
2019
- "The Great Escape of ESXi" (36C3) [video] [slides]
- "Taking Control of VMware through the Universal Host Controller Interface: Part 1" by Abdul-Aziz Hariri [article]
- "Taking Control of VMware through the Universal Host Controller Interface: Part 2" by Abdul-Aziz Hariri [article]
- "Breaking Turtles All the Way Down: An Exploitation Chain to Break out of VMware ESXi" by Hanqing Zhao et al. [paper]
2018
- "Straight outta VMware: Modern exploitation of the SVGA device for guest-to-host escape exploits" by Zisis Sialveras [slides #1] [slides #2] [video] [paper] [article]
- "CVE-2018-6973 Analysis" by Bruno Botelho [article]
- "VMware Exploitation Through Uninitialized Buffers" by Abdul-Aziz Hariri [article]
- "Automating VMware RPC Request Sniffing" by Abdul-Aziz Hariri [article]
- "L'art de l'évasion" by Brian Gorenc, Abdul-Aziz Hariri and Jasiel Spelman (OffensiveCon) [video]
- "A bunch of Red Pills: VMware Escapes" by Marco Grassi, Azureyang, Jackyxty [article]
- "Wandering through the Shady Corners of VMware Workstation/Fusion" [article]
- "Modern VMWARE Exploitation Techniques" by Brian Gorenc, Jasiel Spelman, Abdul Aziz Hariri (Infiltrate) [video]
2017
- "VMware's Launch Escape System" by Abdul-Aziz Hariri [article]
- "Out of The Truman Show: VM escape in VMware gracefully" by Lei Shi and Mei Wang [slides]
- "VMware Escapology: How to Houdini The Hypervisor" by AbdulAziz Hariri and Joshua Smith [article] [video] [code]
- "Use-After-Silence: Exploiting a quietly patched UAF in VMware" by Abdul-Aziz Hariri [article]
- "Analyzing a Patch of a Virtual Machine Escape on VMware" by Yakun Zhang [article]
- "Leveraging VMware's RPC interface for fun and profit" (ZeroNights) [slides] [slides #2)] [video]
- "The Weak Bug - Exploiting a Heap Overflow in VMware" [article]
- "How to exploit cve 2017 4901" [article]
- "Escape from VMware Workstation by using "Hearthstone"" [slides]
- "The Great Escapes of VMware: A Retrospective Case Study of VMware Guest-to-Host Escape Vulnerabilities" by Debasish Mandal and Yakun Zhang (Blackhat Europe) [slides] [video]
- "Pythonizing the VMware Backdoor" by Abdul-Aziz Hariri [article]
2016
- "Windows Metafiles: An Analysis of the EMF Attack Surface & Recent Vulnerabilities" by Mateusz "j00ru" Jurczyk [slides]
- "50 Shades Of Fuzzing" by Peter Hlavaty and Marco Grassi [slides]
2015
2008
2007
- "An Empirical Study into the Security Exposure to Hosts of Hostile Virtualized Environments" by Tavis Ormandy [whitepaper]
Exploits
- https://www.exploit-db.com/search?q=vmware
- https://github.com/unamer/vmware_escape
- https://github.com/s0duku/cve-2022-31705
CTF tasks
Misc
- https://www.vmware.com/security/advisories.html
- https://sites.google.com/site/chitchatvmback/backdoor
- https://github.com/vmware/open-vm-tools
- https://sourceforge.net/projects/vmware-svga
- http://sysprogs.com/legacy/articles/kdvmware/guestrpc.shtml
ZDI demos
- Demonstrating a VMware Guest-to-Host Escape
- Automating VMware RPC Request Sniffing
- Demonstration of Use-After-free Escalation in VMware
- CPython RPC Demonstration
- Demonstrating the vmware_copy_pirate Metasploit Post-Exploitation Module