
CVE-2021-2119 PoC — Oracle Virtualization Security Vulnerability

Source
Associated Vulnerability
Title: Oracle Virtualization Security Vulnerability (CVE-2021-2119)
Description: Oracle Virtualization is a virtualization solution from the US company Oracle. The product is used to manage the entire hardware and software stack, from applications down to disk, in a unified way, enabling virtualization from the desktop to the data center. Oracle VM VirtualBox, part of Oracle Virtualization, has a security vulnerability that allows a high-privileged attacker with logon access to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. The following products and versions are affected: Oracle VM VirtualBox--Core--Pri
Description
0day VirtualBox 6.1.2 Escape for RealWorld CTF 2020/2021 CVE-2021-2119
Readme
# RWCTF21-VirtualBox-61-escape

0day VirtualBox 6.1 Escape for RealWorld CTF 2020/2021

## Demo 

[![Exploit Demo](images/thumbnail.png)](https://youtu.be/mjKxafMbpS0)

## What?

This is our solution for RealWorld CTF's "Box Escape" challenge from the 2020/2021 quals. ~~Currently a 0day but we'll add the CVE number once there is one.~~ CVE-2021-2119


## How does it work?

We wrote a blogpost describing the vulnerabilities and our exploit techniques. You can find it [here](https://secret.club/2021/01/14/vbox-escape.html).

## How to protect yourself?

Until the release build of VirtualBox is patched, disable SCSI.

## Credits

Writing this exploit was a joint effort of a bunch of people. 

- ESPR's [spq](https://twitter.com/__spq__), [tsuro](https://twitter.com/_tsuro) and [malle](https://twitter.com/fktio) who don't need an introduction :D

- My ALLES! teammates and windows experts Alain Rödel aka [0x4d5a](https://twitter.com/0x4d5aC) and Felipe Custodio Romero aka [localo](https://twitter.com/_localo_)

- [niklasb](https://twitter.com/_niklasb) for his [prior work](https://github.com/niklasb/sploits/tree/master/virtualbox/hgcm-oob/) and for some helpful pointers! 

> "A ROP chain a day keeps the doctor away. Always keep that in mind, my grandpa always said."

~ *Niklas Baumstark (2021)*

- myself, Ilias Morad aka [A2nkF](https://twitter.com/A2nkF_) :)

I had the pleasure of working with this group of talented people over the course of multiple sleepless nights and days during and even after the CTF was already over just to get the exploit working properly on a release build of VirtualBox and to improve stability. This truly shows what a small group of dedicated people is able to achieve in an incredibly short period of time if they put their minds to it! I'd like to thank every single one of you :D



File Snapshot

[4.0K] /data/pocs/85fdb134b7051fb30a93dc555e73584c035a6b8a
├── [4.0K] images
│   └── [946K] thumbnail.png
├── [4.0K] kernel_drivers
│   ├── [ 371] CMakeLists.txt
│   ├── [5.6K] Common.h
│   ├── [1.4K] exploit_driver.inf
│   ├── [7.8K] HackSysExtremeVulnerableDriver.c
│   ├── [6.2K] HackSysExtremeVulnerableDriver.h
│   ├── [ 14K] HackSysExtremeVulnerableDriver.vcxproj
│   ├── [1.7K] HackSysExtremeVulnerableDriver.vcxproj.filters
│   ├── [ 691] HackSysExtremeVulnerableDriver.vcxproj.user
│   ├── [2.6K] HEVD.pfx
│   ├── [7.7K] ioctls.c
│   ├── [2.9K] ioctls.h
│   └── [ 12K] rwctf_driver.sln
├── [ 32K] LICENSE
├── [1.8K] README.md
└── [4.0K] userspace
    ├── [9.4K] common.cpp
    ├── [1.5K] common.h
    ├── [5.3K] memory.h
    ├── [2.6K] ntdll_defs.h
    ├── [ 17K] ntdll_undocnt.h
    ├── [ 23K] userspace.cpp
    ├── [7.4K] userspace.vcxproj
    ├── [1.5K] userspace.vcxproj.filters
    ├── [ 168] userspace.vcxproj.user
    └── [ 10K] vmm.h

3 directories, 25 files