
Vm ware fuzzing - defcon russia 20


Published on http://defcon-russia.ru

Published in: Technology


  1. Virtual DoS is useful. Peter Kamensky, @Python0x0, Defcon Russia 0x16
  2. WhoAmI
  3. Agenda
  4. VMWare VM theory notes
  5. VMWare Backdoor I/O
  6. VMWare GuestRPC
  7. GuestRPC work scheme: Open channel, Send length, Send data, Get return data length, Receive data, End of receive, Close channel
  8. GuestRPC packet example
  9. VMWare VM main loop (diagram: Guest VM; Backdoor I/O; VMM vmx86/ESXi kernel; IOCTL/syscall; user-mode vmware-vmx main vm-loop; BackDoor I/O handler; UserRPC handler; GuestRPC handler)
  10. Fuzzing GuestRPC
  11. Grab GuestRPC commands: http://pastebin.com/HWGtfy3G
  12. Create a simple fuzzer
  13. HGFS DoS bugs
  14. Host Guest File System
  15. HGFS #1
  16. HGFS #2
  17. SetGuestInfo memory leak
  18. SetGuestInfo
  19. Host memory abuse
  20. Impact
  21. VMWare fixes
  22. How to use?
  23. Countermeasure to AV sandbox system
  24. Obvious steps
  25. Not so easy
  26. Never fixed VMWare behavior: http://www.piotrbania.com/all/adv/vmware-io-adv.txt
  27. RWEverything: http://rweverything.com/
  28. NOT_IMPLEMENTED + RWEverything
  29. Conclusion
  30. Questions?
