parallels-plist-escape

This repository contains exploits for CVE-2023-27327 and CVE-2023-27328, which can be used together to escape a Parallels Desktop virtual machine, prior to Parallels Desktop 18.1.1.

It also contains code for a required kernel module, in prl_mod, which can be used to send arbitrary Toolgate requests (< opcode 0x8000) from userland, using a proc entry created at /proc/driver/prl_tg_pwn.

Requirements

Root in the guest so you can load the kernel module
Parallels Tools installed - this is not strictly required if we have root in the guest, but the code here assumes it's present
At least one share mounted into the VM, it doesn't matter where this is on the host

Running the exploit

Build and load the kernel module:

cd prl_mod
make -f Makefile.kmods
sudo insmod ./prl_tg_pwn/Toolgate/Guest/Linux/prl_tg/prl_tg_pwn.ko

Run the exploit:

cd ..
pip install -r requirements.txt
./3_full_chain.py

Name		Name	Last commit message	Last commit date
Latest commit History 1 Commits
prl_mod		prl_mod
toolgate		toolgate
1_write_file.py		1_write_file.py
2_plist_injection.py		2_plist_injection.py
3_full_chain.py		3_full_chain.py
README.md		README.md
pwn.dylib		pwn.dylib
requirements.txt		requirements.txt
smile.png		smile.png

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

prl_mod

prl_mod

toolgate

toolgate

1_write_file.py

1_write_file.py

2_plist_injection.py

2_plist_injection.py

3_full_chain.py

3_full_chain.py

README.md

README.md

pwn.dylib

pwn.dylib

requirements.txt

requirements.txt

smile.png

smile.png

Repository files navigation

parallels-plist-escape

Requirements

Running the exploit

About

Releases

Packages

Languages

kn32/parallels-plist-escape

Folders and files

Latest commit

History

Repository files navigation

parallels-plist-escape

Requirements

Running the exploit

About

Resources

Stars

Watchers

Forks

Languages