Skip to content

s0duku/cve-2022-31705

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

6 Commits
 
 
 
 
 
 
 
 
 
 

Repository files navigation

CVE-2022-31705

Intro

Example

  • use 'lsusb' to determine the device id, use the device id to set 'qh->field4'

  • vmx code will alloc a struct with 0x18 size (the size can be controlled in the code) buffer for reading guest physical memory.

  • the total size of this struct will be 0x400

  • address of this struct is 0x26d6caa80d0

  • in the end, vmx will read 0x800 size (can be controlled in the code) of physical memory into 0x2606CAA84C0, which is the last 0x10 byte of 0x26d6caa80d0 (first 0x8 is already readed at the alloc stage)

  • for sure, it will cause a OOB write.

About

CVE-2022-31705 (Geekpwn 2022 Vmware EHCI OOB) POC

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published