
CVE-2021-2119 PoC — Oracle Virtualization Security Vulnerability

Source
Associated Vulnerability
Title: Oracle Virtualization Security Vulnerability (CVE-2021-2119)
Description: Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is prior to 6.1.18. Easily exploitable vulnerability allows a high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle VM VirtualBox accessible data. CVSS 3.1 Base Score 6.0 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N).
Description
0day VirtualBox 6.1.2 Escape for RealWorld CTF 2020/2021 CVE-2021-2119
Readme
# RWCTF21-VirtualBox-61-escape

0day VirtualBox 6.1 Escape for RealWorld CTF 2020/2021

## Demo 

[![Exploit Demo](images/thumbnail.png)](https://youtu.be/mjKxafMbpS0)

## What?

This is our solution for RealWorld CTF's "Box Escape" challenge from the 2020/2021 quals. ~~Currently a 0day but we'll add the CVE number once there is one.~~ CVE-2021-2119


## How does it work?

We wrote a blogpost describing the vulnerabilities and our exploit techniques. You can find it [here](https://secret.club/2021/01/14/vbox-escape.html).

## How to protect yourself?

Until the release build of VirtualBox is patched, disable SCSI.

## Credits

Writing this exploit was a joint effort of a bunch of people. 

- ESPR's [spq](https://twitter.com/__spq__), [tsuro](https://twitter.com/_tsuro) and [malle](https://twitter.com/fktio) who don't need an introduction :D

- My ALLES! teammates and windows experts Alain Rödel aka [0x4d5a](https://twitter.com/0x4d5aC) and Felipe Custodio Romero aka [localo](https://twitter.com/_localo_)

- [niklasb](https://twitter.com/_niklasb) for his [prior work](https://github.com/niklasb/sploits/tree/master/virtualbox/hgcm-oob/) and for some helpful pointers! 

> "A ROP chain a day keeps the doctor away. Always keep that in mind, my grandpa always said."

~ *Niklas Baumstark (2021)*

- myself, Ilias Morad aka [A2nkF](https://twitter.com/A2nkF_) :)

I had the pleasure of working with this group of talented people over the course of multiple sleepless nights and days during and even after the CTF was already over just to get the exploit working properly on a release build of VirtualBox and to improve stability. This truly shows what a small group of dedicated people is able to achieve in an incredibly short period of time if they put their minds to it! I'd like to thank every single one of you :D



File Snapshot

```
[4.0K] /data/pocs/85fdb134b7051fb30a93dc555e73584c035a6b8a
├── [4.0K] images
│   └── [946K] thumbnail.png
├── [4.0K] kernel_drivers
│   ├── [ 371] CMakeLists.txt
│   ├── [5.6K] Common.h
│   ├── [1.4K] exploit_driver.inf
│   ├── [7.8K] HackSysExtremeVulnerableDriver.c
│   ├── [6.2K] HackSysExtremeVulnerableDriver.h
│   ├── [ 14K] HackSysExtremeVulnerableDriver.vcxproj
│   ├── [1.7K] HackSysExtremeVulnerableDriver.vcxproj.filters
│   ├── [ 691] HackSysExtremeVulnerableDriver.vcxproj.user
│   ├── [2.6K] HEVD.pfx
│   ├── [7.7K] ioctls.c
│   ├── [2.9K] ioctls.h
│   └── [ 12K] rwctf_driver.sln
├── [ 32K] LICENSE
├── [1.8K] README.md
└── [4.0K] userspace
    ├── [9.4K] common.cpp
    ├── [1.5K] common.h
    ├── [5.3K] memory.h
    ├── [2.6K] ntdll_defs.h
    ├── [ 17K] ntdll_undocnt.h
    ├── [ 23K] userspace.cpp
    ├── [7.4K] userspace.vcxproj
    ├── [1.5K] userspace.vcxproj.filters
    ├── [ 168] userspace.vcxproj.user
    └── [ 10K] vmm.h

3 directories, 25 files
```