Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2019-2525 PoC — Oracle Virtualization VM VirtualBox 访问控制错误漏洞

Source
https://github.com/Phantomn/VirtualBox_CVE-2019-2525-CVE-2019-2548
Associated Vulnerability
Title:Oracle Virtualization VM VirtualBox 访问控制错误漏洞 (CVE-2019-2525)
Description:Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization (subcomponent: Core). Supported versions that are affected are prior to 5.2.24 and prior to 6.0.2. Difficult to exploit vulnerability allows low privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle VM VirtualBox accessible data. CVSS 3.0 Base Score 5.6 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N).
Readme
# VirtualBox 3D PoCs & exploits

*Author*: [@_niklasb](https://twitter.com/_niklasb)

[Overview article](https://phoenhex.re/2018-07-27/better-slow-than-sorry).

[License](https://github.com/niklasb/3dpwn/blob/master/LICENSE)

## Exploits

See the subdirectories other than `lib`.

## Debug build

For Arch Linux, you can use the provided PKGBUILD in `archpkg` to get a debug version of
5.2.18, with the 3D security fixes from July 2018 reverted.

## Library

`lib/hgcm.py` and `lib/chromium.py` provide high-level access to the HGCM interface and
to the `VBoxSharedCrOpenGL` service, via `VBoxGuest` IOCTLs.
`chromium.py` can be used to very easily experiment with Chromium from Python
inside the guest. I used it to build a very simple, completely dumb fuzzer that
found multiple trivial crashes in minutes.
File Snapshot

 [4.0K]  /data/pocs/a8d2795a2be0ebe2190c9abd5758e305e0db8cee
├── [4.0K]  archpkg
│   ├── [4.0K]  5.2.22_with_reverted_security_fixes
│   │   ├── [1.2K]  002-dri-driver-path.patch
│   │   ├── [ 872]  005-gsoap-build.patch
│   │   ├── [ 737]  006-rdesktop-vrdp-keymap-path.patch
│   │   ├── [ 698]  008-no-vboxvideo.patch
│   │   ├── [3.5K]  009-include-path.patch
│   │   ├── [ 625]  010-qt-5.11.patch
│   │   ├── [1.2K]  012-vboxsf-automount.patch
│   │   ├── [ 336]  013-assert.patch
│   │   ├── [ 573]  014-fixes.patch
│   │   ├── [ 16K]  015-revertogl.patch
│   │   ├── [ 776]  60-vboxdrv.rules
│   │   ├── [ 161]  60-vboxguest.rules
│   │   ├── [  58]  build.sh
│   │   ├── [ 894]  LocalConfig.kmk
│   │   ├── [ 500]  mount.vboxsf
│   │   ├── [ 17K]  PKGBUILD
│   │   ├── [ 378]  README.md
│   │   ├── [1.2K]  vboxreload
│   │   ├── [ 239]  vboxservice-nox.service
│   │   ├── [ 281]  vboxservice.service
│   │   ├── [ 221]  vboxweb.service
│   │   ├── [ 665]  virtualbox-ext-vnc.install
│   │   ├── [1.1K]  virtualbox-guest-dkms.conf
│   │   ├── [ 337]  virtualbox-guest-dkms.install
│   │   ├── [  15]  virtualbox-guest-utils.sysusers
│   │   ├── [1.1K]  virtualbox-host-dkms.conf
│   │   ├── [ 337]  virtualbox-host-dkms.install
│   │   ├── [ 327]  virtualbox.install
│   │   ├── [  18]  virtualbox.sysusers
│   │   └── [ 289]  virtualbox-vboxsf-dkms.conf
│   ├── [4.0K]  6.0.2_debug
│   │   ├── [1.2K]  002-dri-driver-path.patch
│   │   ├── [ 872]  005-gsoap-build.patch
│   │   ├── [ 665]  006-rdesktop-vrdp-keymap-path.patch
│   │   ├── [ 698]  008-no-vboxvideo.patch
│   │   ├── [3.5K]  009-include-path.patch
│   │   ├── [ 587]  011-python-3-7.patch
│   │   ├── [ 711]  012-vbglR3GuestCtrlDetectPeekGetCancelSupport.patch
│   │   ├── [ 336]  013-assert.patch
│   │   ├── [1.2K]  101-vboxsf-automount.patch
│   │   ├── [ 776]  60-vboxdrv.rules
│   │   ├── [ 161]  60-vboxguest.rules
│   │   ├── [  58]  build.sh
│   │   ├── [ 997]  LocalConfig.kmk
│   │   ├── [ 500]  mount.vboxsf
│   │   ├── [ 16K]  PKGBUILD
│   │   ├── [1.2K]  vboxreload
│   │   ├── [ 239]  vboxservice-nox.service
│   │   ├── [ 281]  vboxservice.service
│   │   ├── [ 221]  vboxweb.service
│   │   ├── [ 665]  virtualbox-ext-vnc.install
│   │   ├── [1.1K]  virtualbox-guest-dkms.conf
│   │   ├── [ 337]  virtualbox-guest-dkms.install
│   │   ├── [  15]  virtualbox-guest-utils.sysusers
│   │   ├── [1.1K]  virtualbox-host-dkms.conf
│   │   ├── [ 337]  virtualbox-host-dkms.install
│   │   ├── [ 327]  virtualbox.install
│   │   ├── [  18]  virtualbox.sysusers
│   │   └── [ 298]  virtualbox-vboxsf-dkms.conf
│   └── [ 171]  README.md
├── [4.0K]  CVE-2018-3055+3085
│   ├── [8.8K]  exploit.py
│   ├── [2.8K]  README.md
│   └── [1.3K]  trigger-CVE-2018-3085.py
├── [4.2K]  ex.py
├── [4.0K]  lib
│   ├── [2.5K]  chromium.py
│   ├── [2.8K]  chromium.pyc
│   ├── [ 11K]  hgcm.py
│   ├── [6.4K]  hgcm.pyc
│   ├── [ 20K]  opcodes.py
│   └── [ 25K]  opcodes.pyc
├── [1.5K]  LICENSE
└── [ 810]  README.md

5 directories, 71 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →