The content of this repository is meant to be the official release of the tooling/exploit that was discussed during the OffensiveCon 2019 talk - 3D Accelerated Exploitation. The talk dealt with research into the VirtualBox 3D Acceleration feature, which is backed by a software component called Chromium.
The talk can be found here.
The harness implements an interface useful for experimenting with 3D acceleration outside of VirtualBox. Essentially, the host library makes it possible to write code that interacts with the Chromium server in much the same way code would from a guest operating system. Ideally, experimental/exploit code can then be taken and added to the guest library, which implements the same interface as a guest would, and should work exactly the same. A high-level overview of the implementation is shown below.
Interface | Host | Guest |
---|---|---|
vbox3d::connect | crVBoxServerAddClient | VBGLIOCHGCMCONNECT |
vbox3d::disconnect | crVBoxServerRemoveClient | VBGLIOCHGCMDISCONNECT |
vbox3d::hgcm_call | svcCall | VBGLIOCHGCMCALL |
The implementation behind the host libraries uses exported methods from the `VBoxSharedCrOpenGL.dll` module, except for `svcCall`, which is obtained by initialising the `VBoxSharedCrOpenGL` service in a specific way, using the `VBoxHGCMSvcLoad` export.
The guest library implements the interface by communicating with the guest additions device file (only Linux supported).
For the host libraries to work (against production or debug), the following modules need to be in the same directory as the executable:
- VBoxSharedCrOpenGL.dll
- VBoxREM.dll
- VBoxRT.dll
- VBoxVMM.dll
- VBoxOGLhostcrutil.dll
- VBoxOGLhosterrorspu.dll
- VBoxOGLrenderspu.dll
The host libraries have only been written for Windows. The repository contains a simple script, `build.bat`, that compiles the code. This script is intended to be run from the Native Tools command prompt that comes with Visual Studio when C++ is added as a language.
The guest libraries have been written for Linux guests. However, compared to the host libraries, it should be significantly easier to port the code for Windows guests. This repository includes a makefile for building the guest exploit/binary.
Obtaining a pointer to `svcCall` relies on the size of the `VBOXHGCMSVCFNTABLE` struct and the offset of `svcCall` within this struct. The library has only been tested against VirtualBox 5.2.22/24.
The release of the fuzzing toolkit is minimal, with sample harnesses and some information on how to compile VirtualBox with American Fuzzy Lop (AFL). By "some" it is meant that VirtualBox build dependencies aren't covered in this writeup.
The exploit code in `offensivecon2019` contains the code exploiting the libraries on the host operating system (see `exploit-dev-harness`) and on the guest operating system. The exploit uses CVE-2019-2525 to leak an address that is used to bypass ASLR, and then CVE-2019-2548 to obtain an arbitrary write primitive.
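The attack surface above only exists on VMs that have 3D acceleration enabled. The script below is an added example, not part of this release, that audits VirtualBox VMs for that setting; it assumes the `accelerate3d="on"|"off"` line that `VBoxManage showvminfo <vm> --machinereadable` prints, and uses constructed sample output so it runs without VirtualBox installed.

```shell
#!/bin/sh
# Added example (not part of the release): audit VirtualBox VMs for the 3D
# acceleration setting that exposes the Chromium service discussed above.
# Assumes `VBoxManage showvminfo <vm> --machinereadable` output, which carries a
# line of the form accelerate3d="on" or accelerate3d="off".

# Print the accelerate3d value ("on"/"off"/"unknown") from showvminfo text on stdin.
accel3d_state() {
    state=$(sed -n 's/^accelerate3d="\([^"]*\)"$/\1/p')
    [ -n "$state" ] && printf '%s\n' "$state" || printf 'unknown\n'
}

# Given a VM name and its showvminfo output, print a one-line verdict and the
# remediation command when 3D acceleration is enabled.
audit_vm() {
    name=$1
    info=$2
    state=$(printf '%s\n' "$info" | accel3d_state)
    case $state in
        on)  printf 'EXPOSED  %s: 3D acceleration on; run: VBoxManage modifyvm "%s" --accelerate3d off\n' "$name" "$name" ;;
        off) printf 'ok       %s: 3D acceleration off\n' "$name" ;;
        *)   printf 'unknown  %s: no accelerate3d line in showvminfo output\n' "$name" ;;
    esac
}

# Constructed sample output (abbreviated) standing in for a real VBoxManage run.
SAMPLE_ON='name="dev-guest"
ostype="Ubuntu_64"
accelerate3d="on"
accelerate2dvideo="off"'
SAMPLE_OFF='name="build-guest"
accelerate3d="off"'

# Live use on a host would loop over `VBoxManage list vms` instead:
#   VBoxManage list vms | sed 's/^"\(.*\)" {.*}$/\1/' | while read -r vm; do
#       audit_vm "$vm" "$(VBoxManage showvminfo "$vm" --machinereadable)"
#   done
audit_vm dev-guest "$SAMPLE_ON"
audit_vm build-guest "$SAMPLE_OFF"
```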