LEARNING FOR LIFE

Get Yourself a Better Life! Free eLearning Download

Home » Ebooks & Tutorials » Technical » OS & Server » ZeroDayEngineering – Advanced Exploitation of Simple Bugs

ZeroDayEngineering – Advanced Exploitation of Simple Bugs

Leave a Comment


ZeroDayEngineering – Advanced Exploitation of Simple Bugs
English | Size: 170 MB
Genre: eLearning

At Pwn2Own Vancouver 2021 I have demonstrated an 0day VM escape exploit for Parallels Desktop hypervisor. The exploit chain that I developed was based on logic issues. In this deep technical presentation I will share the technical details of the exploit, as well as various preliminary and contextual knowledge related to it.
Logic security vulnerabilities (ie those that can be exploited without any memory corruptions) are becoming increasingly important in offensive security research right now, as Rust and other memory-safe programming languages ​​are rapidly taking over popular code bases. When evaluating the attack surface of Parallels Desktop, as an expert in both hypervisors and memory corruption bugs, I saw many opportunities for classical buffer overflows, but chose to try and find a logic bug instead. As hypervisors are ultra-complex low level software, exploitable logic bugs in them are extremely rare. I was lucky to find such a “one of a kind” bug.
Despite the bug was quite simple, the exploit turned out to be not so easy. Exploitation of the bug required me to develop a kernel module for the guest OS from which I was escaping, reverse-engineer some internal RPC protocol of the hypervisor, and emulate it in the exploit code. Eventually the exploit was 100% reliable by design, and executed arbitrary code on the Mac host. During the Pwn2Own competitions it came as a surprise that my exploit did not meet any collisions with other competition entries. Because the bug itself was quite easy, I expected that at least one participant would find and utilize it independently in their own Pwn2Own exploit. But it didn’t happen. That made me aware of the fact that a bug that looks easy does not necessarily imply an easy discovery or an easy exploitation process, an estimation which is very important for strategic aspects of offensive security research.

Syllabus
Relevant Theory
Hypervisor Threat Model
Guest Services
Protocols & Tech
Parallels Desktop
Architecture & Internals
Parallels Toolgate RE
Guest Additions
The Bug
The Exploit

DOWNLOAD FROM RAPIDGATOR

https://rapidgator.net/file/ec8a080ef345ecce3b73f7b672948980/AdvancedExploitationofSimpleBugs-aParallelsDesktopCaseStudyPwn2Own2021.rar.html

DOWNLOAD FROM TURBOBIT

https://tbit.to/cnkmlkthqkm2/AdvancedExploitationofSimpleBugs-aParallelsDesktopCaseStudyPwn2Own2021.rar.html

If any links die or problem unrar, send request to
https://forms.gle/e557HbjJ5vatekDV9

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.