Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Pre-Auth Remote Code Execution in VMware ESXi - 415

Lucas Leong - ZDI. Posted 5 years ago.
  • VMware ESXi is a bare-metal hypervisor. The component being attacked is the Service Location Protocol (SLP) daemon, a network service that listens on both TCP and UDP in default installations. This service runs as root and requires no authentication.
  • First, a use after free (UAF) exists while parsing an SLPMessage. The message pointer is added to a database but then freed with specific code paths from the call.
  • The second bug stems from improper use of strstr. This function finds a needle in a haystack (substring search) and keeps reading until it hits a NUL. When VMware applies it to a URL, the string being parsed is NOT properly NUL-terminated, so the match can land beyond the real end of the data. Because of this, a later memcpy uses an improper size, which leads to a buffer overflow.
  • To actually get code execution from this buffer overflow requires a lot more work though. It appears that no NULL bytes can be written using the current overflow, so the author wanted to upgrade the bug using the original bug.
  • The SLP uses a struct called SLPBuffer to handle events it sends and receives, where a sendbuf and a recvbuf are made for each socket connection. The goal is to overwrite a length value in this struct to eventually leak memory.
  • With the NULL limitation, it is not so simple to overwrite the size in the struct to leak memory; some heap feng shui must be done first on glibc malloc. The author places a hole just below the target chunk. Using the heap overflow, the size of the next chunk is changed so that it overlaps the target chunk. Once this overlap occurs, the target can be overwritten with NULL bytes, and leaks are obtained via the receive buffer.
  • The author ran into an issue with calloc. calloc is just like malloc except that its parameters differ slightly and the returned memory is zeroed during allocation. To get around this, the author sets the is_mmap chunk bit so that calloc does not overwrite the chunk with all 0s.
  • The author has a nice step-by-step for how this happens. The only new thing is how a shell is popped. The author gets an mmap address leaked, which can be used to infer the location of libc. With this, the curpos of a connection can be written to obtain an arbitrary write primitive, and that primitive is used to overwrite __free_hook to hijack control flow into a ROP chain.
  • The analysis of the heap grooming here was really awesome. Sometimes a buffer overflow without NULL bytes feels like a death sentence, but proper heap feng shui can be used to create a leak and then a more powerful primitive. Additionally, the author references open-source libraries that VMware uses but did NOT fix. Reversing is hard, but finding the equivalent open-source code can make life easier.
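The strstr bullet above describes a bug class that is worth seeing in code: a C-string search applied to a length-delimited network buffer that carries no NUL terminator. The following is an added example written for this page, not code from the ZDI post or from VMware; the URL layout, the `backing` buffer, the `HOST_MAX` field size and the function names are all constructed for illustration. It shows the defective pattern (length ignored, so the match and the derived copy size come from bytes outside the message) next to a hardened parser that bounds every search by the message length and refuses copies that would not fit.

```c
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define HOST_MAX 16   /* fixed-size destination field, as in the defective pattern */

/* Constructed for this example: a receive buffer whose logical message is the
 * first MSG_LEN bytes. There is no NUL terminator at MSG_LEN; what follows is
 * stale data left over from an earlier, longer packet. */
static const char backing[] =
    "service:echo.example"                        /* the 20-byte message received */
    "stale://"                                    /* leftover bytes from an old packet */
    "aaaaaaaa" "aaaaaaaa" "aaaaaaaa" "aaaaaaaa"   /* 32 bytes of an old host name */
    "/old";
#define MSG_LEN 20

/* The defective pattern: strstr/strchr ignore the message length and keep
 * reading until they hit a NUL, so the match (and the length derived from it)
 * can come from bytes that were never part of this message. The real-world
 * pattern passes this value straight to memcpy into a HOST_MAX byte field;
 * this function stops at computing it so the program stays well-defined. */
int unbounded_host_length(const char *buf, size_t len) {
    (void)len;                               /* the length is never consulted */
    const char *p = strstr(buf, "://");
    if (p == NULL) return -1;
    p += 3;
    const char *end = strchr(p, '/');
    if (end == NULL) end = p + strlen(p);
    return (int)(end - p);
}

/* Bounded substring search: never looks beyond hay + haylen. */
static const char *bounded_find(const char *hay, size_t haylen, const char *needle) {
    size_t nlen = strlen(needle);
    for (size_t i = 0; nlen <= haylen && i + nlen <= haylen; i++)
        if (memcmp(hay + i, needle, nlen) == 0) return hay + i;
    return NULL;
}

/* Hardened form: every search is limited to the message length, and the copy
 * is refused unless the host fits in the destination with its terminator.
 * Returns the host length, or -1 if the message is rejected. */
int extract_host(const char *buf, size_t len, char *out, size_t outsz) {
    const char *p = bounded_find(buf, len, "://");
    if (p == NULL) return -1;
    p += 3;
    size_t remaining = (size_t)(buf + len - p);
    const char *end = memchr(p, '/', remaining);
    if (end == NULL) end = p + remaining;
    size_t hostlen = (size_t)(end - p);
    if (hostlen == 0 || hostlen >= outsz) return -1;   /* would not fit with NUL */
    memcpy(out, p, hostlen);
    out[hostlen] = '\0';
    return (int)hostlen;
}

/* Convenience for checks: parse msg into a HOST_MAX field and report whether
 * the extracted host equals expected (1) or the message was rejected (0). */
int host_equals(const char *msg, size_t len, const char *expected) {
    char host[HOST_MAX];
    return extract_host(msg, len, host, sizeof host) >= 0 && strcmp(host, expected) == 0;
}

int main(void) {
    char host[HOST_MAX];
    printf("unbounded length on unterminated message: %d (field holds %d bytes)\n",
           unbounded_host_length(backing, MSG_LEN), HOST_MAX);
    printf("bounded parse of the same message: %d (rejected)\n",
           extract_host(backing, MSG_LEN, host, sizeof host));
    const char *good = "service:echo://host.example/abc";
    int n = extract_host(good, strlen(good), host, sizeof host);
    printf("bounded parse of a well-formed URL: %d -> %s\n", n, host);
    return 0;
}
```

The point to take from the comparison is that the unbounded version returns 32 for a 20-byte message whose destination field holds 16 bytes, purely because of bytes that happened to follow the message in memory, while the bounded version rejects that message outright and only copies when the length check passes. Any fix that merely appends a NUL after the data is weaker than this: it still depends on the caller remembering to do so on every path, whereas length-bounded searches carry the limit with them.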