VirtualBox Guest Additions VBoxGuest.sys Privilege Escalation
A vulnerability within the VBoxGuest driver allows an attacker to inject memory they control into an arbitrary location they define. This can be used by an attacker to overwrite HalDispatchTable+0x4 and execute arbitrary code by subsequently calling NtQueryIntervalProfile on Windows XP SP3 systems. This has been tested with VBoxGuest Additions up to 4.3.10r93012.
Module Name
exploit/windows/local/virtual_box_guest_additions
Authors
- Matt Bergin <level [at] korelogic.com>
- Jay Smith <jsmith [at] korelogic.com>
References
Targets
- Windows XP SP3
Platforms
- windows
Architectures
- x86
Reliability
Development
Module Options
To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':
msf > use exploit/windows/local/virtual_box_guest_additions
msf exploit(virtual_box_guest_additions) > show targets
...targets...
msf exploit(virtual_box_guest_additions) > set TARGET <target-id>
msf exploit(virtual_box_guest_additions) > show options
...show and set options...
msf exploit(virtual_box_guest_additions) > exploit