VirtualBox Guest Additions VBoxGuest.sys Privilege Escalation
A vulnerability within the VBoxGuest driver allows an attacker to inject memory they control into an arbitrary location they define. This can be used by an attacker to overwrite HalDispatchTable+0x4 and execute arbitrary code by subsequently calling NtQueryIntervalProfile on Windows XP SP3 systems. This has been tested with VBoxGuest Additions up to 4.3.10r93012.
- Matt Bergin <level [at] korelogic.com>
- Jay Smith <jsmith [at] korelogic.com>
- Windows XP SP3
To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':
msf > use exploit/windows/local/virtual_box_guest_additions msf exploit(virtual_box_guest_additions) > show targets ...targets... msf exploit(virtual_box_guest_additions) > set TARGET <target-id> msf exploit(virtual_box_guest_additions) > show options ...show and set options... msf exploit(virtual_box_guest_additions) > exploit