Over the past month or so, I have shared "URB Excalibur: The New VMware All-Platform VM Escapes" with @0x140ce at two conferences.
Now both slides are already public (basically the same):
CanSecWest 2024:
BlackHat Asia 2024:
Here is my demo of the VM escape exploit on the latest version of VMware Fusion along with ESXi and Workstation. It was used to participate in GeekPwn 2022 and won the championship.
I’m so surprised and honored to win 🏆 @PwnieAwards for Best Privilege Escalation for my VMware VM escapes research last year 🥳🥳. We have submitted our research to BlackHat EU and hope we can share it with you.
Successfully bypassing the ArrayBuffer isolation in Adobe Reader and completing the full chain with @ezrak1e, I will have the opportunity to share how to perform heap layout under ArrayBuffer isolation and how my vul can reuse the ArrayBuffer as an arbitrary R/W primitive.
Fourth time to participate in organizing D^3CTF, but the first time to create a challenge. Very happy that someone thinks RealESXi is the best challenge this year.
@0xhatim @c3rb3ru5d3d53c Do you mean Parallels Desktop? It definitely doesn't work, because they are different software. But they should have the same attack vector.
Thanks to Moesang and e99p1ant for helping me build the ESXi container environment, through cluster->docker->qemu->esxi, so it can be dynamically created and destroyed.
@PwnieAwards Many thanks for nominating my VMware VM escape, but there was a mistake: we demonstrated the VMware Fusion escape at @GeekPwn 2022, not Pwn2Own. I emailed Ian 10 days ago but you seem to have missed it 😢