Overview
Examine a memory-corruption vulnerability in Hyper-V's emulated storage component and learn how it was exploited on Windows Server 2012 R2 in this 50-minute Black Hat conference talk. The talk covers the bug's discovery, the constraints the exploit had to work within, and the relevant memory layout, followed by a live demonstration. It then turns to exploitation on Windows 10 1709, walking through the ideas tried, the VideoDirtListener and direct-caller looping approaches, the RPC server call, and a memory-copy gadget, before assembling a strategy. The raw payload is analysed and demonstrated, a second payload is discussed, and the role of the VM Worker process is examined. The talk closes with lessons learned on language safety, bug elimination, and virtualization sandboxing.
Syllabus
Intro
The story of the vulnerability
The bug
Constraints
Memory Layout
Demo
Windows 10 1709
Ideas
First Attempt
VideoDirtListener
Looping in Direct Caller
RPC Server Call2
MemCopy Gadget
Strategy
Raw payload
Raw payload demo
Second payload
VM Worker
Lessons Learned
Language Safety
Bug Elimination
Virtualization Sandbox
Outro
Taught by
Black Hat