CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!
CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!
Path: blob/master/documentation/modules/post/linux/dos/xen_420_dos.md
Views: 1904
This is a post exploitation module that exploits a memory corruption bug in Xen 4.2.0, causing a denial-of-service against the hypervisor from a guest VM. From the original advisory:
Downgrading the grant table version of a guest involves freeing its status pages. This freeing was incomplete - the page(s) are freed back to the allocator, but not removed from the domain's tracking list. This would cause list corruption, eventually leading to a hypervisor crash.
Mechanism
This module aims to be portable by building the exploit module on the target machine directly, building a malicious Linux Kernel Module (LKM) and inserting it into the kernel of the paravirtualized host. It is necessary to build the kernel module on the fly, since kernel ABIs are notoriously unstable and unlikely to work between multiple kernel versions.
This module is tested on Debian and Ubuntu hosts running various versions of Xen. Because the LKM is built at exploit-time, it requires that build tools and kernel headers for the currently-running kernel to exist on the target machine.
Scenarios
Failure (bad Xen version):
Success:
Future Work
A kernel module compilation mixin that works like the Dynamic Kernel Module Support (DKMS) framework, would be useful in order to allow other kernel-level exploits to be built as-needed. Supporting this using the Metasploit Post Exploitation API and supporting more Linux distributions would make similar exploits easier to build.