This repository contains some of the Hyper-V related work I did in the past...
My code from the "Inside Hyper-V" chapter of the Gray Hat Hacking book (6th edition).
Original repository: https://github.com/GrayHatHacking/GHHv6.git
Includes a framework that can be used to perform hypervisor research/fuzzing and Hyper-V-specific code (hypercalls, MSRs, VMBus communication).
WinDbg script that can be used when debugging hvix64 and provides the following features:
- Dumping VMCS contents.
- Dumping EPT tables.
- GPA -> SPA translation.
- Conditional breakpoints on VMExit conditions:
  - Use `!brexit conditions`.
  - Where `conditions` is in the form `condition1 condition2 .. conditionN`.
  - Each condition consists of 3 parts (in the described order and without space between them):
    - A VMCS field name (for example `VM_EXIT_REASON`).
    - A condition code: any of `==`, `!=`, `<=`, `>=`, `<`, `>`.
    - An integer value.
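As an added example (not the repository's script), this is how a WinDbg JavaScript extension could parse and evaluate `!brexit`-style conditions against a VMCS snapshot. It assumes that values may be decimal or `0x` hex, that several conditions are AND-ed, and that the snapshot object (with the field names `EXIT_QUALIFICATION` and `GUEST_RIP`, and all of its values) is constructed sample data rather than something read from a real guest.

```javascript
// Added example: parse and evaluate `!brexit`-style conditions (FIELDopVALUE,
// space separated). Assumptions: decimal or 0x-hex values, conditions AND-ed,
// VMCS snapshot is a plain object; SAMPLE_VMCS is constructed test data.

// Two-character operators are tried before their one-character prefixes,
// otherwise "<=30" would parse as "<" followed by the non-integer "=30".
const OPERATORS = ["==", "!=", "<=", ">=", "<", ">"];
const FIELD_RE = /^[A-Z_][A-Z0-9_]*/;
const VALUE_RE = /^(0x[0-9a-fA-F]+|[0-9]+)$/;
const COMPARE = {
  "==": (a, b) => a === b,
  "!=": (a, b) => a !== b,
  "<=": (a, b) => a <= b,
  ">=": (a, b) => a >= b,
  "<": (a, b) => a < b,
  ">": (a, b) => a > b,
};
// Parse one "FIELDopVALUE" token into { field, op, value }; BigInt because
// VMCS fields such as GUEST_RIP are 64 bits wide.
function parseCondition(token) {
  const fieldMatch = FIELD_RE.exec(token);
  if (!fieldMatch) throw new Error(`no VMCS field name in: ${token}`);
  const field = fieldMatch[0];
  const rest = token.slice(field.length);
  const op = OPERATORS.find((o) => rest.startsWith(o));
  if (!op) throw new Error(`unknown operator in: ${token}`);
  const valueText = rest.slice(op.length);
  if (!VALUE_RE.test(valueText)) throw new Error(`not an integer: ${valueText}`);
  return { field, op, value: BigInt(valueText) };
}
// Parse "condition1 condition2 .. conditionN".
function parseConditions(text) {
  return text.trim().split(/\s+/).filter((t) => t.length > 0).map(parseCondition);
}
// True when every condition holds for the snapshot; an unknown field is an
// error rather than a silent non-match (a typo should not hide a breakpoint).
function shouldBreak(conditions, vmcs) {
  return conditions.every(({ field, op, value }) => {
    if (!(field in vmcs)) throw new Error(`unknown VMCS field: ${field}`);
    return COMPARE[op](BigInt(vmcs[field]), value);
  });
}
// Constructed snapshot: basic exit reason 30 is "I/O instruction".
const SAMPLE_VMCS = { VM_EXIT_REASON: 30n, EXIT_QUALIFICATION: 0x5d0000n, GUEST_RIP: 0xfffff80012345678n };
// Break only on I/O-instruction exits raised from kernel-mode guest code.
function demo() {
  return shouldBreak(parseConditions("VM_EXIT_REASON==30 GUEST_RIP>=0xfffff80000000000"), SAMPLE_VMCS);
}
```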
Proof of concept for Hyper-V stack overflow bug (hvix64).
Advisory: https://labs.bluefrostsecurity.de/advisories/bfs-sa-2020-001/
Proof of concept for Hyper-V NULL deref bug (hvix64).
Advisory: https://labs.bluefrostsecurity.de/advisories/bfs-sa-2020-002/
Proof of concept for Hyper-V type confusion bug (hvix64).
Advisory: https://labs.bluefrostsecurity.de/advisories/bfs-sa-2020-003/
Proof of concept for Hyper-V arbitrary memory read bug (vmswitch).
Advisory: https://labs.bluefrostsecurity.de/advisories/bfs-sa-2021-001/
Original repository: https://github.com/bluefrostsecurity/CVE-2021-28476
Notes:
- This bug was classified as RCE, learn why here.
- This bug has also been presented by other researchers: https://www.youtube.com/watch?v=ALcm6pmR8ck
- In the advisory I included other OOB read bugs I found but no CVEs were assigned to them.