Repository: xairy/vmware-exploitation (https://github.com/xairy/vmware-exploitation)
Description: A collection of links related to VMware escape exploits
License: CC-BY-4.0 | Stars: 1394 | Forks: 210 | Default branch: master
Created: 2018-12-06 | Last pushed: 2024-09-04 | Topics: vmware-exploitation
Catalogue entry: https://awesome.ecosyste.ms/projects/github.com%2Fxairy%2Fvmware-exploitation

VMware Exploitation
===================

A collection of links related to VMware escape exploits.

Pull requests are welcome.

Follow [@andreyknvl](https://twitter.com/andreyknvl) on Twitter or [@xairy@infosec.exchange](https://infosec.exchange/@xairy) on Mastodon to be notified of updates.

## Research

### 2024

- "Chaining N-days to Compromise All": ["Part 4 — VMware Workstation Information leakage"](https://blog.theori.io/chaining-n-days-to-compromise-all-part-4-vmware-workstation-information-leakage-44476b05d410), ["Part 5 — VMware Workstation Guest-to-Host Escape"](https://blog.theori.io/chaining-n-days-to-compromise-all-part-5-vmware-workstation-host-to-guest-escape-5a1297e431b5) [articles]
- ["Unveiling the Cracks in Virtualization, Mastering the Host System — VMware Workstation Escape"](https://i.blackhat.com/Asia-24/Presentations/Asia-24-VictorV-Unveiling-the-Cracks-in-Virtualization-Mastering-the-Host-System.pdf) [slides]
- ["Vulnerabilities found in VMWare by me" by Gabriel Durdiak](https://gabrieldurdiak.github.io/vmwarevuln/) [article]
- ["URB Excalibur: The New VMware All-Platform VM Escapes"](https://i.blackhat.com/Asia-24/Presentations/Asia-24-Jiang-URB-Excalibur-The-New-VMware-All-Platform-VM-Escapes.pdf) [slides]

### 2023

- ["Rogue CDB: Escaping from VMware Workstation Through the Disk Controller" by Wenxu Yin](https://conference.hitb.org/hitbsecconf2023hkt/materials/D1T2%20-%20Rogue%20CDB%20Escaping%20from%20VMware%20Workstation%20Through%20the%20Disk%20Controller%20-%20Wenxu%20Yin.pdf) [slides] [[video](https://www.youtube.com/watch?v=_PfuJN-I8-8)]
- ["CVE-2023-20869/20870: Exploiting VMware Workstation at Pwn2Own Vancouver"](https://www.zerodayinitiative.com/blog/2023/5/17/cve-2023-2086920870-exploiting-vmware-workstation-at-pwn2own-vancouver) [article]

### 2021

- ["From Binary Patch to Proof-of-concept: a VMware ESXi vmxnet3 Case Study" by Alisa Esage](https://zerodayengineering.com/research/vmware-esxi-vmxnet3-from-patch-to-poc.html) [article]

### 2020

- ["Detailing Two VMware Workstation TOCTOU Vulnerabilities" by Reno Robert](https://www.zerodayinitiative.com/blog/2020/10/22/detailing-two-vmware-workstation-toctou-vulnerabilities) [article]
- ["SpeedPwning VMware Workstation: Failing at Pwn2Own, but doing it fast" by Corentin Bayet and Bruno Pujos](https://www.synacktiv.com/sites/default/files/2020-10/Speedpwning_VMware_Workstation.pdf) [slides]
- ["Pwning VMware, Part 2: ZDI-19-421, a UHCI bug"](https://nafod.net/blog/2020/02/29/zdi-19-421-uhci.html) [article]
- ["CVE-2020-3947: Use-After-Free Vulnerability in the VMware Workstation DHCP Component" by KP Choubey](https://www.zerodayinitiative.com/blog/2020/4/1/cve-2020-3947-use-after-free-vulnerability-in-the-vmware-workstation-dhcp-component) [article]

### 2019

- "The Great Escape of ESXi" (36C3) [[video](https://www.youtube.com/watch?v=XHDwsvywX50)] [[slides](https://docs.google.com/presentation/d/19UhOPKQvxpIyfFiEH4ylRIDcbl57Ekqrvyk2K_el47c/edit?usp=sharing)]
- ["Taking Control of VMware through the Universal Host Controller Interface: Part 1" by Abdul-Aziz Hariri](https://www.zerodayinitiative.com/blog/2019/5/7/taking-control-of-vmware-through-the-universal-host-controller-interface-part-1) [article]
- ["Taking Control of VMware through the Universal Host Controller Interface: Part 2" by Abdul-Aziz Hariri](https://www.zerodayinitiative.com/blog/2019/8/15/taking-control-of-vmware-through-the-universal-host-control-interface-part-2) [article]
- ["Breaking Turtles All the Way Down: An Exploitation Chain to Break out of VMware ESXi" by Hanqing Zhao et al.](https://www.usenix.org/system/files/woot19-paper_zhao.pdf) [paper]

### 2018

- "Straight outta VMware: Modern exploitation of the SVGA device for guest-to-host escape exploits" by Zisis Sialveras [[slides #1](https://i.blackhat.com/eu-18/Thu-Dec-6/eu-18-Sialveras-Straight-Outta-VMware-Modern-Exploitation-Of-The-SVGA-Device-For-Guest-To-Host-Escapes.pdf)] [[slides #2](https://census-labs.com/media/straightouttavmware-bluehatv18.pdf)] [[video](https://www.youtube.com/watch?v=o36N5wi_ZFs)] [[paper](https://census-labs.com/media/straightouttavmware-wp.pdf)] [[article](https://census-labs.com/news/2019/01/11/straight-outta-vmware-microsoft-bluehat-v18-black-hat-europe-2018/)]
- ["CVE-2018-6973 Analysis" by Bruno Botelho](http://blog.utxsec.com/?p=66) [article]
- ["VMware Exploitation Through Uninitialized Buffers" by Abdul-Aziz Hariri](https://www.thezdi.com/blog/2018/3/1/vmware-exploitation-through-uninitialized-buffers) [article]
- ["Automating VMware RPC Request Sniffing" by Abdul-Aziz Hariri](https://www.thezdi.com/blog/2018/1/19/automating-vmware-rpc-request-sniffing) [article]
- ["L'art de l'évasion" by Brian Gorenc, Abdul-Aziz Hariri and Jasiel Spelman (OffensiveCon)](https://www.youtube.com/watch?v=UzMpw3-VZl8) [video]
- ["A bunch of Red Pills: VMware Escapes" by Marco Grassi, Azureyang, Jackyxty](https://keenlab.tencent.com/en/2018/04/23/A-bunch-of-Red-Pills-VMware-Escapes/) [article]
- ["Wandering through the Shady Corners of VMware Workstation/Fusion"](https://comsecuris.com/blog/posts/vmware_vgpu_shader_vulnerabilities/) [article]
- ["Modern VMWARE Exploitation Techniques" by Brian Gorenc, Jasiel Spelman, Abdul Aziz Hariri (Infiltrate)](https://vimeo.com/269257039) [video]

### 2017

- ["VMware's Launch Escape System" by Abdul-Aziz Hariri](https://www.thezdi.com/blog/2017/12/21/vmwares-launch-escape-system) [article]
- ["Out of The Truman Show: VM escape in VMware gracefully" by Lei Shi and Mei Wang](https://www.slideshare.net/MSbluehat/bluehat-v17-out-of-the-truman-show-vm-escape-in-vmware-gracefully) [slides]
- "VMware Escapology: How to Houdini The Hypervisor" by AbdulAziz Hariri and Joshua Smith [[article](https://www.thezdi.com/blog/2017/10/04/vmware-escapology-how-to-houdini-the-hypervisor)] [[video](https://www.youtube.com/watch?v=uRemWLNBSZg)] [[code](https://github.com/thezdi/derbycon2017)]
- ["Use-After-Silence: Exploiting a quietly patched UAF in VMware" by Abdul-Aziz Hariri](https://www.thezdi.com/blog/2017/6/26/use-after-silence-exploiting-a-quietly-patched-uaf-in-vmware) [article]
- ["Analyzing a Patch of a Virtual Machine Escape on VMware" by Yakun Zhang](https://www.mcafee.com/blogs/other-blogs/mcafee-labs/analyzing-patch-of-a-virtual-machine-escape-on-vmware/) [article]
- "Leveraging VMware's RPC interface for fun and profit" (ZeroNights) [[slides](https://2017.zeronights.org/wp-content/uploads/materials/ZN17_ZDIteam_Leveraging%20VMware_s%20RPC%20Interface.pdf)] [[slides #2](https://ruxcon.org.au/assets/2017/slides/ForTheGreaterGood.pdf)] [[video](https://www.youtube.com/watch?v=h0YX8SDuou4)]
- ["The Weak Bug - Exploiting a Heap Overflow in VMware"](http://acez.re/the-weak-bug-exploiting-a-heap-overflow-in-vmware/) [article]
- ["How to exploit cve 2017 4901"](https://github.com/unamer/vmware_escape/wiki/How-to-exploit-cve-2017-4901) [article]
- ["Escape from VMware Workstation by using \"Hearthstone\""](https://cansecwest.com/slides/2017/CSW2017_QinghaoTang_XinleiYing_vmware_escape.pdf) [slides]
- "The Great Escapes of VMware: A Retrospective Case Study of VMware Guest-to-Host Escape Vulnerabilities" by Debasish Mandal and Yakun Zhang (Blackhat Europe) [[slides](https://www.blackhat.com/docs/eu-17/materials/eu-17-Mandal-The-Great-Escapes-Of-Vmware-A-Retrospective-Case-Study-Of-Vmware-G2H-Escape-Vulnerabilities.pdf)] [[video](https://www.youtube.com/watch?v=p0OaGMlBb2k)]
- "Pythonizing the VMware Backdoor" by Abdul-Aziz Hariri [[article](https://www.thezdi.com/blog/2017/8/1/pythonizing-the-vmware-backdoor)]

### 2016

- ["Windows Metafiles: An Analysis of the EMF Attack Surface & Recent Vulnerabilities" by Mateusz "j00ru" Jurczyk](https://j00ru.vexillium.org/slides/2016/metafiles_full.pdf) [slides]
- ["50 Shades Of Fuzzing" by Peter Hlavaty and Marco Grassi](https://papers.put.as/papers/macosx/2016/50_Shades_Of_Fuzzing.pdf) [slides]

### 2015

- ["Escaping VMware Workstation through COM1" by Kostya Kortchinsky](https://www.exploit-db.com/docs/english/37276-escaping-vmware-workstation-through-com1.pdf) [article]

### 2008

- ["Cloudburst: A VMware Guest to Host Escape Story" by Kostya Kortchinsky](https://www.blackhat.com/presentations/bh-usa-09/KORTCHINSKY/BHUSA09-Kortchinsky-Cloudburst-SLIDES.pdf) [slides]

### 2007

- ["An Empirical Study into the Security Exposure to Hosts of Hostile Virtualized Environments" by Tavis Ormandy](http://taviso.decsystem.org/virtsec.pdf) [whitepaper]

## Exploits

- https://www.exploit-db.com/search?q=vmware
- https://github.com/unamer/vmware_escape
- https://github.com/s0duku/cve-2022-31705

## CTF tasks

- Real World CTF 2018 Finals (Station Escape): [writeup 1](https://zhuanlan.zhihu.com/p/52140921), [writeup 2](https://nafod.net/blog/2019/12/21/station-escape-vmware-pwn.html)

## Misc

- https://www.vmware.com/security/advisories.html
- https://sites.google.com/site/chitchatvmback/backdoor
- https://github.com/vmware/open-vm-tools
- https://sourceforge.net/projects/vmware-svga
- http://sysprogs.com/legacy/articles/kdvmware/guestrpc.shtml

## ZDI demos

- [Demonstrating a VMware Guest-to-Host Escape](https://www.youtube.com/watch?v=NDuWcGn5hTQ)
- [Automating VMware RPC Request Sniffing](https://www.youtube.com/watch?v=ArE35aphCHQ)
- [Demonstration of Use-After-free Escalation in VMware](https://www.youtube.com/watch?v=XAV3JcizbwM)
- [CPython RPC Demonstration](https://www.youtube.com/watch?v=nrajtut6kEE)
- [Demonstrating the vmware_copy_pirate Metasploit Post-Exploitation Module](https://www.youtube.com/watch?v=4R-jJej_TKE)

## Other lists

- [WinMin/awesome-vm-exploit](https://github.com/WinMin/awesome-vm-exploit)