Last couple of days i had a chance to play and research VMware a bit, of course among other things. I spent last few days researching the vulnerability Kostya presented sometime ago. I did the entire research from zero and basically just for fun (yeah some of us still do this kind of stuff for the lulz). Unlike Kostya's method I am able to exploit this vulnerability only by sending two specially crafted SVGA_CMD_RECT_COPY signals. This method should work on default VMware configurations with SVGA support. Following exploit was tested only on Windows XP SP3 with VMware Workstation 6.5.1 build 126130 (no DEP support). To be honest i spent more time coding the hacktro so make sure you will watch it :-) Greetings for all of the hidden demosceners.

VMware Exploiting (payload running calc.exe on host)

3D HACKTRO:

that's all! byez!


http://blog.piotrbania.com/2009/09/vmware-cloudburst-vmware-guest-to-host.html