VMware Escapology – How to Houdini the Hypervisor

October 04, 2017 | Joshua Smith

Recently at the DerbyCon conference in Louisville, KY, Jasiel and I presented “VMware Escapology: How to Houdini The Hypervisor.” My colleague Abdul-Aziz Hariri has blogged about VMware escapes in the past. Unfortunately, circumstances prevented Abdul from attending the conference. A significant portion of what we presented is the result of his research in this field, so his absence was felt. So far, most of what has been discussed on this topic was aimed at the reverse engineering community to aid them in finding and reporting new VMware bugs. However, we also wanted to expose the penetration testing community to VMware escapes.

Virtual machines play a crucial role in modern computing. They are often used to isolate multiple customers with instances on the same physical server. Virtual machines are also used by researchers and security practitioners to isolate potentially harmful code for analysis and review. VMs also remain important tools for pentesters. Conversely, customer virtualization can also lead to dead ends during a pentest. This limitation could lead to situations where enterprises fail to understand the true risk to their virtualized environments. Our talk provided some additional information, along with Metasploit Framework (MSF) modules and a library for pentesters, that weaken or escape the isolation imposed by VMware hypervisors. Today, we’re making those Metasploit modules available on our GitHub site.

Here’s a video demonstrating one of these Metasploit modules in action, as we take advantage of VMwareHostOpen.exe to execute code on a macOS hypervisor.

The Backdoor Channel

Before we discuss the attacks, we should talk about the Backdoor channel, which is used by VMware for communication between the host and the guest OS. Yes, VMware named this method for communications the “Backdoor” channel.

The RPCI channel provides a bi-directional method of communications between the guest and the hypervisor. On the low-bandwidth side, it provides 24 bits of send and 16 bits of receive. Admittedly, this is pretty limited, but it does work perfectly fine if all you need is a version number or other simple value. The high-bandwidth side provides a much faster means of communication and allows for more data as well. The commands available within Backdoor are documented in the open-vm-tools on GitHub. Specifically, backdoor_def.h defines many commands. A partial list is below:

TCLO provides the hypervisor a means to communicate with the Guest OS. What does TCLO stand for?  From public documentation, we learn, “In Host --> Guest RPC traffic, the host endpoint is TCLO and the guest endpoint is RpcIn. TCLO is a particularly confusing name choice which dates back to when the host was to send raw TCL code to the guest (TCL Out == TCLO).” Does that imply this TCL is the Tool Command Language? It certainly seems that way.

Utilizing this Backdoor channel in various ways, we’re able to demonstrate some techniques pentesters may find useful when faced with VMware virtual machines.

The VMware Library

The foundation for the modules, and the foundation for future exploration, is the Msf::Post::Vmware post exploitation library. The current implementation of the library only supports payloads that provide the ability to manipulate host memory, such as Post::Windows::Process.memory.{allocate, write, protect, read}. As a result, only the Windows meterpreter is currently compatible. However, I intend to convert the library to utilize railgun so that any payload compatible with railgun will automatically gain support, which means most major platforms will be supported. First, this will require some modifications to railgun to add support for execution of arbitrary assembly instead of interfacing with platform libraries. The most relevant methods exposed by the library are Backdoor.send_cmd and Rpc.send_cmd. For example, `Backdoor.send_cmd(BDOOR_CMD_GETNEXTPIECE)` and `Rpc.send_cmd('vmx.capability.dnd_version')`.

Post Exploitation Module: vmware_copy_pirate

Here’s a quick video of this one in action.

With this module, a guest VM can abscond with the copy buffer of its host or another guest VM running on the same hypervisor. This can be done without the presence of VMware tools as long as the VM is configured to allow copy and paste, which is the default setting. This module utilizes the Backdoor commands BDOOR_CMD_GETSELLENGTH and BDOOR_CMD_GETNEXTPIECE, both from open-vm-tools’ backdoor_def.h, to accomplish this task.


The Host-Guest File System (HGFS) is also an area worth exploring. HGFS requests can be performed through GuestRPC requests, which can run over the Backdoor, vSockets, or TCP/IP. A binary provided with VMware tools from VMware Fusion called `VMwareHostOpen.exe` uses HGFS functionality to, “open your windows files and web links using Mac applications”. The description goes on to say that, “enabling this feature may reduce the isolation of your virtual machine”. With this module, you can turn “may” into “will”. Currently, there are multiple prerequisites for this module to be used to its full extent, but it appears most, if not all, of the restrictions may be bypassed in the near future. In the ideal situation, VMware tools are installed and a writable share is available in the Windows VM. In this case, an arbitrary payload can be written to the share and executed on the Mac host running VMware Fusion.
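Both modules depend on guest configuration: copy and paste left enabled for vmware_copy_pirate, and a writable share for the HGFS case. The following audit of a `.vmx` file is an added example, not part of the original post or the Metasploit modules. The `isolation.tools.*` keys come from VMware's hardening guidance and the `sharedFolderN.*` keys from the Workstation/Fusion `.vmx` layout rather than from this page, and the sample file is constructed.

```python
import re

# Keys from VMware's hardening guidance (not from this post), with the value
# that closes each channel. Keys are lowercased here for comparison.
HARDENED = {
    "isolation.tools.copy.disable": "TRUE",           # guest -> host clipboard
    "isolation.tools.paste.disable": "TRUE",          # host -> guest clipboard
    "isolation.tools.dnd.disable": "TRUE",            # drag and drop
    "isolation.tools.setguioptions.enable": "FALSE",  # guest toggling GUI options
    "isolation.tools.hgfsserverset.disable": "TRUE",  # HGFS server registration
}
LINE = re.compile(r'^\s*([^#=\s][^=]*?)\s*=\s*"(.*)"\s*$')

# Constructed sample: paste is commented out, dnd is explicitly left enabled.
SAMPLE_VMX = """\
isolation.tools.copy.disable = "TRUE"
# isolation.tools.paste.disable = "TRUE"
isolation.tools.dnd.disable = "false"
sharedFolder0.enabled = "TRUE"
sharedFolder0.writeAccess = "TRUE"
sharedFolder0.hostPath = "/Users/example/share"
sharedFolder1.enabled = "TRUE"
sharedFolder1.writeAccess = "FALSE"
sharedFolder1.hostPath = "/Users/example/readonly"
"""

def parse_vmx(text):
    """Return {lowercased key: value}; comment lines are skipped."""
    pairs = (LINE.match(line) for line in text.splitlines())
    return {m.group(1).lower(): m.group(2).strip() for m in pairs if m}

def audit_vmx(text):
    """Map each hardening key to 'hardened', 'exposed' or 'unset'."""
    s = parse_vmx(text)
    report = {}
    for key, wanted in HARDENED.items():
        if key not in s:
            report[key] = "unset"  # effective default depends on the product
        else:
            report[key] = "hardened" if s[key].upper() == wanted else "exposed"
    return report

def writable_shares(text):
    """Host paths of enabled shared folders the guest can write to."""
    s = parse_vmx(text)
    on = lambda k: s.get(k, "").upper() == "TRUE"
    nums = sorted({m.group(1) for k in s if (m := re.match(r"sharedfolder(\d+)\.", k))})
    return [s.get(f"sharedfolder{n}.hostpath", "") for n in nums
            if on(f"sharedfolder{n}.enabled") and on(f"sharedfolder{n}.writeaccess")]
```

Treat `unset` as a finding to review rather than a pass, since the effective default differs between products.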


As demonstrated, the Backdoor interface is robust and well-named – even though it might not be intended. We’ve seen several critical ESXi vulnerabilities patched in 2017 alone. We’ve also observed other, non-critical vulnerabilities that allow data leakage. Again, none of these attacks require VMware tools to be installed.

If you weren’t able to attend the conference, you can watch a replay of Jasiel and me giving the talk. We missed having Abdul with us at the conference, but the research he contributed certainly made his presence felt. After you watch the video, if you want to try these modules for yourself, you can obtain them from our GitHub site.

VMware is widely deployed, and bug reports are on the rise. We’re also seeing increased reports in other virtualization products. Virtualization can sometimes lead to a dead end on pentests, which can give enterprises the false impression that virtualization completely constrains risk. While a guest-to-host escape is the most eye-catching way to abuse a hypervisor, there are other, more subtle abuses as well. The Metasploit modules we released today will enable pentesters to look for these abuses on clients’ networks. We understand that you can’t fix what you can’t prove to management. Hopefully these modules help make the case needed to improve the security posture of enterprises.

You can find me on Twitter at @KernelSmith, and follow the team for the latest in exploit techniques and security patches.