A multi-stage VM escape toolkit (MAESTRO + MyDriver.sys + VSOCKpuppet) leverages HGFS information disclosure, VMCI memory corruption, and an ESXi arbitrary write to escape a VM and install a VSOCK-based backdoor on ESXi. The attack disables VMware VMCI drivers, uses KDU to load an unsigned exploit driver, writes shellcode into the VMX process, and deploys a VSOCK backdoor listening on port 10000. #MAESTRO #VSOCKpuppet
Keypoints
- The orchestrator (exploit.exe, named MAESTRO) contains four embedded binaries (MyDriver.sys, kdu.exe, devcon.exe, drv64.dll) and manages deployment, monitoring, and cleanup of the VM escape.
- The exploit chain leverages three VMware vulnerabilities (CVE-2025-22226 HGFS info leak, CVE-2025-22224 VMCI TOCTOU leading to OOB write, CVE-2025-22225 arbitrary write to escape VMX sandbox) to defeat ASLR, corrupt VMX, and gain kernel execution on ESXi.
- MyDriver.sys disables guest VMCI drivers to obtain exclusive access to VMCI hardware, uses HGFS backdoor channels to leak VMX pointers, and reads/writes VMX memory to install stage shellcode and an ELF backdoor (VSOCKpuppet).
- KDU (kdu.exe) is used to bypass Driver Signature Enforcement by manually mapping the unsigned MyDriver.sys into kernel memory via an exploited signed driver.
- Stage 1 and 2 shellcode locate kernel modules and write a persistent but stealthy backdoor: VSOCKpuppet is dropped to /var/run/a, inetd.conf is temporarily modified to execute it as root on port 21, then restored to reduce forensic visibility.
- VSOCKpuppet provides remote access over VMware VSOCK (binds to port 10000, CID any), making C2 traffic invisible to traditional network monitoring; a Windows client (GetShell Plugin / client.exe) communicates via VSOCK to interact with the backdoor.
MITRE Techniques
- [T1218] Signed Binary Proxy Execution – The attacker uses Microsoft-signed devcon.exe to disable VMware VMCI drivers: (‘The exploit begins by disabling VMware’s guest-side VMCI drivers using Microsoft’s devcon.exe utility.’).
- [T1215] Kernel Modules and Extensions – The toolkit loads an unsigned kernel driver by abusing a signed vulnerable driver via KDU to map MyDriver.sys into kernel memory: (‘kdu.exe -prv 1 -map MyDriver.sys’).
- [T1574] Hijack Execution Flow – The exploit overwrites a VMX function pointer to redirect execution into attacker-controlled shellcode: (‘After writing the payloads, the exploit overwrites a function pointer inside VMX… when VMX handles the message, it follows the corrupted pointer and jumps to the attacker’s shellcode’).
- [T1105] Ingress Tool Transfer – The attacker writes the ELF backdoor (VSOCKpuppet) to the host filesystem (/var/run/a) and transfers payloads from guest to host: (‘it creates the backdoor file at /var/run/a with full permissions (0777), then writes the VSOCKpuppet payload to it’).
- [T1543] Create or Modify System Process – The exploit appends a malicious inetd.conf entry to execute the backdoor as root and signals inetd to reload: (‘it modifies /var/run/inetd.conf… ftp stream tcp nowait root /var/run/a a ++group=host/vim/vimuser/terminal/ssh’ and ‘sends SIGHUP (signal 1) to inetd’).
- [T1059.004] Command and Scripting Interpreter: Unix Shell – The backdoor and shellcode execute shell commands via /bin/sh and use standard Unix syscalls to interact with the host: (‘Any other input is treated as a shell command, the backdoor writes it to /tmp/input, executes it via /bin/sh, and returns the output’).
- [T1071] Application Layer Protocol – The threat actor uses VMware VSOCK as a covert C2/channel protocol (binds to VSOCK port 10000, CID any) to avoid network-based detection: (‘The backdoor binds to VSOCK port 10000 with context ID -1 (VMADDR_CID_ANY)… VSOCK communication does not generate network packets visible to traditional network sniffing tools’).
Indicators of Compromise
- [File Hash] MAESTRO, client, VSOCKpuppet and other toolkit binaries – 37972a232ac6d8c402ac4531430967c1fd458b74a52d6d1990688d88956791a7 (exploit.exe MAESTRO), 4614346fc1ff74f057d189db45aa7dc25d6e7f3d9b68c287a409a53c86dca25e (client.exe), and 3 more hashes.
- [File Name] Embedded and dropped binaries – MyDriver.sys, VSOCKpuppet, exploit.exe (MAESTRO), client.exe (GetShell Plugin).
- [File Path / PDB] Development and build artifacts revealing timelines and environment – ‘C:\Users\test\Desktop\2023_11_02\vmci_vm_escape\getshell\source\client\x64\Release\client.pdb’ and ‘C:\Users\test\Desktop\2024_02_19全版本逃逸–交付\report\ESXI_8.0u3’ (Chinese-language build path).
- [Device Identifier] Targeted VMware device instances disabled by the exploit – PCI\VEN_15AD&DEV_0740 (VMware VMCI PCI device), ROOT\VMWVMCIHOSTDEV (VMware VMCI Host Device).
- [Network / Socket] Local/host communication endpoints used by the backdoor and activation – VSOCK CID:PORT 2:10000 (connect to hypervisor backdoor) and local TCP 127.0.0.1:21 (inetd hijack to trigger backdoor).
- [Configuration File] Modified service configuration used to achieve root execution – /var/run/inetd.conf entry ‘ftp stream tcp nowait root /var/run/a a ++group=host/vim/vimuser/terminal/ssh’ (temporary malicious line appended then restored).
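As an added example (not code from the Huntress post or from the toolkit), a small Python check that flags inetd.conf entries like the one quoted above: a root service whose program lives in scratch space such as /var/run, or that carries the ++group= option on a binary outside the VMware install tree. The sample configuration and the trusted-path list are assumptions constructed for this example.

```python
# Directories a legitimate ESXi inetd service program should never be launched from
# (assumption for this example: /var/run and /tmp are writable scratch space on ESXi).
SCRATCH_DIRS = ("/var/run/", "/tmp/", "/dev/shm/")
# Prefixes under which shipped ESXi service binaries normally live (assumed list).
TRUSTED_PREFIXES = ("/usr/lib/vmware/", "/sbin/", "/bin/", "/usr/sbin/", "/usr/bin/")

# Constructed sample: two benign-looking entries plus the hijacked ftp line quoted in the IoCs.
SAMPLE_INETD_CONF = """\
# constructed /var/run/inetd.conf sample
ssh stream tcp nowait root /usr/lib/vmware/openssh/bin/sshd sshd ++group=host/vim/vimuser/terminal/ssh -i
authd stream tcp nowait root /sbin/authd authd
ftp stream tcp nowait root /var/run/a a ++group=host/vim/vimuser/terminal/ssh
"""

def parse_inetd_line(line):
    """Split one inetd.conf entry into its fields; return None for comments and blank lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = line.split()
    if len(fields) < 6:          # service socktype proto wait user program [args...]
        return None
    service, _sock, _proto, _wait, user, program = fields[:6]
    return {"service": service, "user": user, "program": program, "args": fields[6:]}

def find_suspicious_inetd_entries(text):
    """Return (service, program, reasons) for every entry that matches a hijack pattern."""
    findings = []
    for line in text.splitlines():
        entry = parse_inetd_line(line)
        if entry is None:
            continue
        prog, reasons = entry["program"], []
        if entry["user"] == "root" and prog.startswith(SCRATCH_DIRS):
            reasons.append("root service program in scratch directory")
        if not prog.startswith(TRUSTED_PREFIXES):
            reasons.append("program outside trusted ESXi paths")
        if any(a.startswith("++group=") for a in entry["args"]) and not prog.startswith("/usr/lib/vmware/"):
            reasons.append("++group= privilege option on non-VMware binary")
        if reasons:
            findings.append((entry["service"], prog, reasons))
    return findings

if __name__ == "__main__":
    for service, prog, reasons in find_suspicious_inetd_entries(SAMPLE_INETD_CONF):
        print(f"{service} -> {prog}: {', '.join(reasons)}")
```

Because the toolkit restores inetd.conf after triggering the service, this check is most useful when run against a file-integrity snapshot or a periodic copy of the configuration, alongside a look for the dropped binary itself at /var/run/a.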
Read more: https://www.huntress.com/blog/esxi-vm-escape-exploit