Skip to content

0xKira/qemu-vm-escape

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

5 Commits

assets

assets

 
 

README.md

README.md

 
 

Tensec2019-Vulnerability_Discovery_and_Exploitation_of_Virtualization_Solutions_for_Cloud_Computing_and_Desktops.pdf

Tensec2019-Vulnerability_Discovery_and_Exploitation_of_Virtualization_Solutions_for_Cloud_Computing_and_Desktops.pdf

 
 

crash_poc.c

crash_poc.c

 
 

exp.c

exp.c

 
 

writeup_zh.md

writeup_zh.md

 
 

Repository files navigation

qemu-vm-escape

This is an exploit for CVE-2019-6778, a heap buffer overflow in slirp:tcp_emu(). For more information, see the writeup (Sorry, only Chinese version available now) and the slides for the talk in Tensec 2019 by Marco and me.

Environment

$ ./qemu-system-x86_64 --version
QEMU emulator version 3.1.50 (v3.1.0-456-g9b2e891ec5-dirty)
Copyright (c) 2003-2018 Fabrice Bellard and the QEMU Project developers

Command used to start QEMU

./qemu-system-x86_64_exp -drive file=ubuntu-18.04-desktop-amd64.snapshot.qcow2,format=qcow2 -enable-kvm -m 2G -L ./pc-bios -smp 1 -device VGA -net user,hostfwd=tcp::2222-:22 -net nic

Run

To simply verify the QEMU is vulnerable, run sudo nc -lvv 113 on the host. Then compile and run the crash poc in the guest.

For the exploit:

Compile

gcc -o exp exp.c

Set MTU for the network card before running the exploit

ifconfig ens2 mtu 9000 up

Then

./exp

About

No description, website, or topics provided.

Resources

Readme
Activity

Stars

277 stars

Watchers

12 watching

Forks

55 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages