Skip to content
No description, website, or topics provided.
Branch: master
Clone or download
Latest commit e46e37e Jun 13, 2019
Type Name Latest commit message Commit time
Failed to load latest commit information.
assets add files Jun 13, 2019
Tensec2019-Vulnerability_Discovery_and_Exploitation_of_Virtualization_Solutions_for_Cloud_Computing_and_Desktops.pdf fix filename Jun 13, 2019
crash_poc.c add files Jun 13, 2019
exp.c add files Jun 13, 2019 add files Jun 13, 2019


This is an exploit for CVE-2019-6778, a heap buffer overflow in slirp:tcp_emu(). For more information, see the writeup (Sorry, only Chinese version available now) and the slides for the talk in Tensec 2019 by Marco and me.


$ ./qemu-system-x86_64 --version
QEMU emulator version 3.1.50 (v3.1.0-456-g9b2e891ec5-dirty)
Copyright (c) 2003-2018 Fabrice Bellard and the QEMU Project developers

Command used to start QEMU

./qemu-system-x86_64_exp -drive file=ubuntu-18.04-desktop-amd64.snapshot.qcow2,format=qcow2 -enable-kvm -m 2G -L ./pc-bios -smp 1 -device VGA -net user,hostfwd=tcp::2222-:22 -net nic


To simply verify the QEMU is vulnerable, run sudo nc -lvv 113 on the host. Then compile and run the crash poc in the guest.

For the exploit:


gcc -o exp exp.c

Set MTU for the network card before running the exploit

ifconfig ens2 mtu 9000 up


You can’t perform that action at this time.