Repository contents (latest commit e46e37e, Jun 13, 2019):

- assets
- README.md
- Tensec2019-Vulnerability_Discovery_and_Exploitation_of_Virtualization_Solutions_for_Cloud_Computing_and_Desktops.pdf (slides)
- crash_poc.c
- exp.c
- writeup_zh.md


qemu-vm-escape

This is an exploit for CVE-2019-6778, a heap buffer overflow in slirp's `tcp_emu()` (the protocol-emulation code of QEMU's user-mode network stack). For more information, see the writeup (sorry, only a Chinese version is available for now) and the slides for the talk at Tensec 2019 by Marco and me.

Environment

```
$ ./qemu-system-x86_64 --version
QEMU emulator version 3.1.50 (v3.1.0-456-g9b2e891ec5-dirty)
Copyright (c) 2003-2018 Fabrice Bellard and the QEMU Project developers
```

Command used to start QEMU. Note the `-net user` backend: that is slirp, the user-mode network stack that contains `tcp_emu()`, so a guest only reaches the vulnerable code when it is attached through user-mode networking.

```
./qemu-system-x86_64_exp -drive file=ubuntu-18.04-desktop-amd64.snapshot.qcow2,format=qcow2 -enable-kvm -m 2G -L ./pc-bios -smp 1 -device VGA -net user,hostfwd=tcp::2222-:22 -net nic
```
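As a defender-side check, added here and not part of this repository: a small POSIX shell helper that tells whether a QEMU command line attaches the guest through the user-mode (slirp) backend, which is the only network backend that runs `tcp_emu()`. It recognises the `-net user`, `-netdev user` / `-netdev type=user` and `-nic user` spellings; tap, bridge or other backends do not expose slirp. The sample command line is the one shown above; `list_slirp_guests` assumes a procps-style `ps` (an assumption, adjust for BSD `ps`).

```shell
# Added example, not the repository's own code.
# uses_slirp CMDLINE: succeed (exit 0) when the QEMU command line selects the
# user-mode (slirp) network backend, fail (exit 1) otherwise.
uses_slirp() {
  printf '%s\n' "$1" | grep -Eq -- \
    '(^|[[:space:]])-(net|netdev|nic)[[:space:]]+(type=)?user([[:space:],]|$)'
}

# list_slirp_guests: walk the running QEMU processes on this host and print the
# PID and command line of every guest that is on the slirp backend.
# Assumes a procps-style 'ps' supporting -eo pid=,args= (assumption).
list_slirp_guests() {
  ps -eo pid=,args= | while read -r pid args; do
    case "$args" in
      *qemu-system-*)
        if uses_slirp "$args"; then
          printf '%s\t%s\n' "$pid" "$args"
        fi
        ;;
    esac
  done
}

# Constructed sample: the launch command from this README.
SAMPLE_CMDLINE='./qemu-system-x86_64_exp -drive file=ubuntu-18.04-desktop-amd64.snapshot.qcow2,format=qcow2 -enable-kvm -m 2G -L ./pc-bios -smp 1 -device VGA -net user,hostfwd=tcp::2222-:22 -net nic'

if uses_slirp "$SAMPLE_CMDLINE"; then
  echo "slirp backend in use: tcp_emu() is reachable from the guest"
else
  echo "no slirp backend on this command line"
fi
```

Run `list_slirp_guests` on a host to see which live VMs are on slirp; those are the ones where a guest-side bug in `tcp_emu()` matters, and the ones to move to a tap/bridge backend or to a patched QEMU first.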

Run

To check whether a QEMU build is vulnerable, run `sudo nc -lvv 113` on the host (a listener on TCP port 113, the ident service whose emulation in `tcp_emu()` contains the overflow). Then compile and run `crash_poc.c` in the guest; on a vulnerable QEMU the process crashes.

For the exploit:

Compile

```
gcc -o exp exp.c
```

Set the MTU of the guest's network card before running the exploit (`ens2` is the interface name in the guest used here; substitute your own)

```
ifconfig ens2 mtu 9000 up
```

Then

```
./exp
```