Travel to the dark of the door! Debugee in QEMU-vulnerability warning-the black bar safety net

I haven’t to secure guest posting, just recently the contact vulnerability discovery, and have been reading some of the classic fuzzer source code, at the same time also began to contact the virtualization escape this piece of content, at this time happened to come across two very classic exploit, I believe that many friends also have seen, phrack some time ago just update about this vulnerability in detail using the process.
I later for this vulnerability is a dynamic debugging, and by the phrack paper cramming something about the virtual machine’s working principle, the Guest OS and the Host OS between some of the knowledge.
! [](/Article/UploadPic/2017-8/201781714010647. png? www. myhack58. com)
In the debugging process, I increasingly feel that the two vulnerabilities as to the dark portal Getting started again suitable however, by the two vulnerability analysis and the use of the debugging, can be familiar with this type of virtualization vulnerability of the commissioning principles. Today, I will share the QEMU virtualization escape the debugging environment to build, on CVE-2015-5165 and CVE-2015-7504 vulnerability dynamic debugging analysis, as well as the patch comparison.
Prior to that, my default reading this article little friends have looked at phrack. org about VM Escape Case Study the article, and already understand the virtual work of the basic principles, including but not limited to, memory management mechanisms, REALTEK network card, a PCNET card of a data packet structure, Tx, Rx buffer, and so on. About phrack. org article and see the snow translated version of the analytical article of the link I will be at the end given. Below we together depart to the dark portal!
! [](/Article/UploadPic/2017-8/201781714011693. png? www. myhack58. com)
0x01 QEMU environment to build
In debugging the QEMU virtualization escape vulnerability before, we need to build virtualization escape the environment, by first git clone to download QEMU, and by the git check set branch if you want to debug the previous version.
$ git clone git://git. qemu-project. org/qemu. git
$ cd qemu
$ mkdir-p bin/debug/native
$ cd bin/debug/native
$ …/…/…/configure --target-list=x86_64-softmmu --enable-debug --disable-werror
$ make
In the make time, the Host OS will need some libraries installed by apt-get to download and install, such as zlib and glib-2.22, wherein glib-2.22 also need some dependencies, but need to go to the download site, the website address: http://ftp.gnome.org/pub/gnome/sources/glib/2.22/ in.
After installation, in/path/to/qemu/bin/debug/native/generated under a x86_64-softmmu directory, before that, you need to install a qcow2 file system, it is needed by qemu-img to create a qcow2 system files.

$ qemu-img creat-f qcow2 ubuntu. qcow2 20G
After the first by qemu-system-x86_64 completion of the qcow2 file system in the system installation, the need to use the-cdrom to the iso image file is loaded. At the same time, you need to install vncviewer, so that by the vncviewer for qemu to start the vnc port for the connection.
$ qemu-system-x86_64-enable-kvm-m 2048-hda /path/to/ubuntu. qcow2-cdrom /path/to/ubuntu.iso
$ apt-get install xvnc4viewer
Through the vnc connection to qemu after, according to the image file prompt for installation, 这里推荐还是用server.iso because installation is relatively quick, with the desktop of the words may be slightly Caton some, after the installation is complete you get a systematic qcow2 file, after which you can contain vulnerabilities rlt8139 and pcnet NIC hardware to start.

$ ./ qemu-system-x86_64-enable-kvm-m 2048-display vnc=:89-netdev user,id=t0, -device rtl8139,netdev=t0,id=nic0-netdev user,id=t1, -device pcnet,netdev=t1,id=nic1-drive file=/path/to/ubuntu. qcow2,format=qcow2,if=ide,cache=writeback
After the Start, and here I in order to save trouble, directly with the NAT method of sharing the host network, and then Locally by SimpleHTTPServer to build a simple HTTP Server through wget method to get the two vulnerabilities of the PoC, the two vulnerability PoC by gcc-static method in locally compiled directly after upload, and then run it.
After the host computer via the ps-ef|grep qemu find qemu to start the process via gdb attach pid method additional, press c to continue to run on it, can by the b-function of the method under the breakpoint, convenient for tracking and debugging.
!
0x02 CVE-2015-5165 vulnerability analysis
CVE-2015-5165 is a memory leak vulnerability, since for ip->ip_len and hlen the length of size is not controlled, resulting in both phase subtraction calculation is negative, due to the ip_data_len variable is defined unsigned type, result this value will be very large, resulting in a memory leak. Vulnerability file in/path/to/qemu/hw/net/rtl8139. c.
First, according to the vulnerability description, vulnerability occurs in the rtl8139_cplus_transmit_one function, by b rtl8139_cplus_transmit_one method in the function to the next breakpoint, after running the PoC, the hit function, the first function will pass in a RTL8139State structure variables. Continue to single-step tracking is performed to an if statement, it will compare the current data in the header portion whether the IPV4 header.
gdb-peda$ si
[----------------------------------registers-----------------------------------]
RAX: 0x4
[-------------------------------------code-------------------------------------]
0x55b25db58480 :shr al,0x4
0x55b25db58483 :movzx eax,al
0x55b25db58486 :and eax,0xf
=> 0x55b25db58489 :cmp eax,0x4
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
0x000055b25db584892173 if (IP_HEADER_VERSION(ip) != IP_HEADER_VERSION_4) {
Visible this time is indeed the IPv4 configuration, then enter the if statement of the code logic, which will call be16_to_cpu for ip->ip_len to convert, ip->ip_len length of 0x1300, the converted length is 0x13 in.
[----------------------------------registers-----------------------------------]
RAX: 0x1300
RDI: 0x1300 //ip->ip_len
EFLAGS: 0x206 (carry PARITY adjust zero sign trap INTERRUPT direction overflow)

[1] [2] [3] [4] [5] [6] [7] [8] [9] [10] next