qemu-vm-escape

This is an exploit for CVE-2019-6778, a heap buffer overflow in slirp:tcp_emu(). For more information, see the writeup (Sorry, only Chinese version available now) and the slides for the talk in Tensec 2019 by Marco and me.

Environment

$ ./qemu-system-x86_64 --version
QEMU emulator version 3.1.50 (v3.1.0-456-g9b2e891ec5-dirty)
Copyright (c) 2003-2018 Fabrice Bellard and the QEMU Project developers

Command used to start QEMU

./qemu-system-x86_64_exp -drive file=ubuntu-18.04-desktop-amd64.snapshot.qcow2,format=qcow2 -enable-kvm -m 2G -L ./pc-bios -smp 1 -device VGA -net user,hostfwd=tcp::2222-:22 -net nic

Run

To simply verify the QEMU is vulnerable, run sudo nc -lvv 113 on the host. Then compile and run the crash poc in the guest.

For the exploit:

Compile

gcc -o exp exp.c

Set MTU for the network card before running the exploit

ifconfig ens2 mtu 9000 up

Then

./exp

Name		Name	Last commit message	Last commit date
Latest commit History 5 Commits
assets		assets
README.md		README.md
Tensec2019-Vulnerability_Discovery_and_Exploitation_of_Virtualization_Solutions_for_Cloud_Computing_and_Desktops.pdf		Tensec2019-Vulnerability_Discovery_and_Exploitation_of_Virtualization_Solutions_for_Cloud_Computing_and_Desktops.pdf
crash_poc.c		crash_poc.c
exp.c		exp.c
writeup_zh.md		writeup_zh.md

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Repository files navigation

qemu-vm-escape

Environment

Run

About

Releases

Packages

Languages

0xKira/qemu-vm-escape

Folders and files

Latest commit

History

Repository files navigation

qemu-vm-escape

Environment

Run

About

Resources

Stars

Watchers

Forks

Releases

Packages 0

Languages

Packages