In this post, I will give an introduction of the PCI device emulation in QEMU. I will start from the function pci_register_bar. Then I will introduce the PCI bus initialization and update. Based on the information given above, I will explain how RTL8139 and MMIO are expected to work through DMA (Direct Memory Access).
I also strongly recommend reading the reference [1] and [2]. They give some other useful information for PCI device in QEMU.
Read More »
In this post, I will introduce two significant data structures in QEMU: MemoryRegion and AddressSpace. Based on the information given above, I will give more details on the memory initialization in QEMU and address_space_rw, which is the core function of QEMU from my perspective. Furthermore, I give examples to explain what is STDIO and MMIO (memory-mapped IO).
Before reading this post, I strongly recommend reading /qemu/docs/memory.txt first. It will give a basic view of what I will talk about in this post.
Read More »
This post is completely based on the write-up [1] given by KITCTF. This post will give more details on io function in the binary, e.g. hitb_dma_timer, hitb_mmio_read and hitb_mmio_write.
Since a single post cannot cover everything involved in this challenge. I will put more focus on the vulnerability analysis and exploit development in this post. More topics about this challenge will be given in my post on QEMU internals.
Read More »
In my previous post, I give a basic introduction on pcnet emulation and display the stacktrace of execution flow of the emulation.
In this post I will give a introduction on RTL8139 emulation in QEMU. Different from the previous post, I will omit the execution flow of RTL8139 I/O operation. Instead, I want to put more focus on how the emulated registers are used and how user controlled data go into the vulnerable function and trigger the vulnerability.
In QEMU, all RTL8139 emulation is implemented in rtl8139.c.
The concept of DMA will be introduced in this post. But more details on that will be given in next post.
Read More »
This post will give a basic introduction on how QEMU emulates a pcnet network card from the view of source code. In QEMU, pcnet-pci.c and pcnet.c are the most important two files that are related with pcnet network card emulation. From my point of view, pcnet-pci.c is for emulating the operation between the QEMU and pcnet device, including device initialization and device IO communication; pcnet.c is for emulating the operation between QEMU and the guest machine, including packet transmission and data processing.
This post post will pick part of the source code of QEMU for explaining the internal of QEMU.
Read More »
In my previous blog, I mention that MADV_DONTFORK is set to the virtual memory region, which is used as the physical memory of guest machine. In another word, the memory set to MADV_DONTFORK will not be passed to the forked process. In this post, I will prove this hypothesis by undoing the MADV_DONTFORK flag of the memory region and display the flag.
In the exploit given in [1] and [2], the author first changes the protection flag of the PHY_MEM to RWX and prepares the shellcode in PHY_MEM to undo the MADV_DONTFORK flag of PHY_MEM. From my perspective, such a method is tedious for the purpose of this post. Alternatively, I choose to prove the hypothesis via code reuse attack directly.
Read More »
Working in the wrong direction means going far away. After reading the write-up in [1], I think this is not a difficult challenge. During the contest, I was hesitating between House of Orange and House of Mind. After reaching dead end in both solutions, I hope to seek some hints from the title of the challenge. Therefore I turn to this post [2], seeking some possible hints in file stream on /dev/null. But the result shows that I think too much on that and I should start from the easier ones.
I need to record what I think during the contest and set a reminder for myself.
Read More »
Yesterday I have already demonstrated how to hijack the control flow via leaking the base address of heap. Therefore, the only remaining step is to get the shell or view the flag, which will be discussed in this post. The final result is already given in the cover image. The full exploit is given in my github repository [2].
Read More »
In the original post on QEMU escape, the author only introduces the details about the out-of-bound overflow (CVE-2015-7504) in QEMU. However, it adds no details on how to hijack the control flow. In this post, I will give more details on how I hijack the control to 0x414141414141 as shown in cover image.
Read More »
It is an easy menu challenge. I thought there may be some security issues with multi-threading in exploitation like race condition. But it seems there is no need on that in this challenge.
Read More »
氷 菓 