Yesterday I already demonstrated how to hijack the control flow by leaking the base address of the heap. Therefore, the only remaining step is to get a shell or view the flag, which is discussed in this post. The final result is already shown in the cover image. The full exploit is given in my github repository.
Continue reading “QEMU Escape: Part 5 Put Everything Together (nographic mode)”
In the original post on QEMU escape, the author only introduces the details of the out-of-bounds overflow (CVE-2015-7504) in QEMU. However, it gives no details on how to hijack the control flow. In this post, I give more details on how I hijack control to 0x414141414141, as shown in the cover image.
Continue reading “QEMU Escape: Part 4 Hijack Control Flow (CVE-2015-7504)”
It is an easy menu challenge. I thought there might be some security issues with multi-threading in exploitation, like a race condition, but it seems there is no need for that in this challenge.
Continue reading “N1CTF 2018 PWN Vote Write-up”
At first glance at this challenge, I thought it was a reverse challenge plus a menu challenge on pwn. However, I found that it was a reverse challenge plus a shellcode challenge.
Continue reading “N1CTF 2018 PWN Beeper Write-up”
This post gives some more debugging details on CVE-2015-5165. Based on the PoC code in , we make some modifications to the code according to the information of the local machine.
As we know, QEMU is an application running on the host machine. The goal of the VM escape from the guest machine is to retrieve the base address of the text segment of the QEMU application on the host machine and the base address of the virtual memory that is mapped to emulate the physical memory of the guest machine.
The final result of the information leakage is given as the cover image of this post.
Continue reading “QEMU escape: Part 3 Information Leakage (CVE-2015-5165)”
In the previous part, I gave an introduction on how to create an Ubuntu image for QEMU. However, after beginning to analyse the QEMU vulnerability, I felt the debugging process was very uncomfortable. What I prefer is just a terminal of QEMU with a guest running in it. This reminds me of what I do with the Syzkaller fuzzer.
In this post, I just list the necessary steps to create a much friendlier debugging environment.
Continue reading “QEMU escape: Part 2 Debugging Environment Set-up”
This challenge is much easier than the VM escape challenge in SECCON 2017. It emulates some simple CPU operations.
Continue reading “X-MAS CTF 2017 PWN ChildVM Write-up”