Introduction
At first glance of this challenge, I thought it was a reverse challenge plus a menu challenge on pwn. However, I found that it was a reverse challenge plus a shellcode challenge.
This post gives some more debugging details on CVE-2015-5165. Based on the PoC code in [1], we make some modifications to the code according to the information of the local machine.
As we know, QEMU is an application running on the host machine. The goal of the VM escape from the guest machine is to retrieve the base address of the text segment of the QEMU application on the host machine and the base address of the virtual memory that is mapped to emulate the physical memory of the guest machine.
The final result of the information leakage is shown in the cover image of this post.
In the previous part, I gave an introduction on how to create an Ubuntu image for QEMU. However, after beginning to analyse the QEMU vulnerability, I feel the debugging process is very uncomfortable. What I prefer is just a terminal of QEMU with a guest running on it. This reminds me of what I do with the Syzkaller fuzzer.
In this post, I just list the necessary steps to create a much friendlier debugging environment.
This challenge is much easier than the VM escape challenge in SECCON 2017. It emulates parts of simple operations on a CPU.
This challenge gives a simplified model of a virtual machine, which emulates the operations of a CPU and a memory-mapped IO. Beginning with this challenge, I plan to give a series of write-ups on virtual machine escape. This post is completely based on [1].
This paper was published at DIMVA 2016. In this paper, the author proposed a software-induced Rowhammer attack. To demonstrate the effectiveness of their attack, the author presented a Rowhammer attack using JavaScript on Firefox 39.0. In this post, I will first give the background of the Rowhammer attack and then explain how this paper deploys the attack from JavaScript.
As a total newbie in virtualization technology, I give in this post more details on setting up the testing environment for QEMU, based on [1].
After the Spring Festival, I am considering what to do besides my research work, since it seems that VM escape has become a routine challenge in recent CTFs. A zero-day was even used as a challenge in 34C3 CTF. I think it's time to start a new journey on VM escape.