Analysis on CVE-2017-16995

Introduction

In this post, I will give a detailed explanation on the exploit development of CVE-2017-16995. This post is based on [1][2][3] and give more debugging information for a better understanding. This post will be divided into 3 parts. Part I will discuss what is eBPF, the basic data structure used in eBPF and how the the eBPF program given in exploit in [1] should be interpreted. Part II will give the analysis on the root cause of this vulnerability. Part III will explain how the exploit is developed, from arbitrary read/write to privilege escalation. Continue reading “Analysis on CVE-2017-16995”

Advertisements

QEMU Escape: Part 5 Put Everything Together (nographic mode)

Screenshot from 2018-03-13 22-07-42

Introduction

Yesterday I have already demonstrated how to hijack the control flow via leaking the base address of heap. Therefore, the only remaining step is to get the shell or view the flag, which will be discussed in this post. The final result is already given in the cover image. The full exploit is given in my github repository [2].
Continue reading “QEMU Escape: Part 5 Put Everything Together (nographic mode)”

QEMU Escape: Part 4 Hijack Control Flow (CVE-2015-7504)

Screenshot from 2018-03-13 22-07-42

Introduction

In the original post on QEMU escape, the author only introduces the details about the out-of-bound overflow (CVE-2015-7504) in QEMU. However, it adds no details on how to hijack the control flow. In this post, I will give more details on how I hijack the control to 0x414141414141 as shown in cover image.
Continue reading “QEMU Escape: Part 4 Hijack Control Flow (CVE-2015-7504)”

QEMU escape: Part 3 Information Leakage (CVE-2015-5165)

Screenshot from 2018-03-08 11-14-48

Introduction

This post will give some more debugging details on CVE-2015-5165. Based on the poc code in [1], we make some modification to the code according to the information of local machine.
As we know, QEMU is an application running on the host machine. The goal of the VM escape in the guest machine is that we have to retrieve the base address of text segment of QEMU application on the host machine and the base address of the virtual memory that are mapped to emulate the physical memory of guest machine.
The final result of the information leakage is given as the cover image of this post.
Continue reading “QEMU escape: Part 3 Information Leakage (CVE-2015-5165)”

Analysis on CVE-2013-2551

Introduction

This vulnerability is an integer overflow vulnerability, which involves a signed comparison between a signed integer and an unsigned integer and results in out-of-bound read. The analysis on root cause has already been available online [2][3]. But these talk few about how they locate the root cause in the binary starting from zero knowledge. In this post, I hope to log how I locate the root cause of the vulnerability starting from the crash. Therefore, the post may look tedious but I will try to demonstrate every step I take in my analysis. Continue reading “Analysis on CVE-2013-2551”