QEMU Internal: PCNET

Introduction

This post gives a basic introduction to how QEMU emulates a pcnet network card, from the perspective of the source code. In QEMU, pcnet-pci.c and pcnet.c are the two most important files related to pcnet network card emulation. From my point of view, pcnet-pci.c emulates the interaction between QEMU and the pcnet device, including device initialization and device I/O communication; pcnet.c emulates the interaction between QEMU and the guest machine, including packet transmission and data processing.
This post picks out parts of the QEMU source code to explain QEMU's internals.

QEMU Escape: Part 6 Put Everything Together (another trial)

Introduction

In my previous blog post, I mentioned that MADV_DONTFORK is set on the virtual memory region that is used as the physical memory of the guest machine. In other words, memory marked MADV_DONTFORK will not be passed to the forked process. In this post, I will prove this hypothesis by undoing the MADV_DONTFORK flag of the memory region and displaying the flag.

In the exploit given in [1] and [2], the author first changes the protection flag of PHY_MEM to RWX and prepares shellcode in PHY_MEM to undo the MADV_DONTFORK flag of PHY_MEM. From my perspective, such a method is tedious for the purpose of this post. Instead, I choose to prove the hypothesis directly via a code-reuse attack.

N1CTF 2018 PWN NULL Write-up

Introduction

Working in the wrong direction means going far away. After reading the write-up in [1], I think this is not a difficult challenge. During the contest, I was hesitating between House of Orange and House of Mind. After reaching a dead end in both approaches, I hoped to find some hints in the title of the challenge. Therefore I turned to this post [2], looking for possible hints about file streams on /dev/null. But the result shows that I was overthinking it and should have started from the easier ideas.
I need to record what I thought during the contest and set a reminder for myself.