From 2bd03f36a583c824d8bd5c3d0a8e45aa41821a99 Mon Sep 17 00:00:00 2001
From: Kenneth Adam Miller
Date: Sat, 7 Sep 2024 16:00:33 -0500
Subject: [PATCH 1/5] Initial commit with qemu submodule and vm-escape
---
 .gitmodules | 3 +++
 qemu | 1 +
 2 files changed, 4 insertions(+)
 create mode 100644 .gitmodules
 create mode 160000 qemu
diff --git a/.gitmodules b/.gitmodules
new file mode 100644
index 0000000..bd8880f
--- /dev/null
+++ b/.gitmodules
@@ -0,0 +1,3 @@
+[submodule "qemu"]
+ path = qemu
+ url = https://github.com/qemu/qemu.git
diff --git a/qemu b/qemu
new file mode 160000
index 0000000..ec08d9a
--- /dev/null
+++ b/qemu
@@ -0,0 +1 @@
+Subproject commit ec08d9a51e6af3cd3edbdbf2ca6e97a1e2b5f0d1
From 76c949de8d266749d71fe8fbf9ec704f943202e4 Mon Sep 17 00:00:00 2001
From: Kenneth Adam Miller
Date: Sat, 7 Sep 2024 16:01:44 -0500
Subject: [PATCH 2/5] Initial working build of old vulnerable QEMU with Dockerfile
---
 Dockerfile | 12 ++++++++++++
 qemu | 2 +-
 2 files changed, 13 insertions(+), 1 deletion(-)
 create mode 100644 Dockerfile
diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 0000000..7983ef2
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,12 @@
+FROM ubuntu:18.04
+RUN apt-get update && apt-get install git -y
+RUN git clone https://github.com/qemu/qemu.git
+WORKDIR qemu
+RUN git checkout bd80b59
+RUN DEBIAN_FRONTEND=noninteractive apt-get install python gcc bison flex make libglib2.0-dev libfdt-dev libpixman-1-dev zlib1g-dev ninja-build -y
+RUN mkdir -p bin/debug/native && \
+ cd bin/debug/native && \
+ ../../../configure --target-list=x86_64-softmmu --enable-debug \
+ --disable-werror
+RUN cd bin/debug/native && make
+
diff --git a/qemu b/qemu
index ec08d9a..bd80b59 160000
--- a/qemu
+++ b/qemu
@@ -1 +1 @@
-Subproject commit ec08d9a51e6af3cd3edbdbf2ca6e97a1e2b5f0d1
+Subproject commit bd80b5963f58c601f31d3186b89887bf8e182fb5
From d2f3e2d41fdaf0d0d8d83fa4ec7eca6a330b39ac Mon Sep 17 00:00:00 2001
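Review bot: `apt-get update` runs only in the first RUN layer while the toolchain install six lines later is a separate layer, so a cached rebuild can install from a stale package index and fail or resolve different package versions than the first build did; merging them into one `RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends ... && rm -rf /var/lib/apt/lists/*` makes the layer self-contained. The image also re-clones upstream QEMU over the network even though this same patch pins the `qemu` submodule to bd80b59; building from the submodule (`COPY qemu /qemu`) would keep the checked-in pin and the image from drifting apart. `ubuntu:18.04` is past its standard support window, which is acceptable for a deliberately old reproduction environment but deserves a one-line comment saying the base image is frozen on purpose.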
From: Kenneth Adam Miller
Date: Wed, 11 Sep 2024 01:43:22 -0500
Subject: [PATCH 3/5] Successfully setup build environment for replicating vm-escape
---
 .gitignore | 2 ++
 Dockerfile | 23 ++++++++++++++++++++++-
 Makefile | 1 +
 init.sh | 9 +++++++++
 run_vm_escape.sh | 8 ++++++++
 vm-escape.c | 6 +++++-
 6 files changed, 47 insertions(+), 2 deletions(-)
 create mode 100644 .gitignore
 create mode 100755 init.sh
 create mode 100755 run_vm_escape.sh
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..49b774c
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,2 @@
+newinitrd.img
+./extracted/**/**
diff --git a/Dockerfile b/Dockerfile
index 7983ef2..36166f7 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -8,5 +8,26 @@ RUN mkdir -p bin/debug/native && \
 cd bin/debug/native && \
 ../../../configure --target-list=x86_64-softmmu --enable-debug \
 --disable-werror
-RUN cd bin/debug/native && make
+RUN cd bin/debug/native && make && make install
+RUN DEBIAN_FRONTEND=noninteractive apt-get install cpio initramfs-tools-core -y
+# (mkinitramfs -o initrd || true) && \
+RUN mkdir -p /qemu/tmp/tmp/extracted/
+COPY extracted /qemu/tmp/tmp/extracted
+#unmkinitramfs initrd ./extracted && \
+RUN cd /qemu/tmp/tmp && \
+ cd extracted && \
+ cd early && \
+ find . -print0 | cpio --null --create --format=newc > /qemu/tmp/tmp/newinitrd && \
+ cd ../early2 && \
+ find kernel -print0 | cpio --null --create --format=newc >> /qemu/tmp/tmp/newinitrd
+
+COPY run_vm_escape.sh ./
+RUN apt-get install wget -y
+RUN wget https://storage.googleapis.com/kvmctf/latest.tar.gz
+RUN tar xzf latest.tar.gz
+RUN cp kvmctf-6.1.74/bzImage/bzImage ./ && mkdir /vm-escape
+COPY ./vm-escape.c ./Makefile /vm-escape
+RUN make -C /vm-escape/ && cp /vm-escape/vm-escape /qemu/tmp/tmp/extracted/main/bin
+RUN cd /qemu/tmp/tmp/extracted/main && \
+ find . | cpio --create --format=newc | xz --format=lzma >> /qemu/tmp/tmp/newinitrd
 
diff --git a/Makefile b/Makefile
index 841ea2e..7f6fd38 100644
--- a/Makefile
+++ b/Makefile
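Review bot: The kernel image that run_vm_escape.sh later boots comes from `RUN wget https://storage.googleapis.com/kvmctf/latest.tar.gz` with no version pin and no integrity check, so the build is not reproducible and trusts whatever that URL serves at build time. Pin a versioned archive if one is published (the next line already assumes `kvmctf-6.1.74`) and verify a recorded digest before `tar xzf`, e.g. `RUN echo "<SHA256_OF_ARCHIVE>  latest.tar.gz" | sha256sum -c -`. The same reproducibility concern applies to `COPY extracted`: that tree is produced on the host by init.sh from the host's own running kernel, so the resulting initramfs differs per build machine, and a comment in the Dockerfile stating that dependency would save the next reader a confusing build failure. Minor: the two earlier cpio invocations use `-print0`/`--null` but the final `find . | cpio --create --format=newc` does not, so the last archive would mishandle paths containing whitespace or newlines.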
@@ -1,3 +1,4 @@
+LDFLAGS= -pthread -lpthread
 CFLAGS=-g -lpthread -std=c11 -D_DEFAULT_SOURCE
 all: vm-escape
diff --git a/init.sh b/init.sh
new file mode 100755
index 0000000..3f72318
--- /dev/null
+++ b/init.sh
@@ -0,0 +1,9 @@
+#mkinitramfs, extract ramdisk.img
+mkinitramfs -o ramdisk.img
+unmkinitramfs ramdisk.img ./extracted
+
+#build everything
+docker build . -t vm_escape
+
+#run docker run_vm_escape
+docker run --device=/dev/kvm -ti vm_escape ./run_vm_escape.sh
diff --git a/run_vm_escape.sh b/run_vm_escape.sh
new file mode 100755
index 0000000..d73f503
--- /dev/null
+++ b/run_vm_escape.sh
@@ -0,0 +1,8 @@
+qemu-system-x86_64 -enable-kvm -m 2048 -display vnc=:89 \
+ -netdev user,id=t0, -device rtl8139,netdev=t0,id=nic0 \
+ -netdev user,id=t1, -device pcnet,netdev=t1,id=nic1 \
+ -L ./qemu/pc-bios \
+ -nographic \
+ -append "console=ttyS0 nokaslr" \
+ -initrd /qemu/tmp/tmp/newinitrd \
+ -boot c -kernel ./bzImage
diff --git a/vm-escape.c b/vm-escape.c
index 68a273d..44e436c 100644
--- a/vm-escape.c
+++ b/vm-escape.c
@@ -725,6 +725,10 @@ size_t qemu_get_leaked_chunk(struct rtl8139_ring *ring, size_t nb_packet,
 }
 }
 }
+ if (!nb_leak) {
+ warnx("[!] searched %lu packets with %lu size, %"PRIxHPTR", no chunk found",
+ nb_packet, size, (long unsigned) leak);
+ }
 return nb_leak;
 }
@@ -1015,7 +1019,7 @@ int main()
 if (!nb_leak) {
 errx(-1, "[!] failed to find usable chunks");
 }
- warnx("[+] found %d potential ObjectProperty structs in memory", nb_leak);
+ warnx("[+] found %lu potential ObjectProperty structs in memory", nb_leak);
 score = qemu_get_leaked_object_property(leak, nb_leak, &leak_object,
From 0447b803104f388919f90d97ccb997fb2d93d5cf Mon Sep 17 00:00:00 2001
From: Kenneth Adam Miller
Date: Wed, 11 Sep 2024 01:45:02 -0500
Subject: [PATCH 4/5] Tweak gitignore to prevent artifact leaking into version control
---
 .gitignore | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.gitignore b/.gitignore
index 49b774c..d66cd4e 100644
--- a/.gitignore
+++ b/.gitignore
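Review bot: `-lpthread` in the existing `CFLAGS` line is a linker flag living in compiler flags, and the new `LDFLAGS= -pthread -lpthread` then names the thread library a second time; `-pthread` alone already handles both the compile-time defines and the link. Suggest `CFLAGS=-g -pthread -std=c11 -D_DEFAULT_SOURCE` and `LDFLAGS=-pthread`, assuming the `vm-escape` rule (outside the hunk) links with `$(CFLAGS) $(LDFLAGS)` as the implicit rule does.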
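Review bot: init.sh has no shebang and no `set -e`, so when `mkinitramfs` or `unmkinitramfs` fails the script still proceeds to `docker build` and `docker run` with a missing or partial `extracted` tree, and the failure surfaces much later as a confusing build error. Add `#!/bin/sh` and `set -eu` as the first two lines. The script also builds the initramfs from the host's currently running kernel, so the produced image depends on whichever machine ran it; a comment on the first line saying so (`# builds ./extracted from the HOST kernel; the Dockerfile COPYs it in`) would make that dependency visible.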
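Review bot: `-display vnc=:89` on the first line starts a VNC server with no authentication, and a bare `:89` display appears to listen on all interfaces rather than loopback, so anyone who can reach the container's network namespace gets a guest console. Since `-nographic` is passed as well (and may conflict with an explicit display), either drop the VNC display or bind it locally with `-display vnc=127.0.0.1:89`. The trailing commas in `user,id=t0,` and `user,id=t1,` look like typos that QEMU's option parser may reject or misparse; `-netdev user,id=t0` is the intended form. The file is committed with mode 100755 but has no shebang, so its interpreter depends on the caller.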
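Review bot: The two `%lu` conversions in the new `warnx` call receive `nb_packet` and `size`, and `nb_packet` is declared `size_t` in the signature shown in the hunk header (`size` presumably is too); the portable conversion for `size_t` is `%zu`, and `%lu` is correct only where `unsigned long` happens to have the same width. The second hunk in this file, the `%d` → `%lu` change in `main`, has the same issue for `nb_leak`, which this function returns as `size_t`. `PRIxHPTR` is not a standard `<inttypes.h>` macro; if it is a project alias for `PRIxPTR`, the matching argument type is `uintptr_t` rather than the `(long unsigned)` cast used here. Both enclosing functions start outside their hunks.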
@@ -1,2 +1,3 @@
 newinitrd.img
 ./extracted/**/**
+ramdisk.img
From 9b59a35c7a7e7d730f8938afb9010cbc77f66e65 Mon Sep 17 00:00:00 2001
From: Kenneth Adam Miller
Date: Wed, 11 Sep 2024 01:59:27 -0500
Subject: [PATCH 5/5] Ignore dirty working dir from version control
---
 .gitignore | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.gitignore b/.gitignore
index d66cd4e..92c6c0a 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,4 @@
 newinitrd.img
 ./extracted/**/**
 ramdisk.img
+/extracted/