Skip to content

Update to provide docker based replication #1

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
KennethAdamMiller wants to merge 5 commits into
base: master
Choose a base branch
from
Open

Update to provide docker based replication #1

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
2bd03f3
Initial commit with qemu submodule and vm-escape
KennethAdamMiller Sep 7, 2024
76c949d
Initial working build of old vulnerable QEMU with Dockerfile
KennethAdamMiller Sep 7, 2024
d2f3e2d
Successfully setup build environment for replicating vm-escape
KennethAdamMiller Sep 11, 2024
0447b80
Tweak gitignore to prevent artifact leaking into version control
KennethAdamMiller Sep 11, 2024
9b59a35
Ignore dirty working dir from version control
KennethAdamMiller Sep 11, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 4 additions & 0 deletions .gitignore
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,4 @@
newinitrd.img
./extracted/**/**
ramdisk.img
/extracted/
3 changes: 3 additions & 0 deletions .gitmodules
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,3 @@
[submodule "qemu"]
path = qemu
url = https://github.com/qemu/qemu.git
33 changes: 33 additions & 0 deletions Dockerfile
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,33 @@
FROM ubuntu:18.04
RUN apt-get update && apt-get install git -y
RUN git clone https://github.com/qemu/qemu.git
WORKDIR qemu
RUN git checkout bd80b59
RUN DEBIAN_FRONTEND=noninteractive apt-get install python gcc bison flex make libglib2.0-dev libfdt-dev libpixman-1-dev zlib1g-dev ninja-build -y
RUN mkdir -p bin/debug/native && \
cd bin/debug/native && \
../../../configure --target-list=x86_64-softmmu --enable-debug \
--disable-werror
RUN cd bin/debug/native && make && make install
RUN DEBIAN_FRONTEND=noninteractive apt-get install cpio initramfs-tools-core -y
# (mkinitramfs -o initrd || true) && \
RUN mkdir -p /qemu/tmp/tmp/extracted/
COPY extracted /qemu/tmp/tmp/extracted
#unmkinitramfs initrd ./extracted && \
RUN cd /qemu/tmp/tmp && \
cd extracted && \
cd early && \
find . -print0 | cpio --null --create --format=newc > /qemu/tmp/tmp/newinitrd && \
cd ../early2 && \
find kernel -print0 | cpio --null --create --format=newc >> /qemu/tmp/tmp/newinitrd

COPY run_vm_escape.sh ./
RUN apt-get install wget -y
RUN wget https://storage.googleapis.com/kvmctf/latest.tar.gz
RUN tar xzf latest.tar.gz
RUN cp kvmctf-6.1.74/bzImage/bzImage ./ && mkdir /vm-escape
COPY ./vm-escape.c ./Makefile /vm-escape
RUN make -C /vm-escape/ && cp /vm-escape/vm-escape /qemu/tmp/tmp/extracted/main/bin
RUN cd /qemu/tmp/tmp/extracted/main && \
find . | cpio --create --format=newc | xz --format=lzma >> /qemu/tmp/tmp/newinitrd

1 change: 1 addition & 0 deletions Makefile
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,3 +1,4 @@
LDFLAGS= -pthread -lpthread
CFLAGS=-g -lpthread -std=c11 -D_DEFAULT_SOURCE

all: vm-escape
9 changes: 9 additions & 0 deletions init.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,9 @@
#mkinitramfs, extract ramdisk.img
mkinitramfs -o ramdisk.img
unmkinitramfs ramdisk.img ./extracted

#build everything
docker build . -t vm_escape

#run docker run_vm_escape
docker run --device=/dev/kvm -ti vm_escape ./run_vm_escape.sh
1 change: 1 addition & 0 deletions qemu
Open in desktop
Submodule qemu added at bd80b5
8 changes: 8 additions & 0 deletions run_vm_escape.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,8 @@
qemu-system-x86_64 -enable-kvm -m 2048 -display vnc=:89 \
-netdev user,id=t0, -device rtl8139,netdev=t0,id=nic0 \
-netdev user,id=t1, -device pcnet,netdev=t1,id=nic1 \
-L ./qemu/pc-bios \
-nographic \
-append "console=ttyS0 nokaslr" \
-initrd /qemu/tmp/tmp/newinitrd \
-boot c -kernel ./bzImage
6 changes: 5 additions & 1 deletion vm-escape.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -725,6 +725,10 @@ size_t qemu_get_leaked_chunk(struct rtl8139_ring *ring, size_t nb_packet,
}
}
}
if (!nb_leak) {
warnx("[!] searched %lu packets with %lu size, %"PRIxHPTR", no chunk found",
nb_packet, size, (long unsigned) leak);
}
return nb_leak;
}

Expand Down Expand Up @@ -1015,7 +1019,7 @@ int main()
if (!nb_leak) {
errx(-1, "[!] failed to find usable chunks");
}
warnx("[+] found %d potential ObjectProperty structs in memory", nb_leak);
warnx("[+] found %lu potential ObjectProperty structs in memory", nb_leak);

score = qemu_get_leaked_object_property(leak, nb_leak,
&leak_object,
Expand Down