-
-
[原创] 关于CVE-2015-5165 以及CVE-2015-7504 的QEMU VM ESCAPE测试环境搭建,分析以及利用
-
发表于: 2018-3-15 21:30
-
感觉最近CTF比赛里面VM escape都快成常见题了,于是决定学习一波虚拟机逃逸。
本文主要基于去年phrack上的一篇文章[1]。但分析完后发现,除了info leak阶段没有太大变动之外,从调试环境到拿到主机上的flag都做了很大的修改。
于是想把分析的过程分享出来。论坛里面貌似只有人做过翻译,但实际做起来发现差别还是挺大的。
废话不说,先上结果
Info Leak
Hijack Control Flow
拿到flag
具体分析过程,请参见我的博客
1. cd7K9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6V1j5h3&6Y4L8$3E0&6L8#2)9J5k6h3#2W2i4K6u0r3x3U0l9I4z5q4)9J5c8U0l9K6i4K6u0r3x3o6u0Q4x3V1k6I4k6h3#2#2i4K6u0V1k6i4y4U0j5i4m8W2i4K6u0V1M7r3q4J5N6q4)9J5k6o6q4Q4x3X3c8W2L8Y4k6A6M7X3!0F1L8h3g2F1N6q4)9J5k6s2y4W2N6q4)9J5k6s2g2H3i4K6u0r3
2. 59dK9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6V1j5h3&6Y4L8$3E0&6L8#2)9J5k6h3#2W2i4K6u0r3x3U0l9I4z5q4)9J5c8U0l9K6i4K6u0r3x3o6S2Q4x3V1k6I4k6h3#2#2i4K6u0V1k6i4y4U0j5i4m8W2i4K6u0V1M7r3q4J5N6q4)9J5k6o6u0Q4x3X3c8V1k6h3u0#2k6$3N6A6L8X3N6Q4x3X3c8W2L8Y4k6A6M7X3!0F1L8h3g2F1N6q4)9J5k6s2y4W2N6q4)9J5k6s2g2H3i4K6u0r3
3. ae8K9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6V1j5h3&6Y4L8$3E0&6L8#2)9J5k6h3#2W2i4K6u0r3x3U0l9I4z5q4)9J5c8U0l9K6i4K6u0r3x3o6S2Q4x3V1k6I4k6h3#2#2i4K6u0V1k6i4y4U0j5i4m8W2i4K6u0V1M7r3q4J5N6q4)9J5k6o6y4Q4x3X3c8A6L8X3k6G2M7X3#2S2N6r3W2G2L8W2)9J5k6r3I4W2j5h3E0S2k6$3g2Q4x3X3c8U0N6X3g2Q4x3X3b7J5x3o6p5#2i4K6u0V1y4e0p5$3y4g2)9J5c8R3`.`.
4. c11K9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6V1j5h3&6Y4L8$3E0&6L8#2)9J5k6h3#2W2i4K6u0r3x3U0l9I4z5q4)9J5c8U0l9K6i4K6u0r3x3e0c8Q4x3V1k6I4k6h3#2#2i4K6u0V1k6i4y4U0j5i4m8W2i4K6u0V1M7r3q4J5N6q4)9J5k6o6c8Q4x3X3c8Z5K9h3A6S2j5$3E0Q4x3X3c8U0L8$3&6@1M7X3!0D9i4K6u0V1k6X3I4G2N6#2)9J5c8R3`.`.
|
|
|---|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
楼主QQ twitter多少?交流交流~
|
|
|
有的twitter搜我ID就是。 |
