scavenger

This is an exploit for an uninitialized free in nvme:nvme_map_prp(). For more information, see the writeup the slides for the talk in Blackhat Asis 2021.

Environment

$ ./qemu-system-x86_64 --version
QEMU emulator version 4.2.1 (Debian 1:4.2-3ubuntu6.7)
Copyright (c) 2003-2019 Fabrice Bellard and the QEMU Project developers

Command used to start QEMU

./qemu-system-x86_64_exp -enable-kvm -boot c -m 4G -drive format=qcow2,file=./ubuntu.img \
        -nic user,hostfwd=tcp:0.0.0.0:5555-:22 \
        -drive file=./nvme.img,if=none,id=D11 -device nvme,drive=D11,serial=1234,cmb_size_mb=64  \
        -device virtio-gpu -display none

Run

Compile the exploit

make

Then

./exp

Name		Name	Last commit message	Last commit date
Latest commit History 9 Commits
exploit		exploit
poc		poc
README.md		README.md
as-21-Pan-Scavenger-Misuse-Error-Handling-Leading-To-QEMU-KVM-Escape.pdf		as-21-Pan-Scavenger-Misuse-Error-Handling-Leading-To-QEMU-KVM-Escape.pdf
writeup.md		writeup.md

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Repository files navigation

scavenger

Environment

Run

About

Releases

Packages

Languages

hustdebug/scavenger

Folders and files

Latest commit

History

Repository files navigation

scavenger

Environment

Run

About

Resources

Stars

Watchers

Forks

Releases

Packages 0

Languages

Packages