Qemu stosb vulnerability lives again, exploit POC inside :D

Post by MadM0use on Thu Apr 09, 2015 3:24 pm

Ever seen a vulnerability come back to life because of a bad patch? I sure have lol

Code:
// ------------------------------------------------------------------------------
// THE BEER-WARE LICENSE (Revision 43):
// <aaronryool@gmail.com> wrote this file. As long as you retain this notice you
// can do whatever you want with this stuff. If we meet some day, and you think
// this stuff is worth it, you can buy me a beer in return
// ------------------------------------------------------------------------------

// Build as a non-PIE x86 binary so that "mov edi, offset label" can carry an
// absolute 32-bit address, e.g.:  gcc -m32 -no-pie -o qemu_stosb qemu_stosb.c

#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <signal.h>
#include <sys/mman.h>

int main(int a);

// If the self-modifying write faults (code page not writable), re-enter main
// with a magic argument and treat it as "in the matrix".
void handler(int sig)
{
   switch(sig)
   {
      case SIGSEGV:
         main(0xC0DE);
      break;
   }
}

unsigned qemu(void)
{
   unsigned result;
   // make the page holding the asm below writable so the code can patch itself
   void *page = (void *) ((unsigned long) (&&assembly) & ~(getpagesize() - 1));
   mprotect(page, getpagesize(), PROT_READ | PROT_WRITE | PROT_EXEC);
assembly: asm volatile(
   ".intel_syntax noprefix\n"
   "   mov eax, 0x90\n"          // the byte to write: a nop
   "   mov ecx, 9\n"             // 9 bytes: mov edi,imm32 (5) + rep stosb (2) + jmp rel8 (2)
   "1: mov edi, offset 1b\n"     // edi = address of this very instruction
   "   rep stosb\n"              // overwrite those 9 bytes of code, including the jmp below
   "   jmp 2f\n"                 // real CPU: already nop'ed out; old qemu still executes it
   "   jecxz 3f\n"               // ecx is 0 after the rep, so a real CPU lands here and branches
   "2: mov eax, 1\n"             // the jmp survived: the translated block was not invalidated
   "   jmp 4f\n"
   "3: xor eax, eax\n"           // the jmp was overwritten: running on real hardware
   "4:\n"
   ".att_syntax prefix\n"
   : "=a" (result) : : "ecx", "edi", "memory", "cc");
   return result;
}

int main(int a)
{
   if(a == 0xC0DE) goto matrix;   // re-entered from the SIGSEGV handler
   signal(SIGSEGV, &handler);

   if(qemu()) goto matrix;
   puts("Isn't real life boring?");
   exit(0);

matrix:
   puts("The Matrix haz you Neo...");
   exit(1);
}

Shame on you impatient developers lol

Here is the obligatory Windows version lol
Code:
// ------------------------------------------------------------------------------
// THE BEER-WARE LICENSE (Revision 43):
// <aaronryool@gmail.com> wrote this file. As long as you retain this notice you
// can do whatever you want with this stuff. If we meet some day, and you think
// this stuff is worth it, you can buy me a beer in return
// ------------------------------------------------------------------------------

// 32-bit MSVC build only: __asm blocks are not available in x64 compilers.

#include <iostream>
#include <cstdlib>
#include <windows.h>
#include <tchar.h>

unsigned qemu(void)
{
   unsigned result;
   __asm{
           mov eax, 0x90         // a nop, the byte that gets copied over the code below
           mov ecx, 9            // 9 bytes: mov edi,imm32 (5) + rep stosb (2) + jmp short (2)
   off:    mov edi, offset off   // address of the start of this instruction, for rep stosb
           rep stosb             // overwrite the code region with nops
           jmp short _qemu       // on real hardware this has already been overwritten; if it still runs, some naughty child is running an old version of qemu lol, and they are in the matrix
           jecxz noqemu          // ecx is 0 after the rep, so a real CPU lands here and is not in the matrix by definition lol
   _qemu:                        // this is the matrix
           mov eax, 1            // return 1 in eax
           jmp short done
   noqemu:                       // this is not the matrix
           xor eax, eax          // return 0 in eax
   done:   mov result, eax
   }
   return result;
}

int seh_filter(unsigned code, struct _EXCEPTION_POINTERS* ep)
{
   return EXCEPTION_EXECUTE_HANDLER;
}

int _tmain(int argc, _TCHAR* argv[])
{
   DWORD oldProtect;
   // make the code of qemu() writable so it can patch itself (rounded up to the page)
   VirtualProtect((LPVOID)&qemu, 0x14, PAGE_EXECUTE_READWRITE, &oldProtect);
   __try
   {
      if(qemu()) goto matrix;
   }
   __except(seh_filter(GetExceptionCode(), GetExceptionInformation()))
   {
      goto matrix;   // the self-modifying write faulted: treat it as the matrix
   }
   std::cout << "Isn't real life boring?" << std::endl;
   exit(0);
matrix:
   std::cout << "The Matrix haz you Neo..." << std::endl;
   exit(1);
}
const char main[]="\xeb\xfe -> A fully functional program in C";

<@MadMouse> i am forgot what i was doing today but i had motivation and a distinct plan when i woke up stoned right now

http://pastebin.com/FnwUG5KS
Books:
http://goo.gl/muPm3d