This is an exploit for an uninitialized free in nvme:nvme_map_prp()

Overview

scavenger

This is an exploit for an uninitialized free in nvme:nvme_map_prp(). For more information, see the writeup the slides for the talk in Blackhat Asis 2021.

Environment

$ ./qemu-system-x86_64 --version
QEMU emulator version 4.2.1 (Debian 1:4.2-3ubuntu6.7)
Copyright (c) 2003-2019 Fabrice Bellard and the QEMU Project developers

Command used to start QEMU

./qemu-system-x86_64_exp -enable-kvm -boot c -m 4G -drive format=qcow2,file=./ubuntu.img \
        -nic user,hostfwd=tcp:0.0.0.0:5555-:22 \
        -drive file=./nvme.img,if=none,id=D11 -device nvme,drive=D11,serial=1234,cmb_size_mb=64  \
        -device virtio-gpu -display none

Run

Compile the exploit

make

Then

./exp
You might also like...
Mario Kart 7 semi-primary exploit for the Nintendo 3DS.
Mario Kart 7 semi-primary exploit for the Nintendo 3DS.

kartdlphax kartdlphax is a semiprimary exploit for the download play mode of Mario Kart 7. It can be used to run an userland payload in an unmodified

🎻 Automatic Exploit Generation using symbolic execution

S2E Library This repository contains all the necessary components to build libs2e.so. This shared library is preloaded in QEMU to enable symbolic exec

My exploit for CVE-2021-40449, a Windows LPE via a UAF in win32kfull!GreResetDCInternal.
My exploit for CVE-2021-40449, a Windows LPE via a UAF in win32kfull!GreResetDCInternal.

CVE-2021-40449 My exploit for CVE-2021-40449, a Windows LPE via a UAF in win32kfull!GreResetDCInternal. short wu along with the UAF vulnerabilty other

Make CVE-2020-0668 exploit work for version < win10 v1903 and version >= win10 v1903
Make CVE-2020-0668 exploit work for version win10 v1903 and version = win10 v1903

CVE-2020-0668 Made CVE-2020-0668 exploit work for version win10 v1903 and version = win10 v1903 Diaghub Exploit ( v1903) powershell exploit works

Exploit for CVE-2021-40449

CVE-2021-40449 More info here: https://kristal-g.github.io/2021/11/05/CVE-2021-40449_POC.html Compiling I did a bit of a hack with the MinHook library

A tool for [(semi-){un-(tethered jailbreak)}] of iOS 10.3.x 32-bit devices with checkm8 BootROM exploit.

p0insettia A tool for [(semi-){un-(tethered jailbreak)}] of iOS 10.3.4 32-bit devices iPhone 5 with checkm8 BootROM exploit. Note All at your own risk

Exploit for CVE-2021-30807

Write up is here: https://jsherman212.github.io/2021/11/28/popping_ios14_with_iomfb.html Exploit for CVE-2021-30807. If you really want to build a jai

Exploit for CVE-2021-40449 - Win32k Elevation of Privilege Vulnerability (LPE)
Exploit for CVE-2021-40449 - Win32k Elevation of Privilege Vulnerability (LPE)

CallbackHell Exploit for CVE-2021-40449 (Win32k - LPE) CallbackHell Description Technical Writeup PoC References Description CVE-2021-40449 is a use-a

Gex is an iOS 14.7 jailbreak using CVE-2021-30807 IOMFB exploit

Gex is an iOS 14.7 jailbreak using CVE-2021-30807 IOMFB exploit rest of this readme is from jsherman212's exploit repo and probably stuff that is abou

Owner
Hadas
CTFer,interested in system/virtualization security.
Hadas
FastPath_MP: An FPGA-based multi-path architecture for direct access from FPGA to NVMe SSD

FastPath_MP Description This repository stores the source code of FastPath_MP, an FPGA-based multi-path architecture for direct access from FPGA to NV

Beehive lab 21 Sep 12, 2022
Android PoC to read/write Huawei's NVME image

hisi-nve Android PoC to read/write Huawei's NVME image Disclaimers Use this tool at your own risk and always backup NVME. This tool was made for educa

Roger Ortiz 19 Dec 15, 2022
Some hypervisor research notes. There is also a useful exploit template that you can use to verify / falsify any assumptions you may make while auditing code, and for exploit development.

Introduction Over the past few weeks, I've been doing some hypervisor research here and there, with most of my focus being on PCI device emulation cod

Faith 130 Nov 18, 2022
A simple Roblox exploit written in C++ Everything in the C++ file is original work besides the dependencies, free for you to use.

headhunter A simple Roblox exploit written in C++ Everything in the C++ file is original work besides the dependencies, free for you to use. This code

ster ster 45 Jan 5, 2023
A FREE Windows C development course where we will learn the Win32API and reverse engineer each step utilizing IDA Free in both an x86 and x64 environment.

FREE Reverse Engineering Self-Study Course HERE Hacking Windows The book and code repo for the FREE Hacking Windows book by Kevin Thomas. FREE Book Do

Kevin Thomas 1.1k Dec 27, 2022
collection of C/C++ programs that try to get compilers to exploit undefined behavior

------------------------------------------------------------------------------- UB Canaries: A collection of C/C++ programs that detect undefined beh

John Regehr 161 Nov 22, 2022
Demo exploit code for CVE-2020-27904, a tfp0 bug.

xattr-oob-swap CVE-2020-27904: a tfp0 bug for macOS 10.15.x and below. Demo exploit code for my talk at BlackHat ASIA 2021. The vulnerability has been

null 64 Nov 9, 2022
Exploit to SYSTEM for CVE-2021-21551

CVE-2021-21551 Exploit to SYSTEM for CVE-2021-21551 SpoolPrinter Privesc using SeImpersonatePrivileges was made thanks to

null 237 Dec 14, 2022
a reliable C based exploit for CVE-2021-3560.

CVE-2021-3560 a reliable C based exploit for CVE-2021-3560. Summary: Yestreday i stumbled upon this blog post by Kevin Backhouse (discovered this vuln

hakivvi 34 Jun 21, 2022
Exploit allowing you to read registry hives as non-admin on Windows 10 and 11

HiveNightmare aka SeriousSam, or now CVE-2021–36934. Exploit allowing you to read any registry hives as non-admin. What is this? An zero day exploit f

Kevin Beaumont 618 Jan 1, 2023