This is an exploit for CVE-2019-6778, a heap buffer overflow in slirp:tcp_emu(). For more information, see the chinese writeup (or Google Translated version) and the slides for the talk in Tensec 2019 by Marco and me.
$ ./qemu-system-x86_64 --version
QEMU emulator version 3.1.50 (v3.1.0-456-g9b2e891ec5-dirty)
Copyright (c) 2003-2018 Fabrice Bellard and the QEMU Project developers
Command used to start QEMU
./qemu-system-x86_64_exp -drive file=ubuntu-18.04-desktop-amd64.snapshot.qcow2,format=qcow2 -enable-kvm -m 2G -L ./pc-bios -smp 1 -device VGA -net user,hostfwd=tcp::2222-:22 -net nic
To simply verify the QEMU is vulnerable, run sudo nc -lvv 113
on the host. Then compile and run the crash poc in the guest.
For the exploit:
Compile
gcc -o exp exp.c
Set MTU for the network card before running the exploit
ifconfig ens2 mtu 9000 up
Then
./exp