VirtualBox Slirp NAT Packet Heap Exploitation

Tip

Jifunze na fanya mazoezi ya AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Jifunze na fanya mazoezi ya GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE) Jifunze na fanya mazoezi ya Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

• Angalia mpango wa usajili!
• Jiunge na 💬 kikundi cha Discord au kikundi cha telegram au tufuatilie kwenye Twitter 🐦 @hacktricks_live.
• Shiriki mbinu za hacking kwa kuwasilisha PRs kwa HackTricks na HackTricks Cloud repos za github.

TL;DR

• VirtualBox inasafirisha fork iliyorekebishwa sana ya Slirp ambapo packet buffers (mbufs) zinaishi katika custom zone allocator yenye inline metadata na function-pointer callbacks (pfFini, pfDtor).
• Mgeni anaweza kuandika upya trusted m->m_len kwa kutumia attacker-controlled IP header length, ambayo huvunja semua checks za bounds baadaye na kutoa infoleak na overwrite primitives.
• Kwa kutumia vibaya UDP packets zenye checksum 0 na oversized ip_len, mgeni anaweza exfiltrate mbuf tails na metadata ya chunks jirani ili kujua anwani za heap na zone.
• Kutoa crafted IP options kunafanya ip_stripoptions() iite memcpy() kwa data nyingi sana kwa inplace, hivyo mwenye shambulio anaweza kuandika juu header ya struct item ya mbuf inayofuata na kuelekeza field yake ya zone kwa data iliyodhibitiwa kabisa.
• Kutoa free kwa mbuf iliyoharibika husababisha zone->pfFini() kuitwa na arguments zinazotolewa na mshambuliaji; kuiwekea pointer kwa memcpy@plt hutoa primitive ya nakala/andika isiyokuwa na mipaka ambayo inaweza kuelekezwa kwa GOT entries au data nyingine za udhibiti ndani ya binary ya VirtualBox isiyo-PIE.

Packet allocator anatomy

VirtualBox inatenga kila ingress Ethernet frame kutoka kwa per-interface zone inayoitwa zone_clust. Kila kipande cha data cha 0x800-byte kina header ya inline mbele yake:

struct item {
uint32_t magic;      // 0xdead0001
void    *zone;       // uma_zone_t pointer with callbacks
uint32_t ref_count;
LIST_ENTRY(item) list; // freelist / used list links
};

Wakati mbuf inafutwa msururu wa wito m_freem -> ... -> slirp_uma_free() unaaminisha inline header:

1. uma_zfree_arg() inakokotoa tena item = (struct item *)mem - 1 na inapaswa kuthibitisha item->zone, lakini Assert() imeondolewa katika majengo ya uzalishaji.
2. slirp_uma_free() inasoma zone = item->zone na kutekeleza bila masharti zone->pfFini(zone->pData, data_ptr, zone->size) ikifuatiwa na zone->pfDtor(...).

Kwa hivyo, yoyote write-what-where ndani ya kichwa cha mbuf hubadilika kuwa indirect call iliyodhibitiwa wakati wa free().

Infoleak via m->m_len override

Katika mwanzo wa ip_input() VirtualBox iliongeza:

if (m->m_len != RT_N2H_U16(ip->ip_len))
m->m_len = RT_N2H_U16(ip->ip_len);

Because the assignment happens before verifying the IP header, a guest can advertise any length up to 0xffff. The rest of the stack (ICMP, UDP, fragmentation handlers, etc.) assumes m->m_len is trustworthy and uses it to decide how many bytes to copy off the mbuf.

Tumia UDP packets zenye checksum 0 (meaning “no checksum”). NAT fast-path inatuma mbele m->m_len bytes bila kuchunguza uadilifu wa payload, hivyo kuongeza ip_len husababisha Slirp kusoma zaidi ya buffer halisi na kurudisha mabaki ya heap kwa guest au kwa cooperating external helper nje ya NAT. Kwa sababu ukubwa wa chunk ni 2048 bytes, leak inaweza kujumuisha:

• The next mbuf’s inline struct item, revealing the freelist order and the real zone pointer.
• Heap cookies such as magic fields, helping to craft valid-looking headers when performing corruptions later.

Overwriting neighbouring chunk headers with IP options

The same bogus length can be turned into an overwrite primitive by forcing the packet through ip_stripoptions() (triggered when the IP header has options and the payload is UDP/TCP). The helper computes a copy length from m->m_len and then calls memcpy() to slide the transport header over the stripped options:

1. Supply a long ip_len so the computed move length extends past the current mbuf.
2. Include a small number of IP options so Slirp enters the stripping path.
3. When memcpy() runs, it reads from the following mbuf and writes over the current mbuf’s payload and inline header, corrupting magic, zone, ref_count, etc.

Kwa sababu allocator huweka packets kutoka interface ileile contiguous kwenye freelist, overflow hii inagonga kwa utabiri chunk inayofuata baada ya modest heap grooming.

Forging uma_zone_t to hijack pfFini

Once the adjacent struct item is corruptible, the exploit proceeds as follows:

1. Use leaked heap addresses to build a fake uma_zone structure inside a mbuf fully controlled by the guest. Populate:

• pfFini with the PLT entry of memcpy().
• pData with the desired destination pointer (e.g. GOT entry, vtable slot, function pointer array).
• size with the number of bytes to copy.
• Optional: pfDtor as a second stage call (e.g. to invoke the newly-written function pointer).

2. Overwrite the target mbuf’s zone field with the pointer to the fake structure; adjust list pointers so freelist bookkeeping remains consistent enough to avoid crashes.
3. Free the mbuf. slirp_uma_free() now executes memcpy(dest=pData, src=item_data, n=size) while the mbuf still contains guest-controlled data, yielding an arbitrary write.

Because the Linux VirtualBox binary is non-PIE, PLT addresses for memcpy and system are fixed and can be used directly. The guest can also stash strings such as /bin/sh inside another mbuf that remains referenced when the hijacked call executes.

Heap grooming via fragmentation

Slirp’s per-interface zone is 3072 chunks deep and initially carved as a contiguous array whose freelist is traversed from high addresses downward. Deterministic adjacency can be achieved by:

• Flooding the NAT with many IP_MF fragments of constant size so the reassembly code allocates predictable mbuf sequences.
• Recycling specific chunks by sending fragments that time out, forcing frees back into the freelist in LIFO order.
• Using knowledge of the freelist walk to place the future victim mbuf right after the mbuf that will carry the IP options overflow.

This grooming ensures the overflow hits the targeted struct item and that the fake uma_zone remains in-bounds of the leak primitive.

From arbitrary write to host code execution

With the memcpy-on-free primitive:

1. Copy an attacker-controlled /bin/sh string and command buffer into a stable mbuf.
2. Use the primitive to overwrite a GOT entry or indirect callsite (e.g. a function pointer inside the NAT device state) with the PLT entry of system().
3. Trigger the overwritten call. Because VirtualBox runs the NAT device inside the host process, the payload executes with the privileges of the user running VirtualBox, allowing a guest-to-host escape.

Alternative payloads include planting a miniature ROP chain in heap memory and copying its address into a frequently-invoked callback, or repointing pfFini/pfDtor themselves to chained gadgets for repeated writes.

References

• Thinking Outside The Box: Exploiting VirtualBox Slirp NAT Heap Corruption

Tip

Jifunze na fanya mazoezi ya AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Jifunze na fanya mazoezi ya GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE) Jifunze na fanya mazoezi ya Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

• Angalia mpango wa usajili!
• Jiunge na 💬 kikundi cha Discord au kikundi cha telegram au tufuatilie kwenye Twitter 🐦 @hacktricks_live.
• Shiriki mbinu za hacking kwa kuwasilisha PRs kwa HackTricks na HackTricks Cloud repos za github.