OpenSkillIndex← back to search

Hacktricks-skills slirp-nat-heap-exploitation

Analyze and understand VirtualBox Slirp NAT packet heap exploitation vulnerabilities. Use this skill whenever the user needs to understand Slirp NAT heap corruption, mbuf allocator exploitation, UMA zone hijacking, or similar allocator-based vulnerabilities in network stacks. Also use when analyzing packet buffer overflows, heap grooming techniques, or when creating educational content about VirtualBox security research.

install
source · Clone the upstream repo
git clone https://github.com/abelrguezr/hacktricks-skills
manifest: skills/binary-exploitation/libc-heap/virtualbox-slirp-nat-packet-heap-exploitation/SKILL.MD
source content

Slirp NAT Heap Exploitation Analysis

A skill for understanding and analyzing VirtualBox Slirp NAT packet heap exploitation vulnerabilities, including mbuf allocator corruption, UMA zone hijacking, and heap grooming techniques.

When to Use This Skill

Use this skill when:

  • Analyzing Slirp NAT or similar network stack vulnerabilities
  • Understanding mbuf allocator exploitation patterns
  • Studying UMA zone hijacking techniques
  • Creating educational content about VirtualBox security
  • Analyzing packet buffer overflow vulnerabilities
  • Understanding heap grooming for deterministic exploitation
  • Researching guest-to-host escape vectors

Core Vulnerability Mechanics

1. Packet Allocator Anatomy

VirtualBox uses a custom zone allocator for Slirp packet buffers (mbufs):

struct item {
    uint32_t magic;      // 0xdead0001
    void    *zone;       // uma_zone_t pointer with callbacks
    uint32_t ref_count;
    LIST_ENTRY(item) list; // freelist / used list links
};

Key insight: Each 0x800-byte data chunk has an inline header. When freed, 

slirp_uma_free()
trusts this header and executes 
zone->pfFini()
and 
zone->pfDtor()
callbacks.

2. The m->m_len Override Primitive

At the top of 

ip_input()
:

if (m->m_len != RT_N2H_U16(ip->ip_len))
    m->m_len = RT_N2H_U16(ip->ip_len);

Exploitation vector: Guest can advertise any 

ip_len
up to 0xffff. The assignment happens before IP header verification, destroying all later bounds checks.

3. Infoleak Primitive

Use UDP packets with checksum 

0
(no checksum). The NAT fast-path forwards 
m->m_len
bytes without inspecting payload integrity.

What can be leaked:

  • Next mbuf's inline 
    struct item
    (reveals freelist order, real 
    zone
    pointer)
  • Heap cookies like 
    magic
    fields
  • Zone structure addresses
  • Neighboring chunk metadata

4. Overwrite Primitive via IP Options

Force packets through 

ip_stripoptions()
by:

  1. Supplying long 
    ip_len
    so computed move length extends past current mbuf
  2. Including IP options to trigger the stripping path
  3. memcpy()
    reads from following mbuf and writes over current mbuf's payload and inline header

Result: Can corrupt 

magic
, 
zone
, 
ref_count
, and 
list
pointers.

5. UMA Zone Hijacking

Once adjacent 

struct item
is corruptible:

  1. Build fake 

    uma_zone
    structure inside guest-controlled mbuf:

    • pfFini
      → PLT entry of 
      memcpy()
    • pData
      → destination pointer (GOT entry, vtable slot, function pointer)
    • size
      → bytes to copy
    • pfDtor
      → optional second stage call

  2. Overwrite target mbuf's 

    zone
    field with fake structure pointer

  3. Free the mbuf → 

    slirp_uma_free()
    executes 
    memcpy(dest, src, size)
    with guest-controlled data

6. Heap Grooming for Deterministic Adjacency

Slirp's per-interface zone is 3072 chunks deep, freelist traversed from high addresses downward.

Grooming technique:

  • Flood NAT with 
    IP_MF
    fragments of constant size
  • Recycle specific chunks by sending fragments that time out
  • Freelist walks in LIFO order, enabling predictable placement

7. From Arbitrary Write to Code Execution

With memcpy-on-free primitive:

  1. Copy 
    /bin/sh
    string and command buffer into stable mbuf
  2. Overwrite GOT entry or indirect callsite with 
    system()
    PLT entry
  3. Trigger the overwritten call

Alternative: Plant ROP chain in heap memory, copy address into frequently-invoked callback.

Analysis Workflow

Step 1: Understand the Allocator

# Use the analysis script to understand heap layout
python scripts/analyze_heap_layout.py --zone-size 0x800 --chunk-count 3072

Step 2: Craft Test Packets

# Generate packets for testing the vulnerability
python scripts/craft_slirp_packet.py \
    --ip-len 0x1000 \
    --udp-checksum 0 \
    --ip-options 16 \
    --output packets.pcap

Step 3: Analyze Memory Layout

  1. Identify zone structure addresses from infoleak
  2. Map freelist order from leaked 
    struct item
    data
  3. Calculate offsets for target corruption

Step 4: Build Exploit Chain

  1. Infoleak phase: Send oversized UDP packets, capture leaked heap data
  2. Grooming phase: Allocate predictable mbuf sequences via fragmentation
  3. Corruption phase: Send IP options packet to overwrite target 
    struct item
  4. Hijack phase: Free corrupted mbuf to trigger fake 
    uma_zone
    callbacks
  5. Payload phase: Execute arbitrary write to GOT/function pointer

Key Concepts to Remember

Why This Works

  1. Trust boundary violation: Guest-supplied 
    ip_len
    trusted before validation
  2. Inline metadata: Allocator header lives adjacent to data, overflowable
  3. Callback trust: 
    pfFini
    /
    pfDtor
    called unconditionally on free
  4. Non-PIE binary: Fixed PLT addresses enable direct function targeting

Common Patterns in Similar Vulnerabilities

  • Length field override: Anywhere user-controlled length is used before validation
  • Inline allocator headers: Metadata adjacent to data is overflow target
  • Callback on free: Any allocator that calls user-controlled functions on free
  • Freelist traversal: Predictable allocation order enables grooming

Defense Considerations

  • Validate all length fields before use
  • Separate metadata from data (not inline)
  • Use canaries in allocator headers
  • Enable PIE/ASLR for address randomization
  • Validate zone pointers before callback execution

Test Cases

Test Case 1: Basic Infoleak

Goal: Verify m->m_len override causes infoleak

Steps:

  1. Send UDP packet with 
    ip_len=0x1000
    , checksum=0
  2. Capture response or observe behavior
  3. Verify data beyond actual packet is read

Test Case 2: Header Corruption

Goal: Verify IP options overflow corrupts adjacent chunk

Steps:

  1. Groom heap with fragmentation
  2. Send packet with IP options and oversized 
    ip_len
  3. Free the packet
  4. Observe corruption in adjacent 
    struct item

Test Case 3: Zone Hijacking

Goal: Verify fake uma_zone triggers controlled callback

Steps:

  1. Leak real zone address
  2. Build fake zone with 
    pfFini=memcpy@plt
  3. Corrupt target mbuf's zone pointer
  4. Free mbuf and verify memcpy executes

References

Related Skills

  • Binary exploitation fundamentals
  • Heap exploitation techniques
  • Network stack vulnerability analysis
  • Guest-to-host escape research