What does it mean? #8
Open
Waterman178 opened this issue Oct 26, 2019 · 2 comments

@Waterman178

> "We cannot predict which half of XMM15 will get hit due to the mask we apply to comply with the movaps alignment requirement, so first two pointers should simply point at a [RETN] instruction"

I didn't understand this paragraph.

Another question:
```cpp
NON_PAGED_CODE void KernelShellcode()
{
    __writedr( 7, 0 );

    uint64_t Cr4Old = __readgsqword( Offset_Pcr__Prcb + Offset_Prcb__Cr4 );
    __writecr4( Cr4Old & ~( 1 << 20 ) ); // bit 20 of CR4 is SMEP  <-- disable CPU SMEP again?

    __swapgs();
    ......

}
```

You have already disabled CPU SMEP, so why disable SMEP again in KernelShellcode?
In addition, the operating system automatically restores SMEP every time a thread switch occurs (KiSwapContext). At this point, when your thread starts executing the remaining instructions, an exception will be thrown.

@can1357 (Owner) commented Oct 27, 2019

> "We cannot predict which half of XMM15 will get hit due to the mask we apply to comply with the movaps alignment requirement, so first two pointers should simply point at a [RETN] instruction"

Refer to https://github.com/can1357/CVE-2018-8897/blob/master/Main.cpp#L289. We need a write-what-where, but it needs to be aligned to 16 bytes due to the "movaps" instruction. So we pad the actual ROP gadgets with RETN.

> You have disabled cpu smep

We wrote a "working" CR4 in https://github.com/can1357/CVE-2018-8897/blob/master/Main.cpp#L343, which doesn't necessarily need to be equal to the actual CR4 the system uses, so we restore the original.

@Waterman178 (Author)

> > "We cannot predict which half of XMM15 will get hit due to the mask we apply to comply with the movaps alignment requirement, so first two pointers should simply point at a [RETN] instruction"
>
> Refer to https://github.com/can1357/CVE-2018-8897/blob/master/Main.cpp#L289. We need a write-what-where, but it needs to be aligned to 16 bytes due to the "movaps" instruction. So we pad the actual ROP gadgets with RETN.
>
> > You have disabled cpu smep
>
> We wrote a "working" CR4 in https://github.com/can1357/CVE-2018-8897/blob/master/Main.cpp#L343, which doesn't necessarily need to be equal to the actual CR4 the system uses, so we restore the original.

Thanks. Unfortunately, it can only be run on a real machine. Is there any other way to test it on a virtual machine?
