CVE-2018-8897
What does it mean?
"We cannot predict which half of XMM15 will get hit due to the mask we apply to comply with the movaps alignment requirement, so first two pointers should simply point at a [RETN] instruction"
I didn’t understand this paragraph.
Another question:

```c
NON_PAGED_CODE void KernelShellcode() {
    __writedr( 7, 0 );
    uint64_t Cr4Old = __readgsqword( Offset_Pcr__Prcb + Offset_Prcb__Cr4 );
    __writecr4( Cr4Old & ~( 1 << 20 ) ); // <------------------------ disable cpu smep again?
    __swapgs();
    ......
}
```

You have disabled CPU SMEP, so why disable SMEP again in KernelShellcode? In addition, the operating system automatically restores SMEP every time a thread switch occurs (KiSwapContext). At this point, when your thread starts executing the remaining instructions, an exception will be thrown.
> "We cannot predict which half of XMM15 will get hit due to the mask we apply to comply with the movaps alignment requirement, so first two pointers should simply point at a [RETN] instruction"

Refer to https://github.com/can1357/CVE-2018-8897/blob/master/Main.cpp#L289. We need a write-what-where, but it needs to be aligned to 16 bytes due to the "movaps" instruction. So we pad the actual ROP gadgets with RETN.

> You have disabled cpu smep

We wrote a "working" CR4 in https://github.com/can1357/CVE-2018-8897/blob/master/Main.cpp#L343, which doesn't necessarily need to be equal to the actual CR4 the system uses, so we restore the original.
Thanks. Unfortunately, it can only be run on a real machine. Is there any other way to test it on a virtual machine?