# Little program for testing return from interrupt privilege check.
#
# Target:  32-bit x86 (the code below uses ESP, PUSHFD and the int 0x80
#          syscall entry with the argument in EBX), GAS Intel syntax with
#          bare register names.
# Linkage: `main` is entered from the C runtime and `printf` is resolved
#          from libc, so this must be assembled and linked as a 32-bit
#          executable (presumably `gcc -m32`; confirm against the build used).
# Addresses are taken with plain `lea eax, symbol` (absolute), so a
# non-PIE link is assumed -- verify if the toolchain defaults to PIE.
.intel_syntax noprefix
.text
.global main
main:
# int main(void) -- cdecl, 32-bit SysV.
# Experiment: build the five-word IRET frame that an inter-privilege return
# would pop, with the RPL bits of the CS selector cleared (ring 0), and
# execute IRET from ring 3.  Only EAX is used as scratch; no callee-saved
# register is touched.  Control never returns normally (see below).
# Print the CS
mov eax, cs                     # mov r32, sreg: eax = current code-segment selector
push eax                        # printf argument 2: the selector value
lea eax, cs_is                  # absolute address of the format string
push eax                        # printf argument 1: format
call printf                     # printf("cs is %d\n", cs)
add esp, 8                      # cdecl: caller pops both dword arguments
# NOTE(review): esp is 12 mod 16 on entry and 4 mod 16 at this call, so the
# 16-byte alignment the i386 ABI expects at a call is not kept; harmless for
# an integer-only printf in practice, but worth knowing if this is extended.
# Set up the interrupt stack stuff, that iret restores.
# Frame layout as IRET expects it for a return to a different privilege
# level, pushed in reverse pop order: SS, ESP, EFLAGS, CS, EIP.
mov eax, ss
push eax                        # SS
mov eax, esp # ss:esp           # ESP captured *after* the SS push, so a
push eax                        # restored stack would point at the saved SS
pushfd # EFLAGS
mov eax, cs
# Clear the CPL bits in cs (ring 0)
# Bits 1:0 of a selector are its RPL; clearing them turns the current ring-3
# CS selector into a request to return to that code segment at RPL 0.
and eax, 0xFFFFFFFC
push eax                        # CS (RPL forced to 0)
lea eax, rofl
push eax # cs:eip               # EIP = rofl
# The intel manual does not mention a privilege check when returning from
# a ring 3 interrupt handler, so maybe this will actually work?
# nope - generates a segfault on my machine.
# NOTE(review): the SDM's IRET operation pseudocode for protected mode does
# include this check -- a return code-segment selector whose RPL is less
# than the current CPL raises #GP(selector).  The kernel reports that fault
# to the process as SIGSEGV, which is presumably the segfault observed above.
iret
# Not reached: IRET either transfers control to rofl (the pushed EIP) or
# faults; this fall-through return is only a placeholder.
mov eax, 0
ret
rofl:
# Target of the IRET frame (the pushed EIP).  Terminates the process with
# status 3 through the i386 Linux syscall gate: eax = syscall number 1
# (exit), ebx = first argument (status).  Does not return.
mov ebx, 3                      # exit status
mov eax, 1                      # __NR_exit on 32-bit Linux
int 0x80
cs_is: .asciz "cs is %d\n"     # printf format used by main; kept in .text (read-only) after the code
.data
# By name this looks like a 6-byte (limit:base) sgdt/lgdt image, but nothing
# in this file references it -- presumably left over from an earlier version.
gdtr: .byte 0x00, 0x00, 0x00, 0x00, 0x00, 0x00