From 0dbc223aab7f3eb601fb60e57f2abd65f73b7865 Mon Sep 17 00:00:00 2001 From: _xeroxz Date: Tue, 23 Feb 2021 21:44:09 +0000 Subject: [PATCH] Update README.md --- README.md | 26 +++++++++++++++++++++++++- 1 file changed, 25 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index f93cd15..a0c38b9 100644 --- a/README.md +++ b/README.md @@ -35,7 +35,7 @@ ret However, when the syscall instruction is executed, the address of the next instruction (the one after the syscall instruction) is placed into RCX. In order to preserve RIP, it should be placed onto the stack before any addresses of gadgets are placed onto the stack. -```asm +```nasm lea rax, finish push rax ``` 
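Review bot: the fence tag change from `asm` to `nasm` in this hunk is a good consistency fix, since the new blocks added in the SMAP section below also use `nasm`; worth grepping the rest of README.md for any remaining ```asm fences so highlighting is uniform across the document. The surrounding prose is accurate: SYSCALL does load the address of the following instruction into RCX, so pushing `finish` before the gadget addresses is the right place to preserve the return point.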
@@ -44,6 +44,30 @@ changing IA32_LSTAR to a ROP chain as described above will work just fine on CPU ### SMAP - Supervisor Mode Access Prevention +SMAP or Supervisor Mode Access Prevention is a CPU protection which prevents accessing data controlled by a higher CPL. In other words, if SMAP is set in CR4, a logical +processor executing kernel code cannot access usermode controlled pages (user supervisor). + +This is an issue with ROP as RSP after a syscall contains a usermode address. Interfacing with this usermode stack in any way will cause a fault. However, you can essentially disable SMAP from usermode. There is a bit in the RFLAGS register which can be set to nullify SMAP. The instruction to set this bit is called `STAC` (Set AC Flag in EFLAGS Register). However this instruction is privilaged and will throw a #UD. However as @drew pointed out, you can `POPFQ` an RFLAGS value with that bit set and the CPU will not throw any exceptions. I assumed that since `STAC` cannot be used in usermode, that `POPFQ` would also throw an exception, however this is not the case... Again thank you @drew, without this key information the project would have been a complete mess as there are no useable `mov cr4, [non rax registers] ; ret` gadgets which exist across windows versions. + +```nasm +pushfq ; thank you drew :) +pop rax ; this will set the AC flag in RFLAGS which "disables SMAP"... +or rax, 040000h ; +push rax ; +popfq ; +``` + +RFLAGS is restored after the syscall instruction. The original RFLAGS value is pushed onto the stack prior to all of the gadgets and other values. + +```nasm +syscall ; LSTAR points at a pop rcx gadget... + ; it will put m_smep_off into rcx... +finish: +popfq ; restore EFLAGS... +pop r10 ; restore r10... +ret +``` + # Lisence TL;DR: if you use this project, rehost it, put it on github, include `_xeroxz` in your release.
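Review bot: the comment `pop rax ; this will set the AC flag in RFLAGS which "disables SMAP"...` is attached to the wrong instruction; `pop rax` only moves the saved RFLAGS into RAX, and it is the `or rax, 040000h` plus `popfq` that set the flag. Suggest moving the comment to the `or` line and spelling out what the constant is, e.g. `or rax, 040000h ; set RFLAGS.AC (bit 18)`, so a reader does not have to decode 0x40000 themselves. In the prose, "disable SMAP from usermode" overstates what happens: setting AC from CPL 3 is architecturally permitted by POPFQ (which is why no exception is raised, unlike `STAC`/`CLAC`, which are CPL 0 only), but SMAP is only suppressed while CPL < 3 and AC = 1, and only for explicit data accesses, so the sentence should say the flag is set in usermode and takes effect once the chain is running in the kernel. The parenthetical "(user supervisor)" is unclear; "pages whose User/Supervisor bit is set" reads better. Since SYSCALL saves RFLAGS into R11 and clears whatever bits IA32_FMASK selects, the section should also state explicitly that the trick depends on the kernel's FMASK leaving AC untouched, as that is the assumption that makes the user stack usable by the gadgets at all. Spelling: "privilaged" should be "privileged" and "useable" should be "usable"; while here, the unchanged `# Lisence` heading in the trailing context is also misspelled ("License").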