Meltdown - Lettura dei dati di memoria del processo

1

Ho provato questo PoC:

link

Che funziona per sys_call_table.

Sono stato in grado di leggere l'indirizzo syscall sys_read.

Volevo testarlo con un programma di esempio per leggere il valore della memoria, ma in questo caso non funziona. Qualche idea a qualcuno? Mostra valori come 00 e funziona molto più lentamente.

./pass 
Password : secret
addr 0x7ffc9098b780


./poc 7ffc9098b780
cutoff: 96
0x7ffc9098b780 | 00 00 00 00 00 00 00 00 00   1.006466362648e-25 00

pass.c

#include <stdio.h>

int main(void) {

   char buf[7];

   printf("Password : ");
   fgets(buf, 7, stdin);
   sscanf(buf, "%s", buf);
   printf("addr %p\n",buf);
   while(1)
   {
   }
   printf("Password : %s\n",buf);
   return 0;
}

Grazie,

Aggiornamento 1:

Trovato questo programma che ottiene l'indirizzo fisico da quello virtuale da userspace:

link

Output:

./pagemap2 18135
=== Maps for pid 18135
0x400000           : pfn 0                soft-dirty 1 file/shared 1 swapped 0 present 1 library /home/user/spectre-meltdown-poc/pass
0x600000           : pfn 0                soft-dirty 1 file/shared 0 swapped 0 present 1 library /home/user/spectre-meltdown-poc/pass
0x601000           : pfn 0                soft-dirty 1 file/shared 0 swapped 0 present 1 library /home/user/spectre-meltdown-poc/pass
0x206a000          : pfn 0                soft-dirty 1 file/shared 0 swapped 0 present 1 library [heap]
0x206b000          : pfn 0                soft-dirty 1 file/shared 0 swapped 0 present 0 library [heap]
0x206c000          : pfn 0                soft-dirty 1 file/shared 0 swapped 0 present 0 library [heap]
0x206d000          : pfn 0                soft-dirty 1 file/shared 0 swapped 0 present 0 library [heap]
0x206e000          : pfn 0                soft-dirty 1 file/shared 0 swapped 0 present 0 library [heap]
0x206f000          : pfn 0                soft-dirty 1 file/shared 0 swapped 0 present 0 library [heap]
0x2070000          : pfn 0                soft-dirty 1 file/shared 0 swapped 0 present 0 library [heap]
0x2071000          : pfn 0                soft-dirty 1 file/shared 0 swapped 0 present 0 library [heap]
0x2072000          : pfn 0                soft-dirty 1 file/shared 0 swapped 0 present 0 library [heap]
0x2073000          : pfn 0                soft-dirty 1 file/shared 0 swapped 0 present 0 library [heap]
0x2074000          : pfn 0                soft-dirty 1 file/shared 0 swapped 0 present 0 library [heap]
0x2075000          : pfn 0                soft-dirty 1 file/shared 0 swapped 0 present 0 library [heap]
0x2076000          : pfn 0                soft-dirty 1 file/shared 0 swapped 0 present 0 library [heap]
0x2077000          : pfn 0                soft-dirty 1 file/shared 0 swapped 0 present 0 library [heap]
0x2078000          : pfn 0                soft-dirty 1 file/shared 0 swapped 0 present 0 library [heap]
0x2079000          : pfn 0                soft-dirty 1 file/shared 0 swapped 0 present 0 library [heap]
0x207a000          : pfn 0                soft-dirty 1 file/shared 0 swapped 0 present 0 library [heap]
0x207b000          : pfn 0                soft-dirty 1 file/shared 0 swapped 0 present 0 library [heap]
0x207c000          : pfn 0                soft-dirty 1 file/shared 0 swapped 0 present 0 library [heap]
0x207d000          : pfn 0                soft-dirty 1 file/shared 0 swapped 0 present 0 library [heap]
0x207e000          : pfn 0                soft-dirty 1 file/shared 0 swapped 0 present 0 library [heap]
0x207f000          : pfn 0                soft-dirty 1 file/shared 0 swapped 0 present 0 library [heap]
0x2080000          : pfn 0                soft-dirty 1 file/shared 0 swapped 0 present 0 library [heap]
0x2081000          : pfn 0                soft-dirty 1 file/shared 0 swapped 0 present 0 library [heap]
0x2082000          : pfn 0                soft-dirty 1 file/shared 0 swapped 0 present 0 library [heap]
0x2083000          : pfn 0                soft-dirty 1 file/shared 0 swapped 0 present 0 library [heap]
0x2084000          : pfn 0                soft-dirty 1 file/shared 0 swapped 0 present 0 library [heap]
0x2085000          : pfn 0                soft-dirty 1 file/shared 0 swapped 0 present 0 library [heap]
0x2086000          : pfn 0                soft-dirty 1 file/shared 0 swapped 0 present 0 library [heap]
0x2087000          : pfn 0                soft-dirty 1 file/shared 0 swapped 0 present 0 library [heap]
0x2088000          : pfn 0                soft-dirty 1 file/shared 0 swapped 0 present 0 library [heap]
0x2089000          : pfn 0                soft-dirty 1 file/shared 0 swapped 0 present 0 library [heap]
0x208a000          : pfn 0                soft-dirty 1 file/shared 0 swapped 0 present 0 library [heap]
0x7f27b2365000     : pfn 0                soft-dirty 1 file/shared 1 swapped 0 present 1 library /lib/x86_64-linux-gnu/ld-2.23.so
0x7f27b253d000     : pfn 0                soft-dirty 1 file/shared 0 swapped 0 present 1 library 
0x7f27b253e000     : pfn 0                soft-dirty 1 file/shared 0 swapped 0 present 1 library 
0x7f27b253f000     : pfn 0                soft-dirty 1 file/shared 0 swapped 0 present 1 library 
0x7f27b2563000     : pfn 0                soft-dirty 1 file/shared 0 swapped 0 present 1 library 
0x7f27b2564000     : pfn 0                soft-dirty 1 file/shared 0 swapped 0 present 1 library 
0x7f27b2565000     : pfn 0                soft-dirty 1 file/shared 0 swapped 0 present 1 library /lib/x86_64-linux-gnu/ld-2.23.so
0x7f27b2566000     : pfn 0                soft-dirty 1 file/shared 0 swapped 0 present 1 library /lib/x86_64-linux-gnu/ld-2.23.so
0x7f27b2567000     : pfn 0                soft-dirty 1 file/shared 0 swapped 0 present 1 library 
0x7ffe2498c000     : pfn 0                soft-dirty 0 file/shared 0 swapped 0 present 0 library [stack]
0x7ffe2498d000     : pfn 0                soft-dirty 0 file/shared 0 swapped 0 present 0 library [stack]
0x7ffe2498e000     : pfn 0                soft-dirty 0 file/shared 0 swapped 0 present 0 library [stack]
0x7ffe2498f000     : pfn 0                soft-dirty 0 file/shared 0 swapped 0 present 0 library [stack]
0x7ffe24990000     : pfn 0                soft-dirty 0 file/shared 0 swapped 0 present 0 library [stack]
0x7ffe24991000     : pfn 0                soft-dirty 0 file/shared 0 swapped 0 present 0 library [stack]
0x7ffe24992000     : pfn 0                soft-dirty 0 file/shared 0 swapped 0 present 0 library [stack]
0x7ffe24993000     : pfn 0                soft-dirty 0 file/shared 0 swapped 0 present 0 library [stack]
0x7ffe24994000     : pfn 0                soft-dirty 0 file/shared 0 swapped 0 present 0 library [stack]
0x7ffe24995000     : pfn 0                soft-dirty 0 file/shared 0 swapped 0 present 0 library [stack]
0x7ffe24996000     : pfn 0                soft-dirty 0 file/shared 0 swapped 0 present 0 library [stack]
0x7ffe24997000     : pfn 0                soft-dirty 0 file/shared 0 swapped 0 present 0 library [stack]
0x7ffe24998000     : pfn 0                soft-dirty 0 file/shared 0 swapped 0 present 0 library [stack]
0x7ffe24999000     : pfn 0                soft-dirty 0 file/shared 0 swapped 0 present 0 library [stack]
0x7ffe2499a000     : pfn 0                soft-dirty 0 file/shared 0 swapped 0 present 0 library [stack]
0x7ffe2499b000     : pfn 0                soft-dirty 0 file/shared 0 swapped 0 present 0 library [stack]
0x7ffe2499c000     : pfn 0                soft-dirty 0 file/shared 0 swapped 0 present 0 library [stack]
0x7ffe2499d000     : pfn 0                soft-dirty 0 file/shared 0 swapped 0 present 0 library [stack]
0x7ffe2499e000     : pfn 0                soft-dirty 0 file/shared 0 swapped 0 present 0 library [stack]
0x7ffe2499f000     : pfn 0                soft-dirty 0 file/shared 0 swapped 0 present 0 library [stack]
0x7ffe249a0000     : pfn 0                soft-dirty 0 file/shared 0 swapped 0 present 0 library [stack]
0x7ffe249a1000     : pfn 0                soft-dirty 0 file/shared 0 swapped 0 present 0 library [stack]
0x7ffe249a2000     : pfn 0                soft-dirty 0 file/shared 0 swapped 0 present 0 library [stack]
0x7ffe249a3000     : pfn 0                soft-dirty 0 file/shared 0 swapped 0 present 0 library [stack]
0x7ffe249a4000     : pfn 0                soft-dirty 0 file/shared 0 swapped 0 present 0 library [stack]
0x7ffe249a5000     : pfn 0                soft-dirty 0 file/shared 0 swapped 0 present 0 library [stack]
0x7ffe249a6000     : pfn 0                soft-dirty 0 file/shared 0 swapped 0 present 0 library [stack]
0x7ffe249a7000     : pfn 0                soft-dirty 0 file/shared 0 swapped 0 present 0 library [stack]
0x7ffe249a8000     : pfn 0                soft-dirty 0 file/shared 0 swapped 0 present 0 library [stack]
0x7ffe249a9000     : pfn 0                soft-dirty 1 file/shared 0 swapped 0 present 1 library [stack]
0x7ffe249aa000     : pfn 0                soft-dirty 1 file/shared 0 swapped 0 present 1 library [stack]
0x7ffe249ab000     : pfn 0                soft-dirty 0 file/shared 0 swapped 0 present 0 library [stack]
0x7ffe249ac000     : pfn 0                soft-dirty 1 file/shared 0 swapped 0 present 1 library [stack]
0x7ffe249ca000     : pfn 0                soft-dirty 1 file/shared 0 swapped 0 present 0 library [vvar]
0x7ffe249cb000     : pfn 0                soft-dirty 1 file/shared 0 swapped 0 present 0 library [vvar]
0x7ffe249cc000     : pfn 0                soft-dirty 1 file/shared 1 swapped 0 present 1 library [vdso]
0x7ffe249cd000     : pfn 0                soft-dirty 1 file/shared 0 swapped 0 present 0 library [vdso]

Dove sarà la mia stringa "segreta" situata nello stack? Quale indirizzo fisico dovrei provare?

Grazie,

    
posta android_dev 09.01.2018 - 10:33
fonte

1 risposta

3

Su Linux, la metà del kernel dello spazio degli indirizzi (tutti gli indirizzi sopra 0x8000000000000000) è costante tra le applicazioni. Se utilizzi grep per trovare l'indirizzo della tabella delle chiamate di sistema, quell'indirizzo sarà ancora valido quando poc cercherà il suo contenuto.

La metà utente dello spazio degli indirizzi, d'altra parte, è unica per ogni processo. Se punti poc a 0x7ffc9098b780, stai chiedendo di ottenere il contenuto di poc di 0x7ffc9098b780, non pass di 0x7ffc9098b780.

Se vuoi usare Meltdown per leggere il contenuto della memoria di pass , sarà molto più complicato del proof-of-concept del giocattolo che hai trovato. Dovrai capire quale indirizzo di memoria fisica corrisponde all'indirizzo virtuale pass 0x7ffc9098b780 , cercare la mappatura del kernel dello spazio degli indirizzi fisico, quindi leggere la parte appropriata della memoria fisica.

    
risposta data 09.01.2018 - 10:49
fonte

Leggi altre domande sui tag