├── README.md ├── LICENSE └── meltdown.c /README.md: -------------------------------------------------------------------------------- 1 | # Meltdown 2 | Meltdown PoC for reading passwords from Google Chrome. 3 | 4 | FOR EDUCATIONAL AND INFORMATIONAL PURPOSES ONLY. 5 | 6 | I am not responsible for any loss or damages from the use of this in any way. 7 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2018 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /meltdown.c: -------------------------------------------------------------------------------- 1 | /* --------------------------------------------------------------------- 2 | * 3 | * DISCLAIMER 4 | * 5 | * --------------------------------------------------------------------- 6 | * 7 | * Author takes no responsibility for any actions with provided 8 | * informations or codes. 9 | * 10 | * --------------------------------------------------------------------- 11 | * 12 | * Speculative optimizations execute code in a non-secure manner leaving 13 | * data traces in microarchitecture such as cache. 14 | * 15 | * Refer to the paper by Lipp et. al 2017 for details: 16 | * https://meltdownattack.com/meltdown.pdf. 17 | * 18 | * --------------------------------------------------------------------- 19 | * 20 | * Exploited by BuddasLittleFinger 21 | * 22 | * Tested on: 23 | * 24 | * Ubuntu 16.04 25 | * CentOS 7.2 26 | * 27 | * Kudos for: 28 | * Vasyan, Mews, Laurent Pootie(cat) and all the mates i know, peace. 29 | * Special kudos for Zhabka for testing this shit. 30 | * 31 | */ 32 | 33 | 34 | #define _GNU_SOURCE 35 | #define _XOPEN_SOURCE 36 | 37 | #include 38 | #include 39 | #include 40 | #include 41 | #include 42 | #include 43 | #include 44 | 45 | #include 46 | 47 | // #define DEBUG 1 48 | 49 | /* comment out if getting illegal insctructions error */ 50 | 51 | #ifndef HAVE_RDTSCP 52 | #define HAVE_RDTSCP 1 53 | #endif 54 | 55 | 56 | #define TARGET_OFFSET 9 57 | #define TARGET_SIZE (1 << TARGET_OFFSET) 58 | #define BITS_BY_READ 2 59 | 60 | 61 | static char target_array[BITS_BY_READ * TARGET_SIZE]; 62 | 63 | 64 | void clflush_target(void) 65 | { 66 | int i; 67 | 68 | for (i = 0; i < BITS_BY_READ; i++) 69 | _mm_clflush(&target_array[i * TARGET_SIZE]); 70 | } 71 | 72 | 73 | const char * array[] = { 74 | "We're no strangers to code", 75 | "You know the rules and so do I", 76 | "A full commit's what I'm thinking of", 77 | "You wouldn't get this from any other script", 78 | "", 79 | "I just wanna tell you what I am coding", 80 | "Gotta make you understand", 81 | "", 82 | "Never gonna scare you up", 83 | "Never gonna melt you down", 84 | "Never gonna bug around and hack you", 85 | "Never make you wanna cry", 86 | "Never gonna say deny", 87 | "Never gonna let a pipeline hurt you", 88 | "", 89 | "We've known each other for so long", 90 | "Your memory's been hiding and you're too shy to dump it", 91 | "Inside we both know what's been going on", 92 | "We know the game and we're gonna play it", 93 | "", 94 | "And if you ask me what's my spectre", 95 | "Don't tell me you have branch prediction", 96 | "", 97 | "Never gonna scare you up", 98 | "Never gonna melt you down", 99 | "Never gonna bug around and hack you", 100 | "Never make you wanna cry", 101 | "Never gonna say deny", 102 | "Never gonna let a pipeline hurt you", 103 | "Never gonna scare you up", 104 | "Never gonna melt you down", 105 | "Never gonna bug around and hack you", 106 | "Never make you wanna cry", 107 | "Never gonna say deny", 108 | "Never gonna let a pipeline hurt you", 109 | "", 110 | "Never gonna scare, never gonna scare", 111 | "(Scare you up)", 112 | "(Ooh) Never gonna melt, never gonna melt", 113 | "(Melt you down)", 114 | "", 115 | "We've known each other for so long", 116 | "Your memory's been hiding and you're too shy to dump it", 117 | "Inside we both know what's been going on", 118 | "We know the game and we're gonna play it", 119 | "", 120 | "I just wanna tell you what I am coding", 121 | "Gotta make you understand", 122 | "", 123 | "Never gonna scare you up", 124 | "Never gonna melt you down", 125 | "Never gonna bug around and hack you", 126 | "Never make you wanna cry", 127 | "Never gonna say deny", 128 | "Never gonna let a pipeline hurt you", 129 | "Never gonna scare you up", 130 | "Never gonna melt you down", 131 | "Never gonna bug around and hack you", 132 | "Never make you wanna cry", 133 | "Never gonna say deny", 134 | "Never gonna let a pipeline hurt you", 135 | "Never gonna scare you up", 136 | "Never gonna melt you down", 137 | "Never gonna bug around and hack you", 138 | "Never make you wanna cry", 139 | }; 140 | 141 | #define n_array (sizeof (array) / sizeof (const char *)) 142 | 143 | int main(int argc, char *argv[]) 144 | { 145 | int i; 146 | 147 | for (i = 0; i < n_array; i++) { 148 | printf ("%s\n", array[i]); 149 | fflush(stdout); 150 | usleep(100000); 151 | } 152 | return 0; 153 | } 154 | --------------------------------------------------------------------------------