shadow exploit does not work
AssoGu opened this issue · comments
hey, the shadow exploits does not work for me..
"leak" running for more then 2 days but it does not leak anything..
i trying to use the exploit on i7 6800k , mds mitigations off , updated microcode and last version of ubuntu.
lscpu:
Architecture: x86_64 CPU op-mode(s): 32-bit, 64-bit Byte Order: Little Endian CPU(s): 12 On-line CPU(s) list: 0-11 Thread(s) per core: 2 Core(s) per socket: 6 Socket(s): 1 NUMA node(s): 1 Vendor ID: GenuineIntel CPU family: 6 Model: 79 Model name: Intel(R) Core(TM) i7-6800K CPU @ 3.40GHz Stepping: 1 CPU MHz: 1200.384 CPU max MHz: 3800.0000 CPU min MHz: 1200.0000 BogoMIPS: 6800.68 Virtualization: VT-x L1d cache: 32K L1i cache: 32K L2 cache: 256K L3 cache: 15360K NUMA node0 CPU(s): 0-11 Flags: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx pdpe1gb rdtscp lm constant_tsc arch_perfmon pebs bts rep_good nopl xtopology nonstop_tsc cpuid aperfmperf pni pclmulqdq dtes64 monitor ds_cpl vmx est tm2 ssse3 sdbg fma cx16 xtpr pdcm pcid dca sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand lahf_lm abm 3dnowprefetch cpuid_fault epb cat_l3 cdp_l3 invpcid_single intel_ppin ssbd ibrs ibpb stibp tpr_shadow vnmi flexpriority ept vpid ept_ad fsgsbase tsc_adjust bmi1 hle avx2 smep bmi2 erms invpcid rtm cqm rdt_a rdseed adx smap intel_pt xsaveopt cqm_llc cqm_occup_llc cqm_mbm_total cqm_mbm_local dtherm ida arat pln pts md_clear flush_l1d
Make sure to set the right logical core IDs, such that they are co-located on the same physical core.
On an i7-6700K (4 core), it works with the following settings:
./passwd 1
taskset -c 5 ./leak
On your system, I would expect it to be something like (you can check the topology in /proc/cpuinfo):
./passwd 1
taskset -c 7 ./leak
I doubled checked that and they are running on the same core.
unfortunately, it is still not working.
there is a chance that i7 6800k is not vulnerable?
thanks!
The i7-6800k is Broadwell-E so pre-Skylake, probably the two-loads optimization doesn't work. Maybe we can make that optional, it won't be as fast but it should still work fine.
hey again, I managed to run your PoC succesfuly .
I had to change in leak.c one of the definition from #define DEFAULT_URL "root:$6" to #define DEFAULT_URL "root:!"
it seems that in my machine the shadow file format are bit different.
thanks!