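# copycode_leakage.gdbcommands -- GDB driver for the copycode leakage experiment.
#
# Steps, in order:
#   1. dlopen() ./copycode.so into the inferior and load its symbols so that
#      copycode() can be called from GDB.
#   2. Overwrite a 21-byte window inside guest_func_fread (hard-coded offset
#      108) with `clflush [rip+0x32]` followed by NOP padding.
#   3. Call copycode() with the patched guest_func_fread as source and, as
#      destination, guest_func_ftrain's address with bit 32 flipped.
#      (Argument order appears to be (dst, src, len) from how the result is
#      used below; the meaning of 1000 -- presumably a byte count -- must be
#      confirmed against copycode.so.)
#   4. Rewrite one entry of the wasm indirect function table so the next
#      indirect call to fread lands in the copy.
#
# Nothing below is verified by GDB itself. Before reusing this script against
# a rebuilt wasm module, re-derive the offset 108, the displacement 0x32 and
# the table slot offset (1 << 4) + 0x8 -- all three are tied to one specific
# build of the guest code. GDB writes through ptrace, so the patch succeeds
# even though the text page is not writable from inside the inferior.
#
# Patch layout written at $flushaddr (Intel syntax):
#   clflush byte ptr [rip + 0x32]     0f ae 3d 32 00 00 00         (7 bytes)
#   nop word ptr [rax + rax*1 + 0]    66 0f 1f 84 00 00 00 00 00   (9 bytes)
#   nop dword ptr [rax + rax*1 + 0]   0f 1f 44 00 00               (5 bytes)
# The displacement is relative to the end of the clflush, so the flushed
# line is $flushaddr + 7 + 0x32. Because the displacement is RIP-relative,
# the copy made in step 3 flushes a line inside the copy itself (offset
# 108 + 7 + 0x32 = 165 from its start), not the line in the original
# guest_func_fread -- presumably intended; confirm.

# --- 1. load the helper library ---------------------------------------------
# dlopen(path, 2): 2 is RTLD_NOW on glibc.
set $soaddr = (void*) dlopen("./copycode.so", 2)
if $soaddr == 0
    # add-symbol-file at address 0 would silently mis-resolve copycode();
    # make the failure loud instead of letting the call below crash the target.
    print "!!!!!!! dlopen of ./copycode.so failed in the inferior !!!!!!!"
end
add-symbol-file "./copycode.so" $soaddr

# --- 2. locate the patch site -----------------------------------------------
set $freadaddr  = (char*) &'guest_func_fread'
set $ftrainaddr = (char*) &'guest_func_ftrain'
# Offset of the noopfunc call inside guest_func_fread. Hard-coded for one
# specific build of the guest; nothing here checks that the bytes at this
# offset are really the call being replaced.
set $flushoff  = 108
set $flushaddr = $freadaddr + $flushoff
# Log what is about to be overwritten so a wrong offset is visible afterwards.
x/21xb $flushaddr

# --- 3. write clflush [rip+0x32] + 14 bytes of NOP padding -------------------
# clflush opcode + ModRM (RIP-relative form)
set {unsigned char}($flushaddr + 0)  = 0x0f
set {unsigned char}($flushaddr + 1)  = 0xae
set {unsigned char}($flushaddr + 2)  = 0x3d
# disp32 = 0x32, little-endian
set {unsigned char}($flushaddr + 3)  = 0x32
set {unsigned char}($flushaddr + 4)  = 0x00
set {unsigned char}($flushaddr + 5)  = 0x00
set {unsigned char}($flushaddr + 6)  = 0x00
# 9-byte NOP
set {unsigned char}($flushaddr + 7)  = 0x66
set {unsigned char}($flushaddr + 8)  = 0x0f
set {unsigned char}($flushaddr + 9)  = 0x1f
set {unsigned char}($flushaddr + 10) = 0x84
set {unsigned char}($flushaddr + 11) = 0x00
set {unsigned char}($flushaddr + 12) = 0x00
set {unsigned char}($flushaddr + 13) = 0x00
set {unsigned char}($flushaddr + 14) = 0x00
set {unsigned char}($flushaddr + 15) = 0x00
# 5-byte NOP
set {unsigned char}($flushaddr + 16) = 0x0f
set {unsigned char}($flushaddr + 17) = 0x1f
set {unsigned char}($flushaddr + 18) = 0x44
set {unsigned char}($flushaddr + 19) = 0x00
set {unsigned char}($flushaddr + 20) = 0x00
# Show the patched window next to the original dump above.
x/21xb $flushaddr

# --- 4. copy the patched function to the aliased address ---------------------
# Destination = guest_func_ftrain's address with bit 32 flipped, i.e. the copy
# shares the low 32 address bits with ftrain. Presumably chosen for address
# aliasing in the experiment; whether that range is mapped is copycode()'s
# concern -- confirm in copycode.so.
set $targetaddr = (void*)((uint64_t)$ftrainaddr ^ ((uint64_t)1 << (uint64_t)32))
set $ret = (int) copycode($targetaddr, $freadaddr, 1000)

# --- 5. redirect the wasm indirect-call table entry to the copy --------------
# Only redirect on success: the original script patched the table even when
# copycode() failed, sending the next indirect call to unverified memory.
if $ret != 0
    print "!!!!!!! Error performing copycode !!!!!!!"
else
    set $functable = (char*) &'guest_table_0'
    # Slot offset (1 << 4) + 0x8. Looks like 16-byte entries, slot 1, code
    # pointer in the second 8 bytes -- verify against the runtime's table
    # layout before reusing this for another function.
    set $functablerow = (char**)($functable + (1 << 4) + 0x8)
    print *($functablerow) = $targetaddr
end
# Run until the current frame returns, whether or not the copy succeeded
# (unchanged from the original flow; on failure the error line above is the
# only signal).
finish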