mvanotti/infoleak.cc

## infoleak.cc
#include <assert.h>
#include <limits.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

uint64_t g_addr;

int g_last_code = INT_MIN;
uint64_t g_last_err = UINT64_MAX;

const char *si_code2str(int si_code) {
  switch (si_code) {
  case SEGV_MAPERR:
    return "SEGV_MAPERR";
  case SEGV_ACCERR:
    return "SEGV_ACCERR";
  case SEGV_BNDERR:
    return "SEGV_BNDERR";
  case SEGV_PKUERR:
    return "SEGV_PKUERR";
  default:
    __builtin_trap();
  }
}

void handler(int sig, siginfo_t *info, void *ucontext) {
  ucontext_t *uc = (ucontext_t *)ucontext;

  g_addr += 0x1000;
  uc->uc_mcontext.gregs[REG_RAX] = g_addr;

  uint64_t reg_err = uc->uc_mcontext.gregs[REG_ERR];
  int code = info->si_code;

  if (reg_err != g_last_err || code != g_last_code) {
    g_last_code = code;
    g_last_err = reg_err;
    /* Do something useful with siginfo_t */
    fprintf(stderr,
            "[!] signal %d, fault @ %p, "
            "errno: 0x%x, code: %s, reg_err: 0x%016lx\n",
            sig, info->si_addr, info->si_errno, si_code2str(code), reg_err);
  }
}

void read_access(uint64_t addr) {
  g_addr = addr;
  __asm__ volatile("movq %0, %%rax\n"
                   "movq (%%rax), %%rdi\n" ::"r"(addr)
                   : "rax", "rdi");
}

void write_access(uint64_t addr) {
  g_addr = addr;
  __asm__ volatile("movq %0, %%rax\n"
                   "movq %%rdi, (%%rax)\n" ::"r"(addr)
                   : "rax", "rdi");
}

int main(int argc, char **argv) {
  struct sigaction sa;

  if (argc != 2) {
    fprintf(stderr, "usage: %s addr-in-hex\n", argv[0]);
    exit(EXIT_FAILURE);
  }
  uint64_t addr = (uint64_t)strtoull(argv[1], NULL, 16);

  sa.sa_sigaction = handler;
  sigemptyset(&sa.sa_mask);
  sa.sa_flags = SA_RESTART | SA_SIGINFO;

  sigaction(SIGSEGV, &sa, NULL);

  write_access(addr);
  fprintf(stderr, "[#] done, found addr: 0x%016lx\n", g_addr);

  return 0;
}
	#include <assert.h>
	#include <limits.h>
	#include <signal.h>
	#include <stdint.h>
	#include <stdio.h>
	#include <stdlib.h>
	#include <unistd.h>

	uint64_t g_addr;

	int g_last_code = INT_MIN;
	uint64_t g_last_err = UINT64_MAX;

	const char *si_code2str(int si_code) {
	switch (si_code) {
	case SEGV_MAPERR:
	return "SEGV_MAPERR";
	case SEGV_ACCERR:
	return "SEGV_ACCERR";
	case SEGV_BNDERR:
	return "SEGV_BNDERR";
	case SEGV_PKUERR:
	return "SEGV_PKUERR";
	default:
	__builtin_trap();
	}
	}

	void handler(int sig, siginfo_t info, void ucontext) {
	ucontext_t uc = (ucontext_t )ucontext;

	g_addr += 0x1000;
	uc->uc_mcontext.gregs[REG_RAX] = g_addr;

	uint64_t reg_err = uc->uc_mcontext.gregs[REG_ERR];
	int code = info->si_code;

	if (reg_err != g_last_err \|\| code != g_last_code) {
	g_last_code = code;
	g_last_err = reg_err;
	/* Do something useful with siginfo_t */
	fprintf(stderr,
	"[!] signal %d, fault @ %p, "
	"errno: 0x%x, code: %s, reg_err: 0x%016lx\n",
	sig, info->si_addr, info->si_errno, si_code2str(code), reg_err);
	}
	}

	void read_access(uint64_t addr) {
	g_addr = addr;
	__asm__ volatile("movq %0, %%rax\n"
	"movq (%%rax), %%rdi\n" ::"r"(addr)
	: "rax", "rdi");
	}

	void write_access(uint64_t addr) {
	g_addr = addr;
	__asm__ volatile("movq %0, %%rax\n"
	"movq %%rdi, (%%rax)\n" ::"r"(addr)
	: "rax", "rdi");
	}

	int main(int argc, char **argv) {
	struct sigaction sa;

	if (argc != 2) {
	fprintf(stderr, "usage: %s addr-in-hex\n", argv[0]);
	exit(EXIT_FAILURE);
	}
	uint64_t addr = (uint64_t)strtoull(argv[1], NULL, 16);

	sa.sa_sigaction = handler;
	sigemptyset(&sa.sa_mask);
	sa.sa_flags = SA_RESTART \| SA_SIGINFO;

	sigaction(SIGSEGV, &sa, NULL);

	write_access(addr);
	fprintf(stderr, "[#] done, found addr: 0x%016lx\n", g_addr);

	return 0;
	}