• azalemeth 22 minutes ago

    Yet again, I wish we all had ECC ram!

    Here's the code: https://github.com/DavidBuchanan314/dram_emfi/blob/main/linu... -- the basic idea is

    > Hardware setup: This time I put the "antenna" wire on DQ25, which will fault 64-bit values to +/-32MiB

    > Exploit strat: We fill up as much of physical memory as possible with page tables.

    > When we fault a PTE read, we have a good chance of landing on a page table, giving us R/W access to a page table from userspace.

    • dan_linder 2 hours ago

      So if we don't have the addition of the antenna wire, is the usual case shielding sufficient, or do we just need larger/intense pulses, more of them, or somewhere in between? I'd like to try this at home, but not if I have to solder a wire on the already small RAM traces.

      • yonatan8070 an hour ago

        If you try it on a desktop system, the RAM is likely going to be in through-hole DIMM slots, so the soldering will be a lot more manageable than in a laptop.

      • sans_souse 4 hours ago

        This is some low level hacking right here

        • CTDOCodebases an hour ago

          I remember kids using these things into Street Fighter II machines to get free credits.

          • ano-ther 3 hours ago

            Impressive! And a music track like that should be standard for all progress bars.

            • backspace_ 4 hours ago

              Do I need a lighter or the Matrix soundtrack to accomplish this hack?