Dailydave mailing list archives
Exploiting invalid memory writes with Pmcma
From: Jonathan Brossard <endrazine () gmail com>
Date: Fri, 02 Sep 2011 01:52:41 +0200
Dear List, dear Dave,

We are happy to announce the first release of pmcma (Post Memory Corruption Memory Analyzer), a tool presented at the Blackhat US 2011 conference last August. Its goal is to help exploit automation of memory corruptions. Currently, it has one distinctive feature: it can largely automate exploitation of invalid memory writes (be they atomic, such as in the case of missing format strings, or overwrites in writable sections, in any section but the stack). Unlike other research in exploit automation discussed earlier this year on this list, pmcma was designed to take into account the presence of all modern security protections, such as static relocations, non-executable sections, and address space layout randomization.

In a nutshell, pmcma is a ptrace-based debugger, currently working on GNU/Linux x86 and x86_64 Intel CPUs. The core innovation resides in the mk_fork() technique. Pmcma typically attaches to a given process and waits until a segmentation fault occurs. It then injects a small shellcode inside this process to force it to fork a great number of times. In each of the offspring processes created (which are exact replicates of the original one in terms of mapping as well as state of its variables), it attempts to overwrite a different memory location with a canary value (such as 0xf1f2f3f4, which is typically a pointer to kernel land, and therefore not executable from userland), clears signals (effectively ignoring the segfault), and continues execution. If one of those processes happens to segfault again while trying to execute an address corresponding to the canary value, then we have found a function pointer.

Of course, there is a lot more to it, and a whole 30+ page whitepaper is available at: http://www.pmcma.org/resources/ . This methodology is far better than any existing one when looking for function pointers: it has virtually no false positives as well as no false negatives! And it is also very resource efficient, thanks to the use of copy on write and an elaborate handling of zombie processes.

The tool is released as free software (under the terms of the Apache 2.0 license) at: http://www.pmcma.org/ . We hope to see the tool hacked to implement new features and exploitation techniques. To encourage this, as well as bug fixing, the current version of pmcma can be found on github. For the lazy or impatient ones, precompiled binaries for both 32b and 64b platforms are available here: http://www.pmcma.org/downloads-2/

Have a great day,

-- Jonathan Brossard
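The post's detection criterion is a crash whose instruction fetch lands on the canary address, as opposed to a crash that merely reads or writes it. The following crash-triage harness is an added example, not code from the post or from pmcma. It forks a child (copy on write, as in the post), installs a SIGSEGV handler with SA_SIGINFO, and classifies the fault by comparing the faulting address (si_addr) with the saved program counter from the ucontext: equal means the child tried to execute at the sentinel, which is the signature of a corrupted code pointer; a data access to the sentinel gives a different class. The sentinel 0xf1f2f3f4 is the value named in the post; the scenario names, fault classes and the program-counter helper are this example's own, and the helper assumes Linux on x86_64, i386 or aarch64.

```c
/* Crash triage: tell "executed at sentinel" apart from "accessed sentinel".
 * Added example; not part of the pmcma announcement or of the pmcma code base. */
#define _GNU_SOURCE
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <ucontext.h>
#include <unistd.h>

/* Sentinel value from the post: not mapped in this process, so any
 * instruction fetch or data access there must fault. */
#define SENTINEL 0xf1f2f3f4UL

/* Classification reported by the child via its exit status. */
enum fault_kind {
    FAULT_NONE = 0,             /* child finished without faulting */
    FAULT_EXEC_AT_SENTINEL = 1, /* pc == fault address == SENTINEL: code pointer */
    FAULT_DATA_AT_SENTINEL = 2, /* fault address == SENTINEL but pc elsewhere */
    FAULT_OTHER = 3             /* some unrelated fault or signal */
};

/* Scenarios the child can run (constructed for this example). */
typedef enum { SCENARIO_EXEC, SCENARIO_READ, SCENARIO_CLEAN } scenario_t;

/* Saved program counter at the time of the fault (assumption: Linux/glibc
 * register layout on the three architectures below). */
static unsigned long program_counter(void *ctx) {
    ucontext_t *uc = (ucontext_t *)ctx;
#if defined(__x86_64__)
# ifndef REG_RIP
#  define REG_RIP 16 /* glibc index of RIP in gregs[] */
# endif
    return (unsigned long)uc->uc_mcontext.gregs[REG_RIP];
#elif defined(__i386__)
# ifndef REG_EIP
#  define REG_EIP 14 /* glibc index of EIP in gregs[] */
# endif
    return (unsigned long)uc->uc_mcontext.gregs[REG_EIP];
#elif defined(__aarch64__)
    return (unsigned long)uc->uc_mcontext.pc;
#else
    (void)uc;
    return 0; /* unknown architecture: pc unavailable */
#endif
}

/* Runs in the faulting child: classify and report through the exit code. */
static void on_fault(int sig, siginfo_t *si, void *ctx) {
    unsigned long fault_addr = (unsigned long)si->si_addr;
    unsigned long pc = program_counter(ctx);
    int kind = FAULT_OTHER;
    (void)sig;
    if (fault_addr == SENTINEL && pc == SENTINEL)
        kind = FAULT_EXEC_AT_SENTINEL;
    else if (fault_addr == SENTINEL)
        kind = FAULT_DATA_AT_SENTINEL;
    _exit(kind);
}

/* The child's behaviour; volatile keeps the compiler from folding the call. */
static void child_body(scenario_t s) {
    volatile unsigned long addr = SENTINEL;
    if (s == SCENARIO_EXEC) {
        void (*fp)(void) = (void (*)(void))addr;
        fp(); /* indirect call through a "corrupted" code pointer */
    } else if (s == SCENARIO_READ) {
        volatile unsigned long *p = (volatile unsigned long *)addr;
        (void)*p; /* plain data read of the same address */
    }
    _exit(FAULT_NONE);
}

/* Fork a copy-on-write child, run one scenario, return its fault_kind. */
int run_scenario(scenario_t s) {
    int status = 0;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        struct sigaction sa;
        memset(&sa, 0, sizeof sa);
        sa.sa_sigaction = on_fault;
        sa.sa_flags = SA_SIGINFO;
        sigaction(SIGSEGV, &sa, NULL);
        sigaction(SIGBUS, &sa, NULL);
        child_body(s);
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    if (WIFEXITED(status))
        return WEXITSTATUS(status);
    return FAULT_OTHER; /* killed by a signal the handler did not catch */
}

int main(void) {
    printf("exec at sentinel : %d\n", run_scenario(SCENARIO_EXEC));
    printf("read at sentinel : %d\n", run_scenario(SCENARIO_READ));
    printf("clean run        : %d\n", run_scenario(SCENARIO_CLEAN));
    return 0;
}
```

In a triage pipeline the interesting class is FAULT_EXEC_AT_SENTINEL: it is the only one that proves control flow reached the poisoned value, which is why a crash of that shape deserves a higher severity rating than an ordinary invalid read.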