Dailydave mailing list archives

Exploiting invalid memory writes with Pmcma


From: Jonathan Brossard <endrazine () gmail com>
Date: Fri, 02 Sep 2011 01:52:41 +0200

Dear List, dear Dave,

We are happy to announce the first release of pmcma (Post Memory
Corruption Memory Analyzer), a tool presented at the Blackhat US 2011
conference last August.

Its goal is to help exploit automation of memory corruptions.

Currently, it has one distinctive feature: it can largely automate
exploitation of invalid memory writes (be they atomic, such as in the
case of missing format strings, or overwrites in writable sections, i.e.
any section but the stack).

Unlike other research in exploit automation discussed earlier this year
on this list, pmcma was designed to take into account the presence of
all modern security protections, such as static relocations, non
executable sections, and address space layout randomization.

In a nutshell, pmcma is a ptrace based debugger, currently working on
GNU/Linux x86 and x86_64 Intel CPUs. The core innovation resides in the
mk_fork() technique. Pmcma typically attaches to a given process, and
waits until a segmentation fault occurs. It then injects a small
shellcode inside this process to force it to fork a great number of
times. In each of the offspring processes created (which are exact
replicas of the original one in terms of mapping as well as state of
its variables), it attempts to overwrite a different memory location
with a canary value (such as 0xf1f2f3f4, which is typically a pointer to
kernel land, and therefore not executable from userland), clears signals
(effectively ignoring the segfault), and continues execution. If one of
those processes happens to segfault again while trying to execute an
address corresponding to the canary value, then we have found a function
pointer.

Of course, there is a lot more to it, and a whole 30+ page whitepaper
is available at: http://www.pmcma.org/resources/ . This methodology is
far better than any existing one when looking for function pointers: it
has virtually no false positives as well as no false negatives! And it
is also very resource efficient, thanks to the use of copy on write and
an elaborate handling of zombie processes.

The tool is released as free software (under the terms of the Apache 2.0
license) at: http://www.pmcma.org/ .

We hope to see the tool hacked to implement new features and
exploitation techniques. To encourage this, as well as bug fixing, the
current version of pmcma can be found on github. For the lazy or
impatient ones, precompiled binaries for both 32b and 64b platforms are
available here: http://www.pmcma.org/downloads-2/

Have a great day,

-- 
Jonathan Brossard
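The mk_fork() idea described in the post, shown as an added, self-contained C example (not pmcma's own code): instead of attaching to another process, the program probes its own constructed `struct state`, forking one child per pointer-sized slot so copy-on-write isolates each probe, overwriting that slot with the post's 0xf1f2f3f4 canary, letting execution continue, and treating a child that faults at the canary address as proof the slot held a function pointer. The struct, `run_once`, `probe_offset` and `find_function_pointers` are all assumptions made for this illustration.

```c
#define _GNU_SOURCE
#include <signal.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>
#define CANARY ((uintptr_t)0xf1f2f3f4) /* from the post: not executable from userland */
#define FOUND_EXIT 42
struct state {                  /* constructed sample: data words plus one function pointer */
    long counter; char name[16];
    void (*on_event)(void); long flags;
};
static void noop(void) {}
static void run_once(struct state *s) { s->counter++; s->on_event(); }
/* Child only: faulting AT the canary means control flow reached the overwritten word. */
static void segv_handler(int sig, siginfo_t *info, void *ctx) {
    (void)sig; (void)ctx; _exit((uintptr_t)info->si_addr == CANARY ? FOUND_EXIT : 1);
}
/* Probe one pointer-sized slot in a forked copy (copy-on-write keeps the parent intact).
 * Returns 1 if the child faulted at CANARY, 0 otherwise, -1 if fork failed. */
static int probe_offset(struct state *s, size_t off) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        struct sigaction sa; memset(&sa, 0, sizeof sa);
        sa.sa_sigaction = segv_handler; sa.sa_flags = SA_SIGINFO;
        sigaction(SIGSEGV, &sa, NULL); sigaction(SIGBUS, &sa, NULL);
        uintptr_t v = CANARY;
        memcpy((char *)s + off, &v, sizeof v); /* overwrite this slot only in the child */
        run_once(s);                            /* then let the program run normally */
        _exit(0);                               /* survived: this slot is not a function pointer */
    }
    int status = 0;
    waitpid(pid, &status, 0);
    return WIFEXITED(status) && WEXITSTATUS(status) == FOUND_EXIT;
}
/* Scan every pointer-sized slot of *s; store offsets of function-pointer slots in out[]. */
static size_t find_function_pointers(struct state *s, size_t *out, size_t max) {
    size_t n = 0;
    for (size_t off = 0; off + sizeof(void *) <= sizeof *s; off += sizeof(void *))
        if (probe_offset(s, off) == 1 && n < max) out[n++] = off;
    return n;
}
/* Demo: returns 1 if the scan reports exactly the on_event slot and nothing else. */
int demo_finds_only_callback(void) {
    struct state s = { 0, "sample", noop, 0 };
    size_t offs[8], n = find_function_pointers(&s, offs, 8);
    return n == 1 && offs[0] == offsetof(struct state, on_event);
}
```

Data slots survive the overwrite and exit normally; only the slot whose corruption redirects a call to the canary address produces the distinctive fault, which is why the method has so few false positives.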