Dear list,

We are glad to announce the first public release of pmcma (Post Memory Corruption Memory Analyzer), a tool first presented at Blackhat US earlier this year. More information at http://www.pmcma.org/ .

--[ Synopsis:

Pmcma aims at automating exploitation of invalid memory writes (whether they are the consequence of an overflow in a writable section, of a missing format string, of an integer overflow, of variable misuse, or of any other type of memory corruption). This is typically useful in determining if a given bug is a security vulnerability (if it is exploitable at all, and with which reliability).

--[ What is it ?

Pmcma is a tool aimed at determining if a given software bug is an exploitable vulnerability by automatically writing an exploit for it. Like every powerful tool made by human beings, it is double edged: it can be used for good or evil.

--[ How does it work ?

In a nutshell, pmcma is a ptrace based debugger, currently working on GNU/Linux x86 and x86_64 Intel CPUs. The core innovation resides in the mk_fork() technique. Pmcma typically attaches to a given process and waits until a segmentation fault occurs. It then injects a small shellcode inside this process to force it to fork a great number of times. In each of the offspring processes created (which are exact replicas of the original one in terms of mappings as well as the state of its variables), it attempts to overwrite a different memory location with a canary value (such as 0xf1f2f3f4, which is typically a pointer to kernel land, and therefore not executable from userland), clears signals (effectively ignoring the segfault), and continues execution. If one of those processes happens to segfault again while trying to execute an address corresponding to the canary value, then we have found a function pointer.

--[ Is this tool for me ?

Pmcma has a wide range of applications, depending on your use of computer software.

As an advanced user, you may experience software bugs in the form of crashes you are able to repeat, and would like to report those bugs to software maintainers. Very often, sadly, they will not take your bug report very seriously until you prove to them that it may have serious security implications. In this case, attaching a pmcma output to your bug report may convince them to fix the bug (or not, if pmcma rules it out as non exploitable ;)

As a system administrator, you may find Proof of Concepts or even proper exploits disclosed in public places such as security mailing lists or security websites, and wonder if your own systems would be affected by simple modifications of those public codes (that usually never work "as is" anywhere but on the computer of their author ;)

As a software developer or maintainer, you may experience, or be sent reports of, segmentation faults in your software. Pmcma helps you determine what is happening at assembly level, and which bugs are in fact vulnerabilities and should be fixed first.

As a computer security enthusiast, you may want to learn more about software exploitation and experiment. Way to go !

As a security expert or software hacker well versed in exploit writing, you may want to automate reverse engineering as much as possible, to spend your time on what is specific to the particular exploit you are writing.

As a script kiddie, you may have found a piece of code you don't understand on the internet, but have nonetheless decided to go to jail.

In all those cases, and surely many others, Pmcma was probably made for you.

--[ Supported platforms:

Currently, pmcma is known to work on x86 and x86_64 Intel CPUs. Pmcma currently works on GNU/Linux as well as Android. It has been tested on several Ubuntu, Debian, Fedora and Gentoo distributions, in both 32-bit and 64-bit.

--[ Licensing:

Pmcma is free software. It is licensed under the Apache 2.0 license.

--[ Where do I get it ?

The official home page of pmcma is: http://www.pmcma.org/

Thanks and regards,

-- Jonathan Brossard
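The mk_fork() canary search described under "How does it work ?" can be illustrated without a debugger. The C program below is an added example written for this post, not pmcma's own code: instead of attaching to a crashed target with ptrace and injecting a fork shellcode, it forks itself once per pointer-sized word of a small constructed struct, overwrites that word with the 0xf1f2f3f4 canary in the child's copy-on-write copy, resumes, and classifies the child's fault. A child whose faulting address and instruction pointer are both the canary tried to execute it, so that word holds a function pointer; a child whose faulting address is the canary but whose instruction pointer is elsewhere dereferenced it as data. The struct, its fields and the `resume()` routine are constructed stand-ins for a crashed process's state. It assumes Linux on x86 or x86_64 with glibc's `ucontext` register names (REG_RIP / REG_EIP); this is the crash-triage view a developer would use to decide which of several segfaults to fix first.

```c
#define _GNU_SOURCE
#include <signal.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <ucontext.h>
#include <unistd.h>

/* Canary from the announcement: a kernel-land address on 32-bit x86, an unmapped
 * user-space address on x86_64; in both cases it can neither be read nor executed. */
#define CANARY ((uintptr_t)0xf1f2f3f4UL)

/* Child exit codes that report how the resumed child ended. */
enum { EXIT_PLAIN = 0, EXIT_OTHER_CRASH = 1, EXIT_FUNC_PTR = 42, EXIT_DATA_PTR = 43 };

enum word_kind { WORD_PLAIN, WORD_DATA_PTR, WORD_FUNC_PTR, WORD_OTHER_CRASH };

/* Constructed stand-in for a crashed process's state: plain words, one function
 * pointer and one data pointer. The search does not know which word is which. */
typedef void (*handler_fn)(void);
static void on_event_noop(void) {}

struct state {
    uintptr_t   counter;
    handler_fn  on_event;   /* should be classified WORD_FUNC_PTR */
    const char *label;      /* should be classified WORD_DATA_PTR */
    uintptr_t   flags;
};

/* Stand-in for "continue execution": the process keeps using its state. */
static void resume(struct state *s) {
    s->counter++;
    if (s->on_event)
        s->on_event();
    if (s->label && s->label[0])
        s->flags |= 1;
}

/* Installed in each child. Distinguishes "tried to execute the canary" (fault
 * address and PC both equal the canary) from "dereferenced the canary as data". */
static void fault_handler(int sig, siginfo_t *si, void *ctx) {
    ucontext_t *uc = (ucontext_t *)ctx;
    (void)sig;
#if defined(__x86_64__)
    uintptr_t pc = (uintptr_t)uc->uc_mcontext.gregs[REG_RIP];
#elif defined(__i386__)
    uintptr_t pc = (uintptr_t)uc->uc_mcontext.gregs[REG_EIP];
#else
    uintptr_t pc = 0;   /* other architectures: cannot tell execute faults from data faults */
#endif
    if ((uintptr_t)si->si_addr != CANARY)
        _exit(EXIT_OTHER_CRASH);
    _exit(pc == CANARY ? EXIT_FUNC_PTR : EXIT_DATA_PTR);
}

/* For each pointer-sized word of the region, fork, overwrite that word with the
 * canary in the child (copy-on-write leaves the parent's copy intact), resume and
 * record the child's verdict in kinds[word]. Returns the number of words classified. */
int classify_words(struct state *region, size_t len, enum word_kind *kinds, size_t max_words) {
    size_t nwords = len / sizeof(uintptr_t);
    if (nwords > max_words)
        nwords = max_words;
    for (size_t w = 0; w < nwords; w++) {
        pid_t pid = fork();
        if (pid < 0)
            return -1;
        if (pid == 0) {
            struct sigaction sa;
            memset(&sa, 0, sizeof sa);
            sa.sa_sigaction = fault_handler;
            sa.sa_flags = SA_SIGINFO;
            sigaction(SIGSEGV, &sa, NULL);
            sigaction(SIGBUS, &sa, NULL);
            uintptr_t canary = CANARY;
            memcpy((char *)region + w * sizeof(uintptr_t), &canary, sizeof canary);
            resume(region);
            _exit(EXIT_PLAIN);   /* ran to completion: nothing dereferenced this word */
        }
        int status = 0;
        if (waitpid(pid, &status, 0) < 0)
            return -1;
        if (!WIFEXITED(status))
            kinds[w] = WORD_OTHER_CRASH;
        else if (WEXITSTATUS(status) == EXIT_FUNC_PTR)
            kinds[w] = WORD_FUNC_PTR;
        else if (WEXITSTATUS(status) == EXIT_DATA_PTR)
            kinds[w] = WORD_DATA_PTR;
        else if (WEXITSTATUS(status) == EXIT_PLAIN)
            kinds[w] = WORD_PLAIN;
        else
            kinds[w] = WORD_OTHER_CRASH;
    }
    return (int)nwords;
}

int main(void) {
    static const char *names[] = { "plain", "data pointer", "function pointer", "other crash" };
    struct state s = { 0, on_event_noop, "svc", 0 };
    enum word_kind kinds[8];
    int n = classify_words(&s, sizeof s, kinds, 8);
    for (int w = 0; w < n; w++)
        printf("word %d (offset %zu): %s\n", w, w * sizeof(uintptr_t), names[kinds[w]]);
    return n > 0 ? 0 : 1;
}
```

Two properties of the real technique carry over: each child only sees one corrupted word, so a false positive in one candidate cannot poison the next, and a word that the resumed code never dereferences yields no verdict at all, which is why pmcma runs the search over a large number of children rather than inspecting memory statically.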