Message-ID: <4E60265B.503@gmail.com>
Date: Fri, 02 Sep 2011 02:42:03 +0200
From: Jonathan Brossard <endrazine@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Post Memory Corruption Memory Analysis #Exploit #Automation #BlackhatUS
Dear list,
We are glad to announce the first public release of pmcma (Post Memory
Corruption Memory Analyzer), a tool first presented at Blackhat US
earlier this year. More information at http://www.pmcma.org/ .
--[ Synopsis:
Pmcma aims at automating exploitation of invalid memory writes (be
they the consequences of an overflow in a writable section, of a
missing format string, integer overflow, variable misuse, or any
other type of memory corruption).
This is typically useful in determining if a given bug is a security
vulnerability (if it is exploitable at all, and with which
reliability).
--[ What is it?
Pmcma is a tool aimed at determining if a given software bug
is an exploitable vulnerability by automatically writing an
exploit for it.
Like every powerful tool made by human beings, it is double-edged:
it can be used for good or evil.
--[ How does it work?
In a nutshell, pmcma is a ptrace based debugger, currently working on
GNU/Linux x86 and x86_64 Intel CPUs. The core innovation resides in
the mk_fork() technique. Pmcma typically attaches to a given process,
and waits until a segmentation fault occurs. It then injects a small
shellcode inside this process to force it to fork a great number of
times. In each of the offspring processes created (which are exact
replicates of the original one in terms of mapping as well as state of
its variables), it attempts to overwrite a different memory location
with a canary value (such as 0xf1f2f3f4, which is typically a pointer
to kernel land, and therefore not executable from userland), clears
signals (effectively ignoring the segfault), and continues execution.
If one of those processes happens to segfault again while trying to
execute an address corresponding to the canary value, then we have
found a function pointer.
--[ Is this tool for me?
Pmcma has a wide range of applications, depending on your use
of computer software.
As an advanced user, you may experience software bugs in the form
of crashes you are able to repeat and would like to report those
bugs to software maintainers. Very often, sadly, they will not
take your bug request very seriously until you prove to them that it may
have serious security implications. In this case, attaching a
pmcma output to your bug report may convince them to fix the bug
(or not, if pmcma rules it out as non exploitable ;)
As a system administrator, you may find Proof of Concepts or even
proper exploits disclosed in public places such as security mailing
lists or security websites and wonder if your own systems would be
affected by simple modifications of those public codes (that usually
never work "as is" anywhere but on the computer of their author ;)
As a software developer or maintainer, you may experience segmentation
faults in your software or have them reported to you. Pmcma helps you
determine what is happening at assembly level and determine which
bugs are in fact vulnerabilities and should be fixed first.
As a computer security enthusiast, you may want to learn more about
software exploitation and experiment. Way to go!
As a security expert or software hacker well versed in exploit
writing, you may want to automate reverse engineering as much as
possible to spend your time on what is specific to the particular
exploit you are writing.
As a script kiddie, you may have found a piece of code you don't
understand on the internet, but have nonetheless decided to go to jail.
In all those cases, and surely many others, Pmcma was probably made
for you.
--[ Supported platforms:
Currently, pmcma is known to work on x86 and x86_64 Intel CPUs.
Pmcma currently works on GNU/Linux as well as Android.
It has been tested on several Ubuntu, Debian, Fedora and Gentoo
distributions in both 32b and 64b.
--[ Licensing:
Pmcma is free software. It is licensed under the Apache 2.0 license.
--[ Where do I get it?
The official home page of pmcma is: http://www.pmcma.org/
Thanks and regards,
--
Jonathan Brossard
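The classification rule in the "How does it work?" section (a second fault whose instruction fetch lands on the canary address means the overwritten word was a function pointer; a fault whose data access lands on the canary means it was a data pointer) is the part of the technique a crash-triage engineer most needs to see spelled out. The following is an added example, written for this page and not code from the original post or from pmcma. It keeps the rule in a pure function (`classify_fault`, a name chosen here) so it can be checked without a crash, and its `main` forks two throw-away children that corrupt one field each of a constructed `struct state` and report the verdict through their exit status, which is roughly how a forking analyzer collects results. It assumes glibc on Linux x86/x86_64 (for `REG_RIP`/`REG_EIP` in `<ucontext.h>`); on other architectures the handler cannot read the faulting pc and reports every canary hit as a data access.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE            /* exposes REG_RIP / REG_EIP in <ucontext.h> on glibc */
#endif
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <ucontext.h>
#include <unistd.h>

/* Canary value from the post. On 32-bit x86 it points into kernel space;
 * on x86_64 it is simply an unmapped user address. Either way it is not
 * executable from userland, so touching or jumping to it faults. */
#define CANARY 0xf1f2f3f4UL

enum fault_kind {
    FAULT_UNRELATED = 0,   /* neither pc nor the faulting address is the canary */
    FAULT_DATA_AT_CANARY,  /* a load/store went through a corrupted data pointer */
    FAULT_EXEC_AT_CANARY   /* instruction fetch at the canary: a function pointer */
};

/* The classification rule, kept free of signal machinery so it is testable.
 * pc is the instruction pointer at the fault, addr the address the CPU
 * failed to access (siginfo si_addr). */
enum fault_kind classify_fault(uintptr_t pc, uintptr_t addr, uintptr_t canary)
{
    if (pc == canary)
        return FAULT_EXEC_AT_CANARY;   /* control flow reached the canary */
    if (addr == canary)
        return FAULT_DATA_AT_CANARY;   /* data access through the canary */
    return FAULT_UNRELATED;
}

/* Faulting instruction pointer from the signal context (glibc layout). */
static uintptr_t fault_pc(void *ctx)
{
    ucontext_t *uc = ctx;
#if defined(REG_RIP)
    return (uintptr_t)uc->uc_mcontext.gregs[REG_RIP];
#elif defined(REG_EIP)
    return (uintptr_t)uc->uc_mcontext.gregs[REG_EIP];
#else
    (void)uc;
    return 0;                          /* unknown architecture: no pc available */
#endif
}

/* SIGSEGV handler: classify and hand the verdict to the parent via exit status. */
static void on_segv(int sig, siginfo_t *si, void *ctx)
{
    (void)sig;
    _exit((int)classify_fault(fault_pc(ctx), (uintptr_t)si->si_addr, CANARY));
}

static const char *fault_name(enum fault_kind k)
{
    switch (k) {
    case FAULT_EXEC_AT_CANARY: return "instruction fetch at canary (function pointer)";
    case FAULT_DATA_AT_CANARY: return "data access at canary (data pointer)";
    default:                   return "unrelated fault or no fault";
    }
}

/* Constructed victim state: one data pointer and one function pointer. */
struct state { uint32_t *data; void (*callback)(void); };
static void noop(void) {}

/* One experiment in a child: overwrite the chosen field with the canary,
 * resume, and let the parent read the classification from the exit status. */
static enum fault_kind probe(int corrupt_callback)
{
    pid_t pid = fork();
    if (pid == 0) {
        struct sigaction sa;
        memset(&sa, 0, sizeof sa);
        sa.sa_sigaction = on_segv;
        sa.sa_flags = SA_SIGINFO;
        sigaction(SIGSEGV, &sa, NULL);

        uint32_t slot = 0;
        struct state s = { &slot, noop };
        if (corrupt_callback) s.callback = (void (*)(void))CANARY;
        else                  s.data = (uint32_t *)CANARY;
        *(volatile uint32_t *)s.data = 1;  /* faults only if data was corrupted */
        s.callback();                      /* faults only if callback was corrupted */
        _exit(FAULT_UNRELATED);            /* no fault at all */
    }
    int status = 0;
    waitpid(pid, &status, 0);
    return WIFEXITED(status) ? (enum fault_kind)WEXITSTATUS(status) : FAULT_UNRELATED;
}

int main(void)
{
    printf("corrupt data pointer : %s\n", fault_name(probe(0)));
    printf("corrupt function ptr : %s\n", fault_name(probe(1)));
    return 0;
}
```

Exit status is used as the channel from child to parent because a signal handler may only call async-signal-safe functions; `_exit` is, `printf` is not. A real analyzer would instead observe the child's fault from the tracer with ptrace and read `si_addr` and the registers from there, which is what makes the many-children approach in the post work without any handler inside the target.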