
smaSHeM is a System V shared memory segment manipulator.

Key features

  • Allows dumping of segments in a variety of formats including JPEGs
  • Allows patching of segments

Overview

System V shared memory segments created with shmget() are assigned an owner, a group and a set of permissions intended to limit access to the segment to designated processes only. The owner of a shared memory segment can change the ownership and permissions on a segment after its creation using shmctl(). Any subsequent processes that wish to attach to the segment can only do so if they have the appropriate permissions. Once attached, the process can read or write to the segment, as per the permissions that were set when the segment was created.

smaSHeM takes advantage of applications that set weak permissions on such segments, allowing an attacker to dump or patch their contents. As discussed in my presentation at 44CON 2013 entitled “I miss LSD”, in the case of many X11 applications it is possible to extract pixmaps of previously rendered GUI artifacts. When compiled with QtCore linking enabled, smaSHeM aids in that process by brute-forcing potentially valid dimensions for the raw pixmap dump.
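
The weak-permission condition described above can be audited for and corrected from the owner's side. The following is an added example, not part of smaSHeM or the original page: Linux-specific C that lists segments whose mode grants access to other users, then tightens a constructed 0666 test segment to 0600 with shmctl(IPC_SET). The function names and the test segment are assumptions made for illustration.

```c
#define _GNU_SOURCE   /* exposes the Linux-only SHM_INFO / SHM_STAT commands */
#include <stdio.h>
#include <sys/ipc.h>
#include <sys/shm.h>
#include <sys/stat.h>
#define WORLD_BITS (S_IROTH | S_IWOTH)   /* 0006: any local user may attach */

/* Mode bits of one segment that grant access to "other"; -1 on error. */
int shm_world_bits(int shmid)
{
    struct shmid_ds ds;
    if (shmctl(shmid, IPC_STAT, &ds) == -1) return -1;
    return ds.shm_perm.mode & WORLD_BITS;
}

/* Owner-side fix: keep uid/gid, reduce the mode to 0600 with IPC_SET. */
int shm_harden(int shmid)
{
    struct shmid_ds ds;
    if (shmctl(shmid, IPC_STAT, &ds) == -1) return -1;
    ds.shm_perm.mode = S_IRUSR | S_IWUSR;
    return shmctl(shmid, IPC_SET, &ds);
}

/* Walk the kernel's segment table and report each segment the caller can
 * stat that has world bits set. Returns the number of segments found. */
int audit_world_accessible(void)
{
    struct shm_info info;
    struct shmid_ds ds;
    int found = 0;
    int max = shmctl(0, SHM_INFO, (struct shmid_ds *)&info); /* highest index */
    for (int idx = 0; idx <= max; idx++) {
        int id = shmctl(idx, SHM_STAT, &ds);   /* table index in, shmid out */
        if (id == -1 || !(ds.shm_perm.mode & WORLD_BITS)) continue;
        printf("shmid %d mode %03o\n", id, (unsigned)ds.shm_perm.mode & 0777);
        found++;
    }
    return found;
}

int main(void)
{
    int id = shmget(IPC_PRIVATE, 4096, IPC_CREAT | 0666); /* constructed weak segment */
    if (id == -1) { perror("shmget"); return 1; }
    printf("before: %d world-accessible segment(s)\n", audit_world_accessible());
    shm_harden(id);
    printf("after:  %d world-accessible segment(s)\n", audit_world_accessible());
    shmctl(id, IPC_RMID, NULL);                /* remove the test segment */
    return 0;
}
```

Segments the caller has no read permission on are skipped by SHM_STAT, so running the audit as an unprivileged user shows what that user could actually attach to for reading.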

Installation

$ ./configure [--with-qtcore] && make && make install

Usage

$ smaSHeM -v | -i <shmemid> -l <shmemlength> <-@ <patchoffset> -s <patchstring> | -d [-p | -c | -P | -j -x <xstart> -X <endx> -y <starty> -Y <yend>]>

Examples

Dumping the contents of a System V shared memory segment prettily:

$ smaSHeM -i 94273546 -l 459200 -d -P
0xf32fa000      00 00 00 00 1a 1a 1a 1a ........
0xf32fa008      7d 7d 7d 7d a7 a7 a7 a7 ........
0xf32fa010      af af af af af af af af ........
0xf32fa018      af af af af af af af af ........
0xf32fa020      af af af af af af af af ........
0xf32fa028      af af af af af af af af ........
0xf32fa030      af af af af af af af af ........
0xf32fa038      af af af af af af af af ........
0xf32fa040      af af af af af af af af ........
0xf32fa048      af af af af af af af af ........
0xf32fa050      af af af af af af af af ........
0xf32fa058      af af af af af af af af ........
0xf32fa060      af af af af af af af af ........
0xf32fa068      af af af af af af af af ........
0xf32fa070      af af af af af af af af ........
0xf32fa078      af af af af af af af af ........
...

Patching a segment:

$ smaSHeM -i 41779331 -l 2640 -@ 0 -s `perl -e 'print "A"x1024'`

Dumping the contents of a segment as a set of JPEGs with dimensions 0-300×30 (requires QtCore):

$ smaSHeM -i 41779331 -l 2640 -d -J -x 0 -X 300 -y 30 -Y 30

Download

smaSHeM-0.4.tar.gz (November 12, 2013, 210.0 KiB)
MD5 hash: 2e30e4edd2faf5946b6c0e1a244fd0ba
