[Dailydave] The sky's downward trajectory

don bailey don.bailey at gmail.com
Thu Feb 22 14:58:50 EST 2007


So, just out of curiosity I thought it might be interesting to see how
often the average trampoline occurs in a given text segment. I wrote
a little program to scan through a given ELF file looking for specific
patterns:
	call *eax 0xff 0xd0
	jmpl *eax 0xff 0xe0
	call *ebx 0xff 0xd3
	jmpl *ebx 0xff 0xe3
	...
	and so on using all user-land visible general registers 
	excluding segment selectors and eip

The results are somewhat expected:

snow at seahorse $ ./ffrr /usr/lib/libX11.so.6.2.0
mapped 1006380 bytes of "/usr/lib/libX11.so.6.2.0"
found ".text" at sh_offset=14aa0
segment size=602136
found 318 eax
found 3 ebx
found 26 ecx
found 76 edx
found 0 ebp
found 0 esp
found 3 edi
found 7 esi
total=433 call/jmpl trampolines, 0.071911%

So, we have about the same chance of hitting a random address in a 
mapped library as we have of winning a Texas hold'em hand when we
need to fill up on the river and someone else already has a flush.

However, things get more interesting when you have a range of 
addresses with these trampolines more concentrated. As you can
see above, 318 "[call|jmpl] *%eax" is a pretty nice number if
you can find a large concentration in one or two pages. Then,
if you can find a way to target that range through the limitations
of the Windows ASLR implementation, you have great odds of catching
the nuts.

Don Bailey
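A scanner for the same `call *reg` / `jmp *reg` byte pairs, added here as an illustration and not Don's ffrr tool: it walks the ELF section headers to locate .text, counts the FF D0..D7 / FF E0..E7 pairs per register and reports the density, which is also a usable hardening metric for a library. The sample code bytes and the minimal ELF64 image are constructed for the demonstration; the same opcodes decode as `call *rax` and so on in 64-bit code, and the header layout handles both ELF32 and ELF64.

```python
import struct
from collections import Counter

REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]  # ModRM r/m order
# call *reg encodes as FF /2 (ModRM 0xD0+n); jmp *reg as FF /4 (ModRM 0xE0+n).
PATTERNS = {bytes([0xFF, base + n]): (mnem, reg) for n, reg in enumerate(REGS)
            for mnem, base in (("call", 0xD0), ("jmp", 0xE0))}

def count_trampolines(text):
    """Byte-aligned scan: every FF Dx/FF Ex pair counts, even one straddling two
    instructions. Returns (Counter per register, total, percent of .text bytes)."""
    pairs = (text[i:i + 2] for i in range(len(text) - 1))
    per_reg = Counter(PATTERNS[p][1] for p in pairs if p in PATTERNS)
    total = sum(per_reg.values())
    return per_reg, total, (100.0 * total / len(text)) if text else 0.0

def find_text_section(elf):
    """(file offset, size) of .text via the section headers; little-endian ELF32/ELF64.
    Header positions differ by class: e_shoff, then e_shentsize/e_shnum/e_shstrndx."""
    if elf[:4] != b"\x7fELF" or elf[5] != 1:
        raise ValueError("not a little-endian ELF image")
    (ofmt, opos, hpos), shfmt = ((("<I", 0x20, 0x2E), "<IIIIII") if elf[4] == 1
                                 else (("<Q", 0x28, 0x3A), "<IIQQQQ"))
    shoff, = struct.unpack_from(ofmt, elf, opos)
    entsz, num, strndx = struct.unpack_from("<HHH", elf, hpos)
    def shdr(i):  # -> sh_name, sh_offset, sh_size (sh_type, sh_flags, sh_addr skipped)
        name, _, _, _, off, size = struct.unpack_from(shfmt, elf, shoff + i * entsz)
        return name, off, size
    _, stroff, strsz = shdr(strndx)
    strtab = elf[stroff:stroff + strsz]
    for i in range(num):
        name, off, size = shdr(i)
        if strtab[name:strtab.index(b"\0", name)] == b".text":
            return off, size
    raise ValueError(".text section not found")

def scan_elf(elf):
    off, size = find_text_section(elf)
    return count_trampolines(elf[off:off + size])
# Constructed sample: push ebp; mov ebp,esp; call *eax; add esp,-1; loop $-2 (the bytes
# FF E2 straddle the last two instructions: an unintended jmp *edx); jmp *ebx; ret.
SAMPLE_TEXT = b"\x55\x89\xe5\xff\xd0\x83\xc4\xff\xe2\xfe\xff\xe3\xc3"

def build_sample_elf64(text):  # constructed minimal ELF64: header, .shstrtab, .text, 3 shdrs
    shstr, text_off = b"\0.shstrtab\0.text\0", 64 + 17
    ehdr = b"\x7fELF\x02\x01\x01" + bytes(9) + struct.pack(
        "<HHIQQQIHHHHHH", 3, 62, 1, 0, 0, text_off + len(text), 0, 64, 0, 0, 64, 3, 1)
    sh = lambda name, typ, off, size: struct.pack("<IIQQQQIIQQ", name, typ, 0, 0, off, size, 0, 0, 1, 0)
    return ehdr + shstr + text + sh(0, 0, 0, 0) + sh(1, 3, 64, 17) + sh(11, 1, text_off, len(text))
```

To run it against a real library, pass the file contents to `scan_elf(open(path, "rb").read())`; on the constructed sample it reports one hit each for eax, edx and ebx, three in thirteen bytes.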
