[Dailydave] The sky's downward trajectory

ol at uncon.org ol at uncon.org
Fri Feb 23 02:19:16 EST 2007


The other thing to consider is those trampolines which have naturally (?)
occurring NOP sleds in front of them.

Cheers

Ollie
----- Original Message ----- 
From: "don bailey" <don.bailey at gmail.com>
To: <dailydave at lists.immunitysec.com>
Sent: Thursday, February 22, 2007 7:58 PM
Subject: Re: [Dailydave] The sky's downward trajectory


> So, just out of curiosity I thought it might be interesting to see how
> often the average trampoline occurs in a given text segment. I wrote
> a little program to scan through a given ELF file looking for specific
> patterns:
> call *eax 0xff 0xd0
> jmpl *eax 0xff 0xe0
> call *ebx 0xff 0xd3
> jmpl *ebx 0xff 0xe3
> ...
> and so on using all user-land visible general registers
> excluding segment selectors and eip
>
> The results are somewhat expected:
>
> snow at seahorse $ ./ffrr /usr/lib/libX11.so.6.2.0
> mapped 1006380 bytes of "/usr/lib/libX11.so.6.2.0"
> found ".text" at sh_offset=14aa0
> segment size=602136
> found 318 eax
> found 3 ebx
> found 26 ecx
> found 76 edx
> found 0 ebp
> found 0 esp
> found 3 edi
> found 7 esi
> total=433 call/jmpl trampolines, 0.071911%
>
> So, we have about the same chance of hitting a random address in a
> mapped library as we have of winning a Texas hold'em hand when we
> need to fill up on the river and someone else already has a flush.
>
> However, things get more interesting when you have a range of
> addresses with these trampolines more concentrated. As you can
> see above, 318 "[call|jmpl] *%eax" is a pretty nice number if
> you can find a large concentration in one or two pages. Then,
> if you can find a way to target that range through the limitations
> of the Windows ASLR implementation, you have great odds of catching
> the nuts.
>
> Don Bailey
>
>
> _______________________________________________
> Dailydave mailing list
> Dailydave at lists.immunitysec.com
> http://lists.immunitysec.com/mailman/listinfo/dailydave
>
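The census Don describes (and the NOP-run observation Ollie adds) can be reproduced with the following scanner. This is an added example, not Don's ffrr program or any code from the thread: it walks the ELF section header table to find .text, counts every two-byte `call *reg` / `jmp *reg` encoding (FF /2 and FF /4 with mod=11, i.e. FF D0..D7 and FF E0..E7), reports the density as a percentage the way the quoted output does, and also records the longest run of 0x90 bytes sitting directly in front of any hit. The `build_test_elf` helper and `SAMPLE_TEXT` are constructed inputs so the block runs offline; pass a real ELF path on the command line to measure a library.

```python
"""Count two-byte register-indirect call/jmp trampolines in an ELF .text section.

Added example (not the ffrr program from the quoted post): a pure-Python
re-implementation of the census it describes, plus the preceding-NOP-run
measurement from the reply.  Useful as a defender's metric for how much a
given binary's layout depends on ASLR entropy to stay unpredictable.
"""
import struct
import sys
from collections import Counter

# ModRM reg-field order on x86: FF /2 = call r/m32, FF /4 = jmp r/m32.
# With mod=11 the second byte is 0xD0+reg for call and 0xE0+reg for jmp.
REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
PATTERNS = {}
for i, reg in enumerate(REGS):
    PATTERNS[bytes([0xFF, 0xD0 + i])] = ("call", reg)
    PATTERNS[bytes([0xFF, 0xE0 + i])] = ("jmp", reg)


def find_text_section(data: bytes):
    """Return (sh_offset, sh_size) of .text from the section header table.

    Handles little-endian ELF32 and ELF64; raises ValueError otherwise.
    """
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[5] != 1:  # EI_DATA must be ELFDATA2LSB
        raise ValueError("only little-endian ELF is handled here")
    if data[4] == 2:  # EI_CLASS == ELFCLASS64
        hdr = struct.unpack_from("<16sHHIQQQIHHHHHH", data, 0)
        sh_fmt = "<IIQQQQIIQQ"
    else:
        hdr = struct.unpack_from("<16sHHIIIIIHHHHHH", data, 0)
        sh_fmt = "<IIIIIIIIII"
    shoff, shentsize, shnum, shstrndx = hdr[6], hdr[11], hdr[12], hdr[13]
    headers = [struct.unpack_from(sh_fmt, data, shoff + i * shentsize)
               for i in range(shnum)]
    strtab_off = headers[shstrndx][4]  # sh_offset of the section-name table
    for sh in headers:
        name_off = strtab_off + sh[0]
        name = data[name_off:data.index(b"\0", name_off)]
        if name == b".text":
            return sh[4], sh[5]  # sh_offset, sh_size
    raise ValueError(".text section not found")


def scan_trampolines(data: bytes) -> dict:
    """Count trampoline byte pairs in .text at every byte offset.

    x86 has no alignment requirement, so a pair found inside another
    instruction's operand bytes is still reachable as a trampoline.
    """
    off, size = find_text_section(data)
    text = data[off:off + size]
    per_reg = Counter()
    max_sled = 0
    for pattern, (_, reg) in PATTERNS.items():
        pos = text.find(pattern)
        while pos != -1:
            per_reg[reg] += 1
            j = pos  # measure the run of 0x90 bytes immediately before the hit
            while j > 0 and text[j - 1] == 0x90:
                j -= 1
            max_sled = max(max_sled, pos - j)
            pos = text.find(pattern, pos + 1)
    total = sum(per_reg.values())
    return {"segment_size": size, "per_reg": dict(per_reg), "total": total,
            "density_pct": 100.0 * total / size if size else 0.0,
            "max_nop_sled": max_sled}


def build_test_elf(text: bytes) -> bytes:
    """Construct a minimal ELF64 holding only .text and .shstrtab (test input)."""
    shstrtab = b"\0.text\0.shstrtab\0"  # ".text" at 1, ".shstrtab" at 7
    text_off = 64
    strtab_off = text_off + len(text)
    shoff = strtab_off + len(shstrtab)
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)
    ehdr = struct.pack("<16sHHIQQQIHHHHHH", ident, 3, 62, 1, 0, 0, shoff, 0,
                       64, 0, 0, 64, 3, 2)

    def shdr(name, typ, offset, size):
        return struct.pack("<IIQQQQIIQQ", name, typ, 0, 0, offset, size, 0, 0, 1, 0)

    shdrs = (shdr(0, 0, 0, 0) + shdr(1, 1, text_off, len(text))
             + shdr(7, 3, strtab_off, len(shstrtab)))
    return ehdr + text + shstrtab + shdrs


# Constructed .text bytes: two eax trampolines (one behind a 4-byte NOP run)
# and one ebx trampoline, with a few filler instructions around them.
SAMPLE_TEXT = (b"\x55\x89\xe5"          # push ebp; mov ebp, esp
               b"\xff\xd0"              # call *eax
               b"\x90\x90\x90\x90"      # nop x4
               b"\xff\xe0"              # jmp *eax
               b"\xff\xd3"              # call *ebx
               b"\x31\xc0\xc3")         # xor eax, eax; ret


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_test_elf(SAMPLE_TEXT)
    r = scan_trampolines(blob)
    print(f"segment size={r['segment_size']}")
    for reg in REGS:
        print(f"found {r['per_reg'].get(reg, 0)} {reg}")
    print(f"total={r['total']} call/jmp trampolines, {r['density_pct']:.6f}%")
    print(f"longest 0x90 run before a hit: {r['max_nop_sled']} bytes")
```

Run without arguments it scans the constructed sample; run with a path it prints the same per-register table as the quoted output for that file. The counter deliberately does not disassemble, matching the byte-pattern approach in the post: the percentage measures how many addresses in the segment happen to decode as a trampoline, which is the figure that matters when weighing how much a guessed address is worth.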


