Dailydave mailing list archives

Re: The sky's downward trajectory


From: <ol () uncon org>
Date: Fri, 23 Feb 2007 07:19:16 -0000

The other thing to consider is those trampolines which have naturally (?)
occurring NOP sleds in front of them.

Cheers

Ollie
----- Original Message ----- 
From: "don bailey" <don.bailey () gmail com>
To: <dailydave () lists immunitysec com>
Sent: Thursday, February 22, 2007 7:58 PM
Subject: Re: [Dailydave] The sky's downward trajectory


So, just out of curiosity I thought it might be interesting to see how
often the average trampoline occurs in a given text segment. I wrote
a little program to scan through a given ELF file looking for specific
patterns:
call *eax 0xff 0xd0
jmpl *eax 0xff 0xe0
call *ebx 0xff 0xd3
jmpl *ebx 0xff 0xe3
...
and so on using all user-land visible general registers
excluding segment selectors and eip

The results are somewhat expected:

snow@seahorse $ ./ffrr /usr/lib/libX11.so.6.2.0
mapped 1006380 bytes of "/usr/lib/libX11.so.6.2.0"
found ".text" at sh_offset=14aa0
segment size=602136
found 318 eax
found 3 ebx
found 26 ecx
found 76 edx
found 0 ebp
found 0 esp
found 3 edi
found 7 esi
total=433 call/jmpl trampolines, 0.071911%

So, we have about the same chance of hitting a random address in a
mapped library as we have of winning a Texas hold 'em hand when we
need to fill up on the river and someone else already has a flush.

However, things get more interesting when you have a range of
addresses with these trampolines more concentrated. As you can
see above, 318 "[call|jmpl] *%eax" is a pretty nice number if
you can find a large concentration in one or two pages. Then,
if you can find a way to target that range through the limitations
of the Windows ASLR implementation, you have great odds of catching
the nuts.

Don Bailey


_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
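The scan Don describes (look for the FF D0 / FF E0 ... byte pairs in a text segment), extended to the two follow-up points in the thread: how concentrated the hits are per page, and whether a run of NOPs sits directly in front of one. This is an added example, not the ffrr tool from the post, and it makes its own assumptions: it takes a raw .text image rather than parsing ELF headers (extract one with `objcopy -O binary --only-section=.text lib.so text.bin`), it counts only the eight base registers the post lists (REX-prefixed r8-r15 forms are ignored), it treats "page" as 4 KiB relative to the start of the section, and "NOP sled" means literal 0x90 bytes. The sample bytes in `scan_sample` are constructed for the test, not taken from any library.

```c
/* Added example, not the ffrr tool from the post: scan a raw x86 .text image
 * for "call *reg" / "jmp *reg" byte pairs, find the 4 KiB page holding the
 * most of them, and track the longest 0x90 NOP run sitting directly in front
 * of one. Feed it the section alone, e.g.
 *   objcopy -O binary --only-section=.text /usr/lib/libX11.so.6 text.bin */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PAGE_SIZE 4096
static const char *const REG_NAMES[8] =            /* ModRM rm-field order */
    { "eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi" };

struct tramp_stats {
    size_t by_reg[8], total;             /* call+jmp hits through each register */
    size_t densest_page, densest_count;  /* page index within the scanned range */
    size_t longest_sled;                 /* longest 0x90 run right before a hit */
};

/* Opcode FF with ModRM mod == 11 (register direct): reg field 2 = call r/m,
 * 4 = jmp r/m, rm field = the register. Hence call *eax = FF D0, jmp *eax =
 * FF E0, call *ebx = FF D3, exactly the pairs listed in the post. Returns the
 * register index 0..7, or -1 for other FF forms (FF 10 = call [eax], FF C8 =
 * dec eax) that share the opcode byte but are not trampolines. */
int tramp_reg(uint8_t modrm)
{
    int op = (modrm >> 3) & 7;
    if ((modrm & 0xC0) != 0xC0 || (op != 2 && op != 4)) return -1;
    return modrm & 7;
}

/* Byte-pair scan of [code, code+len). Like ffrr it does not disassemble: a
 * pair that sits inside a longer instruction (an immediate or displacement)
 * counts too, which is right for an attacker, who can land mid-instruction.
 * Per-page hit counts and the NOP run length are tracked in the same pass. */
struct tramp_stats scan_trampolines(const uint8_t *code, size_t len)
{
    struct tramp_stats st = {{0}};
    size_t cur_page = 0, cur_count = 0, nop_run = 0;
    for (size_t i = 0; i + 1 < len; i++) {
        if (i / PAGE_SIZE != cur_page) {               /* crossed a page boundary */
            if (cur_count > st.densest_count) {
                st.densest_count = cur_count;
                st.densest_page = cur_page;
            }
            cur_page = i / PAGE_SIZE;
            cur_count = 0;
        }
        int r = code[i] == 0xFF ? tramp_reg(code[i + 1]) : -1;
        if (r >= 0) {
            st.by_reg[r]++;
            st.total++;
            cur_count++;
            if (nop_run > st.longest_sled) st.longest_sled = nop_run;
        }
        nop_run = code[i] == 0x90 ? nop_run + 1 : 0;   /* NOPs ending at byte i */
    }
    if (cur_count > st.densest_count) {                /* flush the last page */
        st.densest_count = cur_count;
        st.densest_page = cur_page;
    }
    return st;
}

/* Constructed sample, not bytes from any real library: two pages of NOPs
 * carrying call *ebx on page 0, call *eax and jmp *eax on page 1, plus the
 * decoys call [eax] (FF 10) and dec eax (FF C8), which must not count. */
struct tramp_stats scan_sample(void)
{
    static uint8_t buf[2 * PAGE_SIZE];
    memset(buf, 0x90, sizeof buf);
    buf[10] = 0xFF; buf[11] = 0xD3;       /* call *ebx, 10 NOPs before it */
    buf[20] = 0xFF; buf[21] = 0x10;       /* call [eax]: decoy */
    buf[30] = 0xFF; buf[31] = 0xC8;       /* dec eax: decoy */
    buf[4096] = 0xFF; buf[4097] = 0xD0;   /* call *eax, 4064 NOPs before it */
    buf[4200] = 0xFF; buf[4201] = 0xE0;   /* jmp *eax */
    return scan_trampolines(buf, sizeof buf);
}

int main(int argc, char **argv)
{
    if (argc != 2) { fprintf(stderr, "usage: %s <raw .text image>\n", argv[0]); return 2; }
    FILE *f = fopen(argv[1], "rb");
    if (!f || fseek(f, 0, SEEK_END) != 0) { perror(argv[1]); return 1; }
    long n = ftell(f);
    uint8_t *code = n > 0 ? malloc((size_t)n) : NULL;
    rewind(f);
    if (!code || fread(code, 1, (size_t)n, f) != (size_t)n) { perror("read"); return 1; }
    fclose(f);
    struct tramp_stats st = scan_trampolines(code, (size_t)n);
    printf("scanned %ld bytes of \"%s\"\n", n, argv[1]);
    for (int r = 0; r < 8; r++) printf("found %zu %s\n", st.by_reg[r], REG_NAMES[r]);
    printf("total=%zu call/jmp trampolines, %f%%\n", st.total, 100.0 * st.total / n);
    printf("densest page=#%zu with %zu hits; longest NOP run before a hit=%zu\n",
           st.densest_page, st.densest_count, st.longest_sled);
    free(code);
    return 0;
}
```

The percentage line mirrors the post's `total=... %` figure (hits over section bytes), so numbers from the two tools are comparable. The densest-page figure is the one that matters for Don's closing point: a section-wide 0.07% says little if a few hundred of the hits share one or two pages, and the NOP-run figure is a cheap first cut at Ollie's "naturally occurring sled" question before looking at the real instruction stream with a disassembler.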

