-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Sorry for the noise, I forgot to place the files on the server. Now link is valid.
I'm also currently adding analyzer support for mov 0xx(esp), %exx instructions, to see if that increase the number of usable targets found. halfdog wrote: > I tried to create a minimalistic implementation that still needs > massive manual work, but could be a start. If found a target sequence > in libc, so that 5 different library load offsets all lead to storage > of the library load offset in %ebp and jump of to the next de-aslred > address (only 4 out of 5, I'm to tired to do the 5th address also) - > currently all set to 0x41414141 for debugging. A better analyzer > could perhaps improve the number of targets and alternative execution > pathes. > > See > http://www.halfdog.net/Security/2011/ReturnOrientedProgrammingTechniques/ - -- > http://www.halfdog.net/ PGP: 156A AE98 B91F 0114 FE88 2BD8 C459 9386 feed a bee -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux) iD8DBQFOKq8xxFmThv7tq+4RAgzbAJ4nh6Jecfdmxpq9X6han2aZPGTl2QCghv5A pLSnFSJe8QI/v5LUtcbKn+c= =+69z -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/