| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <4E2AAF94.30200@halfdog.net> Date: Sat, 23 Jul 2011 11:25:08 +0000 From: halfdog <me@...fdog.net> To: Dan Rosenberg <dan.j.rosenberg@...il.com> Cc: full-disclosure@...ts.grok.org.uk Subject: Re: Multipath-ROP: Tools available? -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Sorry for the noise, I forgot to place the files on the server. Now link is valid. I'm also currently adding analyzer support for mov 0xx(esp), %exx instructions, to see if that increase the number of usable targets found. halfdog wrote: > I tried to create a minimalistic implementation that still needs > massive manual work, but could be a start. If found a target sequence > in libc, so that 5 different library load offsets all lead to storage > of the library load offset in %ebp and jump of to the next de-aslred > address (only 4 out of 5, I'm to tired to do the 5th address also) - > currently all set to 0x41414141 for debugging. A better analyzer > could perhaps improve the number of targets and alternative execution > pathes. > > See > http://www.halfdog.net/Security/2011/ReturnOrientedProgrammingTechniques/ - -- > http://www.halfdog.net/ PGP: 156A AE98 B91F 0114 FE88 2BD8 C459 9386 feed a bee -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux) iD8DBQFOKq8xxFmThv7tq+4RAgzbAJ4nh6Jecfdmxpq9X6han2aZPGTl2QCghv5A pLSnFSJe8QI/v5LUtcbKn+c= =+69z -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists