Dailydave mailing list archives

Re: The sky's downward trajectory


From: don bailey <don.bailey () gmail com>
Date: Sun, 25 Feb 2007 18:55:12 -0700

ol () uncon org wrote:
> The other thing to consider is those trampolines which have naturally (?)
> occurring NOP sleds in front of them.

I agreed with you, so I rewrote my little ffrr application. Now it looks for nops prefixed to a trampoline and notifies you of the number of trampoline hits in a given page including nops.

I thought the number of nops found would be somewhat decent relative to the average number of trampolines, but... after running ffrr on the entire /lib and /usr/lib tree on my Linux laptop I found only 8 libraries that even contained trampolines with nops prefixing them. Out of the 8 libraries, only one had a significant amount of nops: libXt. Everything else only had one or two trampolines prefixed by one nop.

I had to constrain my concept of "nop" to 0x90. For each trampoline, I tested the prior 8 octets descending from address T-1, where T represents the address of a given trampoline.

The reason for constraining the nop to 0x90 is fairly simple. We have to assume that any operation prior to the trampoline that manipulates memory may possibly trash our shell code. Obviously, this wouldn't always be the case, but we can't make assumptions about where our shell code resides. Second, if a register is changed, it clearly can't be the same register we use in the trampoline. So, if your trampoline is "call *%eax", you can use, say, "xorl" on any register operands except %eax, %ah, and %al. The process for testing for all this crap is more than I care to handle here.

The bright side is that using ffrr we can now see the concentration of trampolines per page. This is pretty illuminating. On Linux, libc.so.6 is pretty scarce all around, but libc.so.5 is a gold mine (relative to what we have to consider a trampoline gold mine).

If you're interested in the metrics, snag the code here:
http://kernelspace.us/ffrr.c

Someone write the code for Windows binaries.

As an example, here is the result of running ffrr on a default installation of FreeBSD 6.2-RELEASE:

It should be noted that when the total number of trampolines is printed, ffrr is displaying the "native" total, which doesn't include nops. Further down, when a per-page summary is listed, each trampoline per page is a display of the total number of addresses you can land on to trigger a trampoline. This clearly includes prefixed nops.

[snow@guppy ~/ffrr]$ ./ffrr /lib/libcrypto.so.4
ffrr: found .text at 32d70, 584124 bytes
ffrr: found 277 trampolines: 0.05% of 584124
ffrr: searching for trampolines prefixed by a nop
ffrr: bounce "call %eax",395112 is prefixed by 1 nops
ffrr: ...displaying total by page, including nops
ffrr: 2 trampolines in page 1: 0.05%
ffrr: 1 trampolines in page 4: 0.02%
ffrr: 6 trampolines in page 15: 0.15%
ffrr: 2 trampolines in page 17: 0.05%
ffrr: 2 trampolines in page 18: 0.05%
ffrr: 1 trampolines in page 23: 0.02%
ffrr: 2 trampolines in page 28: 0.05%
ffrr: 2 trampolines in page 29: 0.05%
ffrr: 3 trampolines in page 30: 0.07%
ffrr: 11 trampolines in page 32: 0.27%
ffrr: 1 trampolines in page 33: 0.02%
ffrr: 1 trampolines in page 36: 0.02%
ffrr: 2 trampolines in page 37: 0.05%
ffrr: 5 trampolines in page 38: 0.12%
ffrr: 1 trampolines in page 41: 0.02%
ffrr: 1 trampolines in page 44: 0.02%
ffrr: 3 trampolines in page 47: 0.07%
ffrr: 3 trampolines in page 48: 0.07%
ffrr: 5 trampolines in page 49: 0.12%
ffrr: 3 trampolines in page 50: 0.07%
ffrr: 27 trampolines in page 52: 0.66%
ffrr: 6 trampolines in page 53: 0.15%
ffrr: 4 trampolines in page 54: 0.10%
ffrr: 7 trampolines in page 55: 0.17%
ffrr: 5 trampolines in page 56: 0.12%
ffrr: 1 trampolines in page 58: 0.02%
ffrr: 1 trampolines in page 59: 0.02%
ffrr: 1 trampolines in page 65: 0.02%
ffrr: 2 trampolines in page 66: 0.05%
ffrr: 2 trampolines in page 70: 0.05%
ffrr: 1 trampolines in page 71: 0.02%
ffrr: 1 trampolines in page 72: 0.02%
ffrr: 1 trampolines in page 73: 0.02%
ffrr: 1 trampolines in page 74: 0.02%
ffrr: 2 trampolines in page 76: 0.05%
ffrr: 3 trampolines in page 79: 0.07%
ffrr: 1 trampolines in page 83: 0.02%
ffrr: 4 trampolines in page 84: 0.10%
ffrr: 2 trampolines in page 85: 0.05%
ffrr: 2 trampolines in page 91: 0.05%
ffrr: 6 trampolines in page 93: 0.15%
ffrr: 1 trampolines in page 95: 0.02%
ffrr: 7 trampolines in page 96: 0.17%
ffrr: 1 trampolines in page 97: 0.02%
ffrr: 3 trampolines in page 99: 0.07%
ffrr: 3 trampolines in page 100: 0.07%
ffrr: 5 trampolines in page 101: 0.12%
ffrr: 1 trampolines in page 104: 0.02%
ffrr: 7 trampolines in page 105: 0.17%
ffrr: 3 trampolines in page 108: 0.07%
ffrr: 3 trampolines in page 112: 0.07%
ffrr: 3 trampolines in page 113: 0.07%
ffrr: 19 trampolines in page 117: 0.46%
ffrr: 18 trampolines in page 118: 0.44%
ffrr: 1 trampolines in page 123: 0.02%
ffrr: 8 trampolines in page 124: 0.20%
ffrr: 2 trampolines in page 126: 0.05%
ffrr: 1 trampolines in page 127: 0.02%
ffrr: 1 trampolines in page 128: 0.02%
ffrr: 3 trampolines in page 130: 0.07%
ffrr: 7 trampolines in page 131: 0.17%
ffrr: 5 trampolines in page 132: 0.12%
ffrr: 1 trampolines in page 133: 0.02%
ffrr: 15 trampolines in page 134: 0.37%
ffrr: 1 trampolines in page 135: 0.02%
ffrr: 3 trampolines in page 136: 0.07%
ffrr: 2 trampolines in page 138: 0.05%
ffrr: 1 trampolines in page 139: 0.02%
ffrr: 1 trampolines in page 141: 0.02%
ffrr: 15 trampolines in page 142: 0.37%
[snow@guppy ~/ffrr]$


Don Bailey
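The counting rule the post describes (native trampoline total, then per-page landing-address totals that add each trampoline's run of up to 8 preceding 0x90 bytes) as an added, self-contained example; this is not ffrr.c or any code from the post. It assumes 4096-byte pages, treats only ff d0..d7 (call *%reg) and ff e0..e7 (jmp *%reg) as trampolines, credits a NOP run to its trampoline's page, and runs over a constructed two-page buffer rather than a real library.

```c
/* Byte-level scan for x86 register-indirect trampolines (call *%reg = ff d0..d7,
 * jmp *%reg = ff e0..e7).  Per the post, each hit is checked for up to 8 preceding
 * 0x90 NOPs (T-1 downward); per-page totals count landing addresses (trampoline
 * plus its NOPs).  Assumption: a NOP run is credited to its trampoline's page. */
#include <stdint.h>
#include <string.h>

#define PAGE_SIZE    4096
#define MAX_LOOKBACK 8

static int is_trampoline(const uint8_t *p) {   /* ff /2 or ff /4, ModRM mod=11 */
    return p[0] == 0xff && ((p[1] & 0xf8) == 0xd0 || (p[1] & 0xf8) == 0xe0);
}

/* Number of 0x90 bytes immediately before offset t, capped at MAX_LOOKBACK. */
static size_t nop_prefix_len(const uint8_t *text, size_t t) {
    size_t n = 0;
    while (n < MAX_LOOKBACK && n < t && text[t - 1 - n] == 0x90) n++;
    return n;
}

/* Native trampoline count (NOPs excluded); per_page[i] = landing addresses in page i. */
size_t scan_trampolines(const uint8_t *text, size_t len,
                        size_t *per_page, size_t npages) {
    size_t found = 0;
    memset(per_page, 0, npages * sizeof *per_page);
    for (size_t t = 0; t + 1 < len; t++) {
        if (!is_trampoline(text + t)) continue;
        found++;
        size_t page = t / PAGE_SIZE;
        if (page < npages) per_page[page] += 1 + nop_prefix_len(text, t);
    }
    return found;
}

/* Constructed sample, not a real library: two zero-filled pages with three
 * planted trampolines.  Fills per_page[2] and returns the native count. */
size_t demo_scan(size_t per_page[2]) {
    static uint8_t buf[2 * PAGE_SIZE];
    memset(buf, 0, sizeof buf);
    memcpy(buf + 100,  "\x90\x90\x90\xff\xd0", 5); /* call *%eax after 3 NOPs */
    memcpy(buf + 5000, "\xff\xe3", 2);             /* jmp *%ebx, no NOPs */
    memcpy(buf + 5100, "\x90\xff\xd1", 3);         /* call *%ecx after 1 NOP */
    return scan_trampolines(buf, sizeof buf, per_page, 2);
}

size_t demo_page_total(size_t page) {  /* one page's landing-address total */
    size_t pp[2]; demo_scan(pp); return page < 2 ? pp[page] : 0;
}
```

On the sample, the native count is 3 while the per-page totals are 4 and 3, which is exactly the gap between the two figures ffrr prints. Pointing scan_trampolines at a real .text section's bytes reproduces the post's percentages when each total is divided by PAGE_SIZE.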

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave