#!/usr/bin/env python
"""
Immunity Debugger PyCommand that scans the loaded process for "trampoline"
instructions: short sequences whose execution lands in the address held by a
chosen register (jmp/call/push+ret of that register).

In the context of a stack-based overflow, the saved return address can be
overwritten with the address of such an instruction so that, when the
vulnerable function returns, control is redirected to the register the
attacker-controlled data is reachable from. The scan lists every match with
its address and the module it lives in.

Usage inside the debugger:  !findtrampoline <register>   e.g.  !findtrampoline ESP

Rhys Kidd (c) 2007
"""

import immlib
from immutils import *  # kept for parity with the original; no name from it is used below

# Shown by the debugger as the command's one-line description.
DESC = """Finds suitable addresses to overwrite the saved return address."""

# Instruction patterns handed to imm.searchCommands(); "%s" is replaced by the
# register name given on the command line.
_TRAMPOLINE_PATTERNS = (
    "jmp %s",
    "call %s",
    "push %s\nret",
    "push %s\nretn",
)


def usage(imm):
    """Write the command's usage text to the debugger log window.

    imm -- an immlib.Debugger instance (only its Log() method is used).
    """
    # NOTE(review): the second line seems to lack its register placeholder
    # (possibly lost in extraction); strings are reproduced as found.
    usage_lines = (
        "!findtrampoline Find a suitable trampoline to the chosen register",
        "!findtrampoline ",
        "ex: !findtrampoline ESP",
    )
    for text in usage_lines:
        imm.Log(text)


def main(args):
    """PyCommand entry point.

    args -- list of command-line tokens; exactly one token, the register
            name, is expected.
    Returns the status string the debugger shows in its status bar: an error
    message on wrong usage, otherwise the number of trampolines found.
    Each match is also logged with its instruction text and module, and the
    log line is anchored to the match address.
    """
    imm = immlib.Debugger()

    if len(args) != 1:
        usage(imm)
        return "Error: Wrong arguments"

    register = args[0]
    hits = []
    for pattern in _TRAMPOLINE_PATTERNS:
        hits.extend(imm.searchCommands(pattern % register))

    # Each hit is indexed positionally: 0 = address, 1 = instruction text,
    # 2 = module name (as used by the original; exact tuple shape not shown here).
    for hit in hits:
        imm.Log("Found! %s in module %s" % (hit[1], hit[2]), address=hit[0])

    return "Found %d trampoline(s)" % len(hits)