by ebeip90 3268 days ago
This isn't very useful, and has some pretty obvious design flaws.

Given any routine which ends with the very common pattern:

    return foo();
Which is assembled to the very common sequence:

    call foo
    leave
    ret
This project will instrument it to now look like:

    call foo
    jmp $+2
    .byte 0xDE, 0xAD
    leave
    ret
Whatever return address I hijack, I can now just point it at this valid return site, and begin my ROP stack as per normal.

What's especially great is that the project guarantees this pattern for us. Now, every function has a path that looks like:

    call __stack_chk_fail
    jmp $+2
    .byte 0xDE, 0xAD
    < function frame cleanup >
    ret
This is effectively a no-op for security.

I cleaned up the author's code, added a sane makefile, and an example exploit here: https://github.com/zachriggle/return-to-abort

(Pull Request: https://github.com/cjdelisle/return-to-abort/pull/1)
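To make the argument in the comment concrete, here is an added toy model (not code from the commenter, from return-to-abort, or from the linked pull request) of the instrumentation and the return-site check it implies. The instruction stream, the marker bytes 0xDE 0xAD and the check function are assumptions constructed for this example; the point it shows is that the set of addresses the check accepts is exactly the set of all call-return sites, including the one after `call __stack_chk_fail`, so the check does not shrink the space of usable return targets at all.

```python
"""Toy model of a marker-based return-site check (constructed for this example).

Instructions are (mnemonic, operand) tuples. instrument() mimics the pattern
described in the comment: after every `call`, insert a `jmp` over a two-byte
marker. return_site_ok() is the assumed check a guard would perform on a
return address. The model demonstrates that every call-return site passes.
"""

MARKER = (0xDE, 0xAD)  # assumed marker bytes, as in the comment's listing

# Constructed sample: a function whose last action is `return foo();` and
# whose stack-protector failure path calls __stack_chk_fail.
FUNC_WITH_CANARY = [
    ("call", "foo"),
    ("leave", None),
    ("ret", None),
    ("call", "__stack_chk_fail"),  # canary-mismatch path
    ("leave", None),
    ("ret", None),
]


def instrument(program):
    """Insert `jmp $+2` and the marker after every call, as the comment describes."""
    out = []
    for insn in program:
        out.append(insn)
        if insn[0] == "call":
            out.append(("jmp", "$+2"))
            out.append(("marker", MARKER))
    return out


def return_site_ok(program, idx):
    """Assumed check: accept a return address when the instruction there is the
    jmp immediately followed by the marker bytes."""
    return (
        idx + 1 < len(program)
        and program[idx][0] == "jmp"
        and program[idx + 1] == ("marker", MARKER)
    )


def accepted_return_sites(program):
    """All addresses (indices) the check would accept."""
    return [i for i in range(len(program)) if return_site_ok(program, i)]


def call_return_sites(program):
    """All addresses that follow a call, i.e. every legitimate return site."""
    return [i + 1 for i, insn in enumerate(program) if insn[0] == "call"]


def site_after_call_to(program, target):
    """Index of the return site belonging to the first call of `target`."""
    for i, insn in enumerate(program):
        if insn == ("call", target):
            return i + 1
    raise ValueError(f"no call to {target}")


def check_reduces_targets(program):
    """True only if the check rejects at least one call-return site.
    For this instrumentation it is always False: acceptance == all call sites."""
    inst = instrument(program)
    return set(accepted_return_sites(inst)) != set(call_return_sites(inst))


if __name__ == "__main__":
    inst = instrument(FUNC_WITH_CANARY)
    print("accepted:", accepted_return_sites(inst))
    print("all call-return sites:", call_return_sites(inst))
    print("site after __stack_chk_fail passes:",
          return_site_ok(inst, site_after_call_to(inst, "__stack_chk_fail")))
    print("check reduces target set:", check_reduces_targets(FUNC_WITH_CANARY))
```

The model deliberately ignores the real `jmp` encoding and operates on instruction indices; the observation it makes, that acceptance equals the set of every call-return site, depends only on the marker being emitted unconditionally after each call, which is what the comment describes.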