We present new techniques that allow a return-into-libc attack to
be mounted on x86 executables that calls no functions at all.
Our attack combines a large number of short instruction sequences
to build gadgets that allow arbitrary computation. We show how
to discover such instruction sequences by means of static
analysis. We make use, in an essential way, of the properties of
the x86 instruction set.