ROP: Stack Pivoting

During the past few days I saw people complaining about stack overflows. The main argument was that a stack-based overflow is the perfect way to control program execution, BUT it is not as common as it was in the past. I totally agree with this argument. Nowadays the most common overflows are in the memory HEAP. So the question comes easily: how can I control the attacked program's control flow if I control the HEAP? The answer is in the "stack pivoting" techniques.

The goal of these techniques is to point ESP at an attacker-controlled memory area. There are many ways to perform stack pivoting, but one of my favorites is by using ROP gadgets:

  1. mov %esp, %eax // ret
  2. xchg %eax, %esp // ret
  3. add esp, // ret

xchg exchanges the values of its two operands, and it is pretty common to find in "ropped libraries" after all.
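As an added example (not code from the original post), the scanner below shows why these gadgets are so easy to find: x86 has no instruction alignment, so the two-byte `xchg eax, esp ; ret` (0x94 0xC3) can sit inside any other instruction's bytes. It searches a constructed 32-bit code buffer for the three gadget shapes listed above, which is the check a defender runs when auditing a library for usable pivot gadgets. The sample bytes and the load base are assumptions made up for this example.

```python
# Added example: locate the post's stack-pivot gadgets in a raw x86-32 code
# buffer. The buffer and load base are constructed for this example only.

# Fixed-size encodings, each ending in ret (0xC3). Intel syntax;
# AT&T "mov %esp, %eax" from the post is Intel "mov eax, esp".
PIVOT_PATTERNS = [
    (b"\x94\xc3",     "xchg eax, esp ; ret"),   # one-byte xchg form
    (b"\x87\xe0\xc3", "xchg eax, esp ; ret"),   # xchg r/m32, r32 forms
    (b"\x87\xc4\xc3", "xchg eax, esp ; ret"),
    (b"\x89\xe0\xc3", "mov eax, esp ; ret"),    # mov r/m32, r32
    (b"\x8b\xc4\xc3", "mov eax, esp ; ret"),    # mov r32, r/m32
]

def find_pivot_gadgets(code, base=0):
    """Return (address, mnemonic) for every pivot gadget in `code`.

    Every byte offset is tried, because a gadget need not start on an
    intended instruction boundary (unintended gadgets).
    """
    found = []
    for off in range(len(code)):
        w = code[off:]
        for pat, text in PIVOT_PATTERNS:
            if w.startswith(pat):
                found.append((base + off, text))
        # add esp, imm8 ; ret  ->  83 C4 ib C3   (imm8 is sign-extended)
        if w[:2] == b"\x83\xc4" and len(w) >= 4 and w[3] == 0xC3:
            imm = int.from_bytes(w[2:3], "little", signed=True)
            found.append((base + off, f"add esp, {imm:#x} ; ret"))
        # add esp, imm32 ; ret ->  81 C4 id C3
        if w[:2] == b"\x81\xc4" and len(w) >= 7 and w[6] == 0xC3:
            imm = int.from_bytes(w[2:6], "little", signed=True)
            found.append((base + off, f"add esp, {imm:#x} ; ret"))
    return found

# Constructed sample: an ordinary prologue, an epilogue-style "add esp",
# and a "mov eax, 0xc394" whose immediate hides an unintended xchg gadget.
SAMPLE_CODE = bytes.fromhex(
    "5589e5"      # push ebp ; mov ebp, esp
    "83c41cc3"    # add esp, 0x1c ; ret
    "31c0"        # xor eax, eax
    "b894c30000"  # mov eax, 0xc394   (bytes 94 c3 = xchg eax, esp ; ret)
    "89e0c3"      # mov eax, esp ; ret
)
SAMPLE_BASE = 0x08048000  # assumed load address for the sample

if __name__ == "__main__":
    for addr, text in find_pivot_gadgets(SAMPLE_CODE, SAMPLE_BASE):
        print(f"{addr:#010x}: {text}")
```

Running it reports the `add esp` gadget at offset 3, the unintended `xchg eax, esp ; ret` at offset 10 (inside the mov immediate), and `mov eax, esp ; ret` at offset 14.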

Summing up, this post is about showing you a simple ROP sequence useful for pivoting your stack (pointer).